LinuxLists.cc - [PATCH][v2] virt: tdx-guest: Don't free decrypted memory

2024-06-14 05:15:13

Subject: [PATCH][v2] virt: tdx-guest: Don't free decrypted memory

In CoCo VMs it is possible for the untrusted host to cause
set_memory_decrypted() to fail such that an error is returned
and the resulting memory is shared. Callers need to take care
to handle these errors to avoid returning decrypted (shared)
memory to the page allocator, which could lead to functional
or security issues.

So when set_memory_decrypted fails, leak decrypted memory, and
print an error message

Signed-off-by: Li RongQing <[email protected]>
---
diff with v1: leak the page, and print error

drivers/virt/coco/tdx-guest/tdx-guest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-guest/tdx-guest.c
index 1253bf7..3a6e76c8 100644
--- a/drivers/virt/coco/tdx-guest/tdx-guest.c
+++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
@@ -125,7 +125,7 @@ static void *alloc_quote_buf(void)
return NULL;

if (set_memory_decrypted((unsigned long)addr, count)) {
- free_pages_exact(addr, len);
+ pr_err("Failed to set Quote buffer decrypted, leak the buffer\n");
return NULL;
}

--
2.9.4

2024-06-14 16:14:04

by Edgecombe, Rick P

[permalink] [raw]

Subject: Re: [PATCH][v2] virt: tdx-guest: Don't free decrypted memory

On Fri, 2024-06-14 at 13:14 +0800, Li RongQing wrote:
> In CoCo VMs it is possible for the untrusted host to cause
> set_memory_decrypted() to fail such that an error is returned
> and the resulting memory is shared. Callers need to take care
> to handle these errors to avoid returning decrypted (shared)
> memory to the page allocator, which could lead to functional
> or security issues.
>
> So when set_memory_decrypted fails, leak decrypted memory, and
> print an error message
>
> Signed-off-by: Li RongQing <[email protected]>
> ---
> diff with v1: leak the page, and print error
>
> drivers/virt/coco/tdx-guest/tdx-guest.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-
> guest/tdx-guest.c
> index 1253bf7..3a6e76c8 100644
> --- a/drivers/virt/coco/tdx-guest/tdx-guest.c
> +++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
> @@ -125,7 +125,7 @@ static void *alloc_quote_buf(void)
>                 return NULL;
>
>         if (set_memory_decrypted((unsigned long)addr, count)) {
> -               free_pages_exact(addr, len);
> +               pr_err("Failed to set Quote buffer decrypted, leak the
> buffer\n");
>                 return NULL;
>         }

I'm not sure we need the error message, because the set_memory() failure we are
most worried about already has a WARN. But, I could be convinced either way. It
seems to fit with the other code in the file.

Reviewed-by: Rick Edgecombe <[email protected]>