[bug report] KVM: SEV: Add KVM_SEV_SNP_LAUNCH_START command

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Brijesh Singh,

Commit 136d8bc931c8 ("KVM: SEV: Add KVM_SEV_SNP_LAUNCH_START
command") from May 1, 2024 (linux-next), leads to the following
Smatch static checker warning:

	arch/x86/kvm/svm/sev.c:2159 snp_launch_start()
	warn: double fget(): 'argp->sev_fd'

arch/x86/kvm/svm/sev.c
    2121 static int snp_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp)
    2122 {
    2123         struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info;
    2124         struct sev_data_snp_launch_start start = {0};
    2125         struct kvm_sev_snp_launch_start params;
    2126         int rc;
    2127 
    2128         if (!sev_snp_guest(kvm))
    2129                 return -ENOTTY;
    2130 
    2131         if (copy_from_user(&params, u64_to_user_ptr(argp->data), sizeof(params)))
    2132                 return -EFAULT;
    2133 
    2134         /* Don't allow userspace to allocate memory for more than 1 SNP context. */
    2135         if (sev->snp_context)
    2136                 return -EINVAL;
    2137 
    2138         sev->snp_context = snp_context_create(kvm, argp);
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
What this static checker warning is about is that "argp->sev_fd" points
to a file and we create some context here and send a
SEV_CMD_SNP_GCTX_CREATE command using that file.

    2139         if (!sev->snp_context)
    2140                 return -ENOTTY;
    2141 
    2142         if (params.flags)
    2143                 return -EINVAL;
    2144 
    2145         if (params.policy & ~SNP_POLICY_MASK_VALID)
    2146                 return -EINVAL;
    2147 
    2148         /* Check for policy bits that must be set */
    2149         if (!(params.policy & SNP_POLICY_MASK_RSVD_MBO) ||
    2150             !(params.policy & SNP_POLICY_MASK_SMT))
    2151                 return -EINVAL;
    2152 
    2153         if (params.policy & SNP_POLICY_MASK_SINGLE_SOCKET)
    2154                 return -EINVAL;
    2155 
    2156         start.gctx_paddr = __psp_pa(sev->snp_context);
    2157         start.policy = params.policy;
    2158         memcpy(start.gosvw, params.gosvw, sizeof(params.gosvw));
--> 2159         rc = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_LAUNCH_START, &start, &argp->error);
                                      ^^^^^^^^^^^^  ^^^^^^^^^^^^^^^^^^^^^^^^
The user controls which file the ->sev_fd points to so now we're doing
SEV_CMD_SNP_LAUNCH_START command but the file could be different from
what we expected.  Does this matter?  I don't know KVM well enough to
say.  It doesn't seem very safe, but it might be fine.

    2160         if (rc) {
    2161                 pr_debug("%s: SEV_CMD_SNP_LAUNCH_START firmware command failed, rc %d\n",
    2162                          __func__, rc);
    2163                 goto e_free_context;
    2164         }
    2165 
    2166         sev->fd = argp->sev_fd;
                 ^^^^^^^^^^^^^^^^^^^^^^
We save the fd here, but I'm not sure how it's used.

    2167         rc = snp_bind_asid(kvm, &argp->error);
    2168         if (rc) {
    2169                 pr_debug("%s: Failed to bind ASID to SEV-SNP context, rc %d\n",
    2170                          __func__, rc);
    2171                 goto e_free_context;
    2172         }
    2173 
    2174         return 0;
    2175 
    2176 e_free_context:
    2177         snp_decommission_context(kvm);
    2178 
    2179         return rc;
    2180 }

regards,
dan carpenter
[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux