RE: [PATCH v2] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[AMD Official Use Only - General]

Hello Sean,

-----Original Message-----
From: Sean Christopherson <seanjc@xxxxxxxxxx> 
Sent: Monday, May 16, 2022 12:43 PM
To: Kalra, Ashish <Ashish.Kalra@xxxxxxx>
Cc: Peter Gonda <pgonda@xxxxxxxxxx>; Allen, John <John.Allen@xxxxxxx>; Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>; Linux Crypto Mailing List <linux-crypto@xxxxxxxxxxxxxxx>; Lendacky, Thomas <Thomas.Lendacky@xxxxxxx>; LKML <linux-kernel@xxxxxxxxxxxxxxx>; Andy Nguyen <theflow@xxxxxxxxxx>; David Rientjes <rientjes@xxxxxxxxxx>; stable@xxxxxxxxxxxxxxx
Subject: Re: [PATCH v2] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak

On Mon, May 16, 2022, Kalra, Ashish wrote:
> > >Would it be safer to memset @data here to all zeros too?
> >
> > It will be, but this command/function is safe as firmware will fill 
> > in the whole buffer here with the PLATFORM STATUS data retuned to the user.
> 
> > That does seem safe for now but I thought we decided it would be 
> > prudent to not trust the PSPs implementation here and clear all the 
> > buffers that eventually get sent to userspace?
> 
> Yes, but the issue is when the user programs a buffer size larger the 
> one filled in by the firmware. In this case firmware is always going 
> to fill up the whole buffer with PLATFORM_STATUS data, so it will be 
> always be safe. The issue is mainly with the kernel side doing a 
> copy_to_user() based on user programmed length instead of the firmware returned buffer length.

>Peter's point is that it costs the kernel very little to be paranoid and not make assumptions about whether or not the PSP will fill an entire struct as expected.

>I agree it feels a bit silly since all fields are output, but on the other hand the PSP spec just says:

>  The following data structure is written to memory at STATUS_PADDR

>and the data structure has several reserved fields.  I don't love assuming that the PSP will always write zeros for the reserved fields and not do something like:

>	if (rmp_initialized)
>		data[3] |= IS_RMP_INIT;
>	else
>		data[3] &= ~IS_RMP_INIT;

>Given that zeroing @data in the kernel is easy and this is not a hot patch, I prefer the paranoid approach unless the PSP spec is much more explicit in saying that it writes all bits and bytes on success.

I agree with that and we will resend a v3 of the crypto patch with this change added.

Thanks,
Ashish




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux