Received: by 2002:a05:7208:13ce:b0:7f:395a:35b6 with SMTP id r14csp79877rbe; Wed, 28 Feb 2024 12:49:10 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXf9xEy0b1tV1hxWB8WT7M63NaUQbOJJQNk66wWNPwpBQpLPRQV/EslQ8YQnIAW//b6RF5zr4e+YzSTFJaS0OWxOxVWhwiEIdQft3vi4Q== X-Google-Smtp-Source: AGHT+IGzOkJ6OziXrcyEBIRINeNCIWud0iMSTGa+ZT2uIbPu9kHI7F43xyMgDvtp5ESHKLXEtvcl X-Received: by 2002:ac2:559b:0:b0:513:201c:5dc6 with SMTP id v27-20020ac2559b000000b00513201c5dc6mr39451lfg.61.1709153350102; Wed, 28 Feb 2024 12:49:10 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709153350; cv=pass; d=google.com; s=arc-20160816; b=eJVgopeB+p+IN2rjqFG+VShiqU6okj2eW49GLg9pvlPdVu2uHsZFHyRyKrT5GrUI8f yG1FJkRv40gvOZt1anCo40Lg39mPOjBPoloutZOYUgfRg1thuJPPbQH5q04vj0JnjzNM R7l0nuxx8681gCIFDOGvgHblw8C+8dgZZkECQwgpL8P6QAJPlqk4GOpliwLzV838z0rW 8KG+xw4jAYQjSDFiaa0oOoNrh7aGKd8VwczUe1pTMtK2PnEMZO1NmG7A3X5+cid/7E0d xj32gu3hRvebUjHvI0SXofFV/Uze8SsTdPAx61+b2g1v/PSgDYaEFNxm2HwjwrmCPhBs Ro9A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=ui-outboundreport:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:date:message-id :dkim-signature; bh=HDAcEsoQ5V8C/XTr80eVT6IkNewc3rjOGtp/WrXkY0g=; fh=pw4e/HjKo7rhApBWZXIVB/Sj/ZtCyZ/sEhP3fWBYZaQ=; b=nyCDWcf9xHogCzrTStxy/3PktD6cO3ggCp8FDP4MCO00Uf8hlhNO49At++Pk5+YnVT t59ocfygVAVl15yvhBaPs2yD9CdAvZ+fh5mYIcX8rAMJy4S1mnC0HEb3wkge7Kf4O9R0 2jVqZIgGChvAHvR9X0+SNCELgOwOhwsOdH3D5arb3ncjVMHilchkTxYYeWjqxSiD5kbR 2u26Z8M7o4D5kmL8errcJy3zvXD8YAA7g3DLspHB5kXFIW+pm3fpKSfyVQoELiYJQkq8 bgVSXkK/E66cA7iPr432Wgv0bvLHhlvXImjogPJtRBdXbgCAty+wigkM6tw/kxWTWdQ1 Dr3Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmx.de header.s=s31663417 header.b=A1km7Vpv; arc=pass (i=1 spf=pass spfdomain=gmx.de dkim=pass dkdomain=gmx.de dmarc=pass fromdomain=gmx.de); spf=pass (google.com: domain of linux-kernel+bounces-85686-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-85686-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=gmx.de Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id a12-20020a05640213cc00b005662fd4afb5si1954993edx.381.2024.02.28.12.49.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 Feb 2024 12:49:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-85686-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@gmx.de header.s=s31663417 header.b=A1km7Vpv; arc=pass (i=1 spf=pass spfdomain=gmx.de dkim=pass dkdomain=gmx.de dmarc=pass fromdomain=gmx.de); spf=pass (google.com: domain of linux-kernel+bounces-85686-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-85686-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=gmx.de Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id AAB091F28902 for ; Wed, 28 Feb 2024 20:49:09 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id D852215DBB9; Wed, 28 Feb 2024 20:48:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmx.de header.i=w_armin@gmx.de header.b="A1km7Vpv" Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4632573509; Wed, 28 Feb 2024 20:48:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=212.227.17.20 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709153330; cv=none; b=IsdCo8vWT9OphyvDMWLgL8G1vDJZXN8YHpRPNqMUlr4ynzhQg4ZMOaOTRlAKbnvDg43Ng2mYp3PHnHnlICaMlhnPGeHOC+VWrf/X5ljMfcR2FWU2J9tyV0AAy4BpfRL4fDy7Qh1tsAMiUynpUH4oEbOlW+NvT44XnpUymZoXbNY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709153330; c=relaxed/simple; bh=xB/Lvc3pAyy3aE4uSGlVi5mHrvCghaImnICZTejHVYw=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=pSR96rcfW3F5XvZIZZ6R0TuT0ypwpbjxi3B5ui4jrl4INqe6QPnpm1e47XR1l0Q8adl9FjEGti2EnAuexgExLSR/m67vM41egiutVSK3/+iGsCrHJafpZREYHm+n+Du5ZeK1AJI2TeFXt4DMtara+ZTGeO2YKLsEyjaKTRGXtqg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=gmx.de; spf=pass smtp.mailfrom=gmx.de; dkim=pass (2048-bit key) header.d=gmx.de header.i=w_armin@gmx.de header.b=A1km7Vpv; arc=none smtp.client-ip=212.227.17.20 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=gmx.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmx.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.de; s=s31663417; t=1709153316; x=1709758116; i=w_armin@gmx.de; bh=xB/Lvc3pAyy3aE4uSGlVi5mHrvCghaImnICZTejHVYw=; h=X-UI-Sender-Class:Date:Subject:To:Cc:References:From: In-Reply-To; b=A1km7VpvR1RYpB9+WhwCVsuYxvp7u1Qta2kWyER8RKFnhcOaPAu2yOXLYxp4/hE5 lLPqHMa3XODQkPUWCcG+BXgK17XtkA13je+bWjGOgmLYzCqtiRQ/6EbvCevLaNHvb FafPjVNeUpt7j0UQDI7gLkCxoQz3V7Z83bIIkwD4rJA2BKTEPQkxnlRJ8CJe5yLqS Oy2LQqlK7F2hApnxsLDWQobYy6tewA4gIukrz7tFEhd4WLlpCnwKgqT0J3Fkr7Hqg OmxSnmXzrXsmy4ELoiGv1v0UoIE8uVmym/ahLJ9xEfDYYIg7ZAEx4GeoGO2e82N8j J6a5wzG30a07vpUpug== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from [141.30.226.129] ([141.30.226.129]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1Mk0NU-1rCirs0w36-00kLYJ; Wed, 28 Feb 2024 21:48:36 +0100 Message-ID: <63ba267a-27db-456e-be32-2efe27fa26e1@gmx.de> Date: Wed, 28 Feb 2024 21:48:34 +0100 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v2 2/2] platform/x86/amd/pmf: Fix possible out-of-bound memory accesses Content-Language: en-US To: Shyam Sundar S K , =?UTF-8?Q?Ilpo_J=C3=A4rvinen?= Cc: Hans de Goede , platform-driver-x86@vger.kernel.org, LKML References: <20240227145500.299683-1-W_Armin@gmx.de> <20240227145500.299683-2-W_Armin@gmx.de> <2dd63b5b-cf60-9f28-55b3-35eab537dc9b@linux.intel.com> <0e70681f-85c2-43f9-822a-2e07776c37c9@amd.com> From: Armin Wolf In-Reply-To: <0e70681f-85c2-43f9-822a-2e07776c37c9@amd.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:SyH/nmgU2774H+komsiu5jOrBKM93Q/lDfp/A1JMDlijW0dIDIo qlGTzGn7y8GRGiDajuHEYxJ/8IAyXhgLGTRMKEg0w2Uv5W2xm+2MWSqyQfJURXQOxH7xJrz FpzohwyTTv3a8VzhO2LSYuiWrxyc1dFAWgtdmKz4Ol/8LVZN4JDUV+qRkUGCN8nsHo8b37p tgW1bI2nxusE0TUNTHKgA== X-Spam-Flag: NO UI-OutboundReport: notjunk:1;M01:P0:3dRI2+X09JY=;HcDYDkXd0mggqMRwvx12MJ+gSuD wxAdLYrEYvIh+3wvZzfD/rMEJsg8giRmFEma0zrmUbENt6E/ZIrpem6++hOo9s5Yvnxc35EWo 2tkW16cwpOmWHGqum5wrCBcqSaAwpKfou6yVMV+fMOFrcGZ7oMdU9tOH6x0xohQ6wOI5/SarM rsR1HOPHmGzt4It/ooa3XNHSJEo5sj9fnSdTZso/uViJ25FSTcTKGyZCoYpUa4x+UCBSHbmlY 2UkT4xS1YkC7w5Ylz3ytN15z4VvAer2CNktcOCkKCrb9pqi1awjMj2naJXjD1Y4paWK92tZ1I lF+6+9nR9QEI+lqM+N7ZuN+06aaYwTGA7n86Jm5d5Kd/qkrLKP2Ux24fX42bQEoYaIKER20c0 trqeorVSGJJ15ziLMZZRGMiCR+fEOFKBZ6bqXrwr0Tjn214M5aldunvOdBraqvas8pv32eY+v FbzP/Z7TPnOzL0u3bRS6YMavIVakTFjKcfqyiu4IZYRs7ljj5JAUNeMGYrQR9GcuPQhAAZdzw 8+U5GS1td1zj7nUrC14UbgphUu9RaZKagBUry6aNNfnYExN8Ocx+JIPKKipedS/1PlXsvJPMQ h7D+wMyBCSrnd2MLn1pvpQ+Z8zMA6gE+Qx6GlVwojYyNwp7ziuJaA2ehHpUGVRXwAtcvl0FDk 7KkrWXOrqxGbyFdDA1mlcZdZgm2RqhiHbFQ0izUs3OG/at7708pHbvd+qmwuxTkdu8bSay3RT fSz9jRTvhpCkqEciKO7cVRknGbbgZCrWCUDloyeYUK3DX9+nmcMwuxehZ3PLY43KluiraGQe4 u1HzZOmsJ1xfh9pkSaWWoouPsTx03xzJ09N+BkBMb65/w= Am 28.02.24 um 12:16 schrieb Shyam Sundar S K: > Hi Ilpo, > > On 2/27/2024 21:15, Ilpo J=C3=A4rvinen wrote: >> Hi Shyam & Armin, >> >> Shyam, please take