KVM: SVM: Fix sparse: incorrect type in argument 1 (different base types)

Commit Message

Al Viro Feb. 21, 2018, 5:49 p.m. UTC

On Mon, Feb 19, 2018 at 10:12:28AM -0600, Brijesh Singh wrote:
> Fix sparse: incorrect type in argument 1 (different base types). Typecast
> the userspace address argument.

Better question: why the hell do we want that access_ok(), anyway?  The only
thing we do to params.uaddr is
        if (blob) {
                if (copy_to_user((void __user *)(uintptr_t)params.uaddr, blob, params.len))
                        ret = -EFAULT;
        }

downstream.  What does that access_ok() buy us?  It does not guarantee that
copy_to_user() won't fail.  It does not clamp params.len (we'd just done
that explicitly).  So why not somethings like this:

Comments

Brijesh Singh Feb. 21, 2018, 7:59 p.m. UTC | #1

On 2/21/18 11:49 AM, Al Viro wrote:
> On Mon, Feb 19, 2018 at 10:12:28AM -0600, Brijesh Singh wrote:
>> Fix sparse: incorrect type in argument 1 (different base types). Typecast
>> the userspace address argument.
> Better question: why the hell do we want that access_ok(), anyway?  The only
> thing we do to params.uaddr is
>         if (blob) {
>                 if (copy_to_user((void __user *)(uintptr_t)params.uaddr, blob, params.len))
>                         ret = -EFAULT;
>         }
>
> downstream.  What does that access_ok() buy us?  It does not guarantee that
> copy_to_user() won't fail.  


Sure, checking access_ok() does not guarantee that later
copy_from_user() will not fail. But it does eliminate one possible
reason for the failure. We are trying to validate most of the user
inputs before we invoke  SEV command. The SEV command handler does heavy
lifting (which includes setting up PSP mailbox,  issuing FW command, 
and handling the response etc). I would like to avoid invoking SEV
command when we know for sure that copy_to_user() will fail later.


> It does not clamp params.len (we'd just done
> that explicitly).  So why not somethings like this:
>
> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
> index b3e488a74828..ba2c1a606985 100644
> --- a/arch/x86/kvm/svm.c
> +++ b/arch/x86/kvm/svm.c
> @@ -6239,13 +6239,15 @@ static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
>  	struct kvm_sev_info *sev = &kvm->arch.sev_info;
>  	struct sev_data_launch_measure *data;
>  	struct kvm_sev_launch_measure params;
> +	void __user *measure = (void __user *)(uintptr_t)argp->data;
> +	void __user *p = NULL;
>  	void *blob = NULL;
>  	int ret;
>  
>  	if (!sev_guest(kvm))
>  		return -ENOTTY;
>  
> -	if (copy_from_user(&params, (void __user *)(uintptr_t)argp->data, sizeof(params)))
> +	if (copy_from_user(&params, measure, sizeof(params)))
>  		return -EFAULT;
>  
>  	data = kzalloc(sizeof(*data), GFP_KERNEL);
> @@ -6256,17 +6258,13 @@ static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
>  	if (!params.len)
>  		goto cmd;
>  
> -	if (params.uaddr) {
> +	p = (void __user *)(uintptr_t)params.uaddr;
> +	if (p) {
>  		if (params.len > SEV_FW_BLOB_MAX_SIZE) {
>  			ret = -EINVAL;
>  			goto e_free;
>  		}
>  
> -		if (!access_ok(VERIFY_WRITE, params.uaddr, params.len)) {
> -			ret = -EFAULT;
> -			goto e_free;
> -		}
> -
>  		ret = -ENOMEM;
>  		blob = kmalloc(params.len, GFP_KERNEL);
>  		if (!blob)
> @@ -6290,13 +6288,13 @@ static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
>  		goto e_free_blob;
>  
>  	if (blob) {
> -		if (copy_to_user((void __user *)(uintptr_t)params.uaddr, blob, params.len))
> +		if (copy_to_user(p, blob, params.len))
>  			ret = -EFAULT;
>  	}
>  
>  done:
>  	params.len = data->len;
> -	if (copy_to_user((void __user *)(uintptr_t)argp->data, &params, sizeof(params)))
> +	if (copy_to_user(measure, &params, sizeof(params)))
>  		ret = -EFAULT;
>  e_free_blob:
>  	kfree(blob);

Al Viro Feb. 21, 2018, 8:18 p.m. UTC | #2

On Wed, Feb 21, 2018 at 01:59:55PM -0600, Brijesh Singh wrote:

> Sure, checking access_ok() does not guarantee that later
> copy_from_user() will not fail. But it does eliminate one possible
> reason for the failure. We are trying to validate most of the user
> inputs before we invoke  SEV command.

That makes no sense whatsoever.  If user is deliberately fuzzing
your code or trying to DoS it, that "validation" doesn't buy you
anything - they can just as well feed you NULL, after all.

What is the rationale for that?  "Userland is accidentally feeding
us garbage pointers" is the case where slowness is the least of your
concerns...

Brijesh Singh Feb. 22, 2018, 3:56 p.m. UTC | #3

On 02/21/2018 02:18 PM, Al Viro wrote:
> On Wed, Feb 21, 2018 at 01:59:55PM -0600, Brijesh Singh wrote:
> 
>> Sure, checking access_ok() does not guarantee that later
>> copy_from_user() will not fail. But it does eliminate one possible
>> reason for the failure. We are trying to validate most of the user
>> inputs before we invoke  SEV command.
> 
> That makes no sense whatsoever.  If user is deliberately fuzzing
> your code or trying to DoS it, that "validation" doesn't buy you
> anything - they can just as well feed you NULL, after all.
> 


Currently, we let user query the blob length with params.len == 0 || 
param.uaddr == NULL. We could limit it to just params.len == 0.


