On Wed, May 18, 2022 at 8:31 AM John Allen <john.allen@xxxxxxx> wrote: > > For some sev ioctl interfaces, input may be passed that is less than or > equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP > firmware returns. In this case, kmalloc will allocate memory that is the > size of the input rather than the size of the data. Since PSP firmware > doesn't fully overwrite the buffer, the sev ioctl interfaces with the > issue may return uninitialized slab memory. > > Currently, all of the ioctl interfaces in the ccp driver are safe, but > to prevent future problems, change all ioctl interfaces that allocate > memory with kmalloc to use kzalloc and memset the data buffer to zero > in sev_ioctl_do_platform_status. > > Fixes: 38103671aad3 ("crypto: ccp: Use the stack and common buffer for status commands") > Fixes: e799035609e15 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command") > Fixes: 76a2b524a4b1d ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command") > Fixes: d6112ea0cb344 ("crypto: ccp - introduce SEV_GET_ID2 command") > Cc: stable@xxxxxxxxxxxxxxx > Reported-by: Andy Nguyen <theflow@xxxxxxxxxx> > Suggested-by: David Rientjes <rientjes@xxxxxxxxxx> > Suggested-by: Peter Gonda <pgonda@xxxxxxxxxx> > Signed-off-by: John Allen <john.allen@xxxxxxx> Reviewed-by: Peter Gonda <pgonda@xxxxxxxxxx>