| Message ID | alpine.DEB.2.21.1903251146160.188887@chino.kir.corp.google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | KVM: SVM: prevent DBG_DECRYPT and DBG_ENCRYPT overflow | expand |
On 3/25/19 1:47 PM, David Rientjes wrote: > This ensures that the address and length provided to DBG_DECRYPT and > DBG_ENCRYPT do not cause an overflow. > > At the same time, pass the actual number of pages pinned in memory to > sev_unpin_memory() as a cleanup. > > Reported-by: Cfir Cohen <cfir@google.com> > Signed-off-by: David Rientjes <rientjes@google.com> > --- > arch/x86/kvm/svm.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > Reviewed-by: Brijesh Singh <brijesh.singh@amd.com> thanks
On Thu, 28 Mar 2019, Singh, Brijesh wrote: > > This ensures that the address and length provided to DBG_DECRYPT and > > DBG_ENCRYPT do not cause an overflow. > > > > At the same time, pass the actual number of pages pinned in memory to > > sev_unpin_memory() as a cleanup. > > > > Reported-by: Cfir Cohen <cfir@google.com> > > Signed-off-by: David Rientjes <rientjes@google.com> > > --- > > arch/x86/kvm/svm.c | 12 +++++++++--- > > 1 file changed, 9 insertions(+), 3 deletions(-) > > > > > Reviewed-by: Brijesh Singh <brijesh.singh@amd.com> > > thanks > Paolo, Radim, I don't see this in kvm.git, is it ready to be staged?
On 25/03/19 19:47, David Rientjes wrote: > This ensures that the address and length provided to DBG_DECRYPT and > DBG_ENCRYPT do not cause an overflow. > > At the same time, pass the actual number of pages pinned in memory to > sev_unpin_memory() as a cleanup. > > Reported-by: Cfir Cohen <cfir@google.com> > Signed-off-by: David Rientjes <rientjes@google.com> > --- > arch/x86/kvm/svm.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c > --- a/arch/x86/kvm/svm.c > +++ b/arch/x86/kvm/svm.c > @@ -6799,7 +6799,8 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec) > struct page **src_p, **dst_p; > struct kvm_sev_dbg debug; > unsigned long n; > - int ret, size; > + unsigned int size; > + int ret; > > if (!sev_guest(kvm)) > return -ENOTTY; > @@ -6807,6 +6808,11 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec) > if (copy_from_user(&debug, (void __user *)(uintptr_t)argp->data, sizeof(debug))) > return -EFAULT; > > + if (!debug.len || debug.src_uaddr + debug.len < debug.src_uaddr) > + return -EINVAL; > + if (!debug.dst_uaddr) > + return -EINVAL; > + > vaddr = debug.src_uaddr; > size = debug.len; > vaddr_end = vaddr + size; > @@ -6857,8 +6863,8 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec) > dst_vaddr, > len, &argp->error); > > - sev_unpin_memory(kvm, src_p, 1); > - sev_unpin_memory(kvm, dst_p, 1); > + sev_unpin_memory(kvm, src_p, n); > + sev_unpin_memory(kvm, dst_p, n); > > if (ret) > goto err; > Queued, thanks. Paolo
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -6799,7 +6799,8 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec) struct page **src_p, **dst_p; struct kvm_sev_dbg debug; unsigned long n; - int ret, size; + unsigned int size; + int ret; if (!sev_guest(kvm)) return -ENOTTY; @@ -6807,6 +6808,11 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec) if (copy_from_user(&debug, (void __user *)(uintptr_t)argp->data, sizeof(debug))) return -EFAULT; + if (!debug.len || debug.src_uaddr + debug.len < debug.src_uaddr) + return -EINVAL; + if (!debug.dst_uaddr) + return -EINVAL; + vaddr = debug.src_uaddr; size = debug.len; vaddr_end = vaddr + size; @@ -6857,8 +6863,8 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec) dst_vaddr, len, &argp->error); - sev_unpin_memory(kvm, src_p, 1); - sev_unpin_memory(kvm, dst_p, 1); + sev_unpin_memory(kvm, src_p, n); + sev_unpin_memory(kvm, dst_p, n); if (ret) goto err;
This ensures that the address and length provided to DBG_DECRYPT and DBG_ENCRYPT do not cause an overflow. At the same time, pass the actual number of pages pinned in memory to sev_unpin_memory() as a cleanup. Reported-by: Cfir Cohen <cfir@google.com> Signed-off-by: David Rientjes <rientjes@google.com> --- arch/x86/kvm/svm.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)