> What is the rationale for that?  "Userland is accidentally feeding
> us garbage pointers" is the case where slowness is the least of your
> concerns...
> 

My intent was to do some obvious failure checks on user inputs before 
invoking the HW. I do see your point that if userspace is feeding us 
garbage then slowness is least of our concern. If you think that we 
should not be using access_ok() in this particular case then I am okay 
with it.

Paolo Bonzini Feb. 23, 2018, 6:05 p.m. UTC | #4

On 22/02/2018 16:56, Brijesh Singh wrote:
> 
> 
> On 02/21/2018 02:18 PM, Al Viro wrote:
>> On Wed, Feb 21, 2018 at 01:59:55PM -0600, Brijesh Singh wrote:
>>
>>> Sure, checking access_ok() does not guarantee that later
>>> copy_from_user() will not fail. But it does eliminate one possible
>>> reason for the failure. We are trying to validate most of the user
>>> inputs before we invoke  SEV command.
>>
>> That makes no sense whatsoever.  If user is deliberately fuzzing
>> your code or trying to DoS it, that "validation" doesn't buy you
>> anything - they can just as well feed you NULL, after all.
>>
> 
> 
> Currently, we let user query the blob length with params.len == 0 ||
> param.uaddr == NULL. We could limit it to just params.len == 0.
> 
> 
>> What is the rationale for that?  "Userland is accidentally feeding
>> us garbage pointers" is the case where slowness is the least of your
>> concerns...
>>
> 
> My intent was to do some obvious failure checks on user inputs before
> invoking the HW. I do see your point that if userspace is feeding us
> garbage then slowness is least of our concern. If you think that we
> should not be using access_ok() in this particular case then I am okay
> with it.

Can you please send a patch?  Thanks!

Paolo

Brijesh Singh Feb. 23, 2018, 6:26 p.m. UTC | #5

On 02/23/2018 12:05 PM, Paolo Bonzini wrote:
> On 22/02/2018 16:56, Brijesh Singh wrote:
>>
>>
>> On 02/21/2018 02:18 PM, Al Viro wrote:
>>> On Wed, Feb 21, 2018 at 01:59:55PM -0600, Brijesh Singh wrote:
>>>
>>>> Sure, checking access_ok() does not guarantee that later
>>>> copy_from_user() will not fail. But it does eliminate one possible
>>>> reason for the failure. We are trying to validate most of the user
>>>> inputs before we invoke  SEV command.
>>>
>>> That makes no sense whatsoever.  If user is deliberately fuzzing
>>> your code or trying to DoS it, that "validation" doesn't buy you
>>> anything - they can just as well feed you NULL, after all.
>>>
>>
>>
>> Currently, we let user query the blob length with params.len == 0 ||
>> param.uaddr == NULL. We could limit it to just params.len == 0.
>>
>>
>>> What is the rationale for that?  "Userland is accidentally feeding
>>> us garbage pointers" is the case where slowness is the least of your
>>> concerns...
>>>
>>
>> My intent was to do some obvious failure checks on user inputs before
>> invoking the HW. I do see your point that if userspace is feeding us
>> garbage then slowness is least of our concern. If you think that we
>> should not be using access_ok() in this particular case then I am okay
>> with it.
> 
> Can you please send a patch?  Thanks!
> 

Sure, I will send patch soon.

-Brijesh

Patch

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index b3e488a74828..ba2c1a606985 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -6239,13 +6239,15 @@  static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
 	struct kvm_sev_info *sev = &kvm->arch.sev_info;
 	struct sev_data_launch_measure *data;
 	struct kvm_sev_launch_measure params;
+	void __user *measure = (void __user *)(uintptr_t)argp->data;
+	void __user *p = NULL;
 	void *blob = NULL;
 	int ret;
 
 	if (!sev_guest(kvm))
 		return -ENOTTY;
 
-	if (copy_from_user(&params, (void __user *)(uintptr_t)argp->data, sizeof(params)))
+	if (copy_from_user(&params, measure, sizeof(params)))
 		return -EFAULT;
 
 	data = kzalloc(sizeof(*data), GFP_KERNEL);
@@ -6256,17 +6258,13 @@  static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
 	if (!params.len)
 		goto cmd;
 
-	if (params.uaddr) {
+	p = (void __user *)(uintptr_t)params.uaddr;
+	if (p) {
 		if (params.len > SEV_FW_BLOB_MAX_SIZE) {
 			ret = -EINVAL;
 			goto e_free;
 		}
 
-		if (!access_ok(VERIFY_WRITE, params.uaddr, params.len)) {
-			ret = -EFAULT;
-			goto e_free;
-		}
-
 		ret = -ENOMEM;
 		blob = kmalloc(params.len, GFP_KERNEL);
 		if (!blob)
@@ -6290,13 +6288,13 @@  static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
 		goto e_free_blob;
 
 	if (blob) {
-		if (copy_to_user((void __user *)(uintptr_t)params.uaddr, blob, params.len))
+		if (copy_to_user(p, blob, params.len))
 			ret = -EFAULT;
 	}
 
 done:
 	params.len = data->len;
-	if (copy_to_user((void __user *)(uintptr_t)argp->data, &params, sizeof(params)))
+	if (copy_to_user(measure, &params, sizeof(params)))
 		ret = -EFAULT;
 e_free_blob:
 	kfree(blob);