a look at the question below. >> >> On Tue, 27 Feb 2024, Armin Wolf wrote: >> >>> The length of the policy buffer is not validated before accessing it, >>> which means that multiple out-of-bounds memory accesses can occur. >>> >>> This is especially bad since userspace can load policy binaries over >>> debugfs. > IMO, this patch is not required, reason being: > - the debugfs patch gets created only when CONFIG_AMD_PMF_DEBUG is > enabled. > - Sideload of policy binaries is only supported with a valid signing > key. (think like this can be tested & verified within AMD environment) > - Also, in amd_pmf_get_pb_data() there are boundary conditions that > are being checked. Is that not sufficient enough? IMHO, amd_pmf_get_pb_data() only checks if the length of the binary is between 0 and the maximum buffer size. If for example the binary contains only 4 bytes, then there will be an out-of-bounds access when trying to read the cookie and length. Or if the length is bigger than the binary buffer, then the driver just updates the buffer length even if the buffer is too small. I think the driver should catch such cases and return an error. (Please note that we are talking about the binary buffer, not the internal structure of the remaining policy binary itself). >>> + if (dev->policy_sz < POLICY_COOKIE_LEN + sizeof(length)) >>> + return -EINVAL; >>> + >>> cookie =3D *(u32 *)(dev->policy_buf + POLICY_COOKIE_OFFSET); >>> length =3D *(u32 *)(dev->policy_buf + POLICY_COOKIE_LEN); >> This starts to feel like adding a struct for the header(?) would be bet= ter >> course of action here as then one could compare against sizeof(*header) >> and avoid all those casts (IMO, just access the header fields directly >> w/o the local variables). > Not sure if I get your question clearly. Can you elaborate a bit more > on the struct you are envisioning? I think he envisions something like this: struct __packed cookie_header { u32 magic; u32 length; }; > > but IHMO, we actually don't need a struct - as all that we would need > is to make sure the signing cookie is part of the policy binary and > leave the rest of the error handling to ASP/TEE modules (we can rely > on the feedback from those modules). > >> Shyam, do you think a struct makes sense here? There's some header in >> this policy, right? > Yes, the policy binary on a whole has multiple sections within it and > there are multiple headers (like signing, OEM header, etc). > > But that might be not real interest to the PMF driver. The only thing > the driver has to make sure is that the policy binary going into ASP > (AMD Secure Processor) is with in the limits and has a valid signing > cookie. So this part is already taken care in the current code. > >> >> There are more thing to address here... >> >> 1) amd_pmf_start_policy_engine() function returns -EINVAL & res that is >> TA_PMF_* which inconsistent in type of the return value >> > ah! it has mix of both int and u32 :-) > > Armin, would you like to amend this in your current series? or else I > will submit a change for this in my next series. > > Thanks, > Shyam I can do so, but i will be unable to send a new patch series for the rest = of this week. Thanks, Armin Wolf >> 2) Once 1) is fixed, the caller shadowing the return code can be fixed = as >> well: >> ret =3D amd_pmf_start_policy_engine(dev); >> if (ret) >> return -EINVAL; >> >>