Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp3142683iob; Mon, 16 May 2022 14:13:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzJz5AitvCaTZpSArcLoMC9SLPFhZ8vfD2m29oPx56SFYHsQWqgEoPxR8HYbvBSXqe40jJF X-Received: by 2002:a05:6a00:1a87:b0:50e:22b:c4a1 with SMTP id e7-20020a056a001a8700b0050e022bc4a1mr19582402pfv.75.1652735630103; Mon, 16 May 2022 14:13:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652735630; cv=none; d=google.com; s=arc-20160816; b=l9/tirP0W3/joVmc2gwQWfD6ifzOkXwfrFUpT8s2CI1PCrlLKlqIfs7Kx+lKw+xqJp 24Q3Jff4Mwplgpbsz+o5CPpIwFvCXX741cZbpl8f4UWIKnUdar5jsEKkRVep+fC8NOYp Krb+9oa5GYuERd5I89HENkyftfKJj9MPEGrUhpqaib30KKa5dEyeaEovK6luK2DkHgoM KXet0d5zaq+71GD2oMPSe6v55mPQ5fshIiW+8Vl4+B69LoTYW+QqiyT4AH3zi4XMkNX/ cbqiqwjK7leLTydApE+kFPYHjcsEUJmmq4pYzt8Y6Hlq3qAtPUAaL5NU+WnCiQzAUEQq YZJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=Lm/q1Gqm1HsV9H33yf52RdsHQedEeeYZq3uFVzTvb3c=; b=z8cWx1itOlp7Bwb4rqH/64ZiQZthirbjYK94EIE+21WqKzZy8bJM/g7IpR0uBRlsiG PaC8TALtddV63xO39rA4/AvyVITByrT2PlXhAygEkwtJAloP9v/tk/PFFtl/mwSAq0bE crPFYA0vF+K6o+yAQWvYpr4+G1oJKq5dIjlvuozgYWQcKWrscUq2oV/kla3/krGAaxyg o/jvh5EX/C1Ejtnf3S1H4YgqtgH+DJlneLspKXYTSkdRk2Qk5rXOU5GS+jGR6WXvwnsc YKRQTnAKHbt3hGCeoDXZvfDoxHE5gkzsj7z5WKpjRbRLjMYSMXcbnVykoFek6aqPuBle yV4g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=PqptGi3r; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 125-20020a630383000000b003aaf1cf402bsi14127739pgd.672.2022.05.16.14.13.17; Mon, 16 May 2022 14:13:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=PqptGi3r; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344358AbiEPRmp (ORCPT + 99 others); Mon, 16 May 2022 13:42:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55906 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344325AbiEPRmo (ORCPT ); Mon, 16 May 2022 13:42:44 -0400 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9322C37033 for ; Mon, 16 May 2022 10:42:43 -0700 (PDT) Received: by mail-pj1-x1029.google.com with SMTP id w17-20020a17090a529100b001db302efed6so15104412pjh.4 for ; Mon, 16 May 2022 10:42:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=Lm/q1Gqm1HsV9H33yf52RdsHQedEeeYZq3uFVzTvb3c=; b=PqptGi3rkOn4qRvNvz2Epa83/qpOSjYuiDkHBVrzJE/v7wizQGDWZ/Jz0YULI1CGEY KzaSFBzsFgiR/lK9obqCcZ+zQrO76nSYTAeKdayGv2RHdsRU8xUTaxxfPH4Xcn6oGZTA K4Q3PvV8YmDuKjuHj9B463LkBYRXoXqh4zgqP1P3NtPwBAe87YoAbkchTLo/zVcWqV1S 2VVWjZqSlWW4noXVM6GW8iWF8BYerJUAPhMnKwiK3EcOXjGkDG6FyafzrLDQ6dWCUypg X4WxrQPR5dxGONUEnUaNSrvcF/MucQeJzxzeuxixKvU2ZzQ+gPUEwtFH8fwgqHHmMY4F 7HAQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=Lm/q1Gqm1HsV9H33yf52RdsHQedEeeYZq3uFVzTvb3c=; b=DjBcDoWCk+nw3TUV99CM3KwL64Q0H6kX30fv7aFScBzlUCD2CbupnCoQ2s3eISBk/v Zy3wdUPiwHlj0u+Rno/bxg6mgtGs4dlYLzxmtANz/suDsVTSLytuvhNrju++QjBijkPX QIhK1VRX4h+a9n83LYOLcAYtlt8PoiLQAjZDc+MdAe/rnaMtrOGirN3IFUrMGaBtwquz IL5apYMog6JsolI0lyqJNTgDDCbaI2N5r6D4rjQ9YCyAlZpV6TKwViYOAs7/aVxLj0LP fFNYl1CKeFzYvPN1v5u/b877+bupBVVnyii3nMw/GtiJX5RQPKpCKI3x0QPtaSoyyloa uCmg== X-Gm-Message-State: AOAM532GeErN9yDMKqWiY1AZR6cMvXszEVU0zk101iE2Mmvw6BQyfxfd 7QlpiSSwNSuQUNT4fSkzXFSrtg== X-Received: by 2002:a17:902:eb87:b0:15e:be95:a3f3 with SMTP id q7-20020a170902eb8700b0015ebe95a3f3mr18357590plg.38.1652722962868; Mon, 16 May 2022 10:42:42 -0700 (PDT) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id s10-20020a17090a5d0a00b001df2538c61dsm4102030pji.23.2022.05.16.10.42.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 16 May 2022 10:42:42 -0700 (PDT) Date: Mon, 16 May 2022 17:42:38 +0000 From: Sean Christopherson To: "Kalra, Ashish" Cc: Peter Gonda , "Allen, John" , Herbert Xu , Linux Crypto Mailing List , "Lendacky, Thomas" , LKML , Andy Nguyen , David Rientjes , "stable@vger.kernel.org" Subject: Re: [PATCH v2] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak Message-ID: References: <20220516154512.259759-1-john.allen@amd.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, May 16, 2022, Kalra, Ashish wrote: > > >Would it be safer to memset @data here to all zeros too? > > > > It will be, but this command/function is safe as firmware will fill in the > > whole buffer here with the PLATFORM STATUS data retuned to the user. > > > That does seem safe for now but I thought we decided it would be prudent to > > not trust the PSPs implementation here and clear all the buffers that > > eventually get sent to userspace? > > Yes, but the issue is when the user programs a buffer size larger the one > filled in by the firmware. In this case firmware is always going to fill up > the whole buffer with PLATFORM_STATUS data, so it will be always be safe. The > issue is mainly with the kernel side doing a copy_to_user() based on user > programmed length instead of the firmware returned buffer length. Peter's point is that it costs the kernel very little to be paranoid and not make assumptions about whether or not the PSP will fill an entire struct as expected. I agree it feels a bit silly since all fields are output, but on the other hand the PSP spec just says: The following data structure is written to memory at STATUS_PADDR and the data structure has several reserved fields. I don't love assuming that the PSP will always write zeros for the reserved fields and not do something like: if (rmp_initialized) data[3] |= IS_RMP_INIT; else data[3] &= ~IS_RMP_INIT; Given that zeroing @data in the kernel is easy and this is not a hot patch, I prefer the paranoid approach unless the PSP spec is much more explicit in saying that it writes all bits and bytes on success.