On Wed, Jul 07, 2021, Brijesh Singh wrote:
> +static unsigned long snp_handle_psc(struct vcpu_svm *svm, struct ghcb *ghcb)
> +{
> + struct kvm_vcpu *vcpu = &svm->vcpu;
> + int level, op, rc = PSC_UNDEF_ERR;
> + struct snp_psc_desc *info;
> + struct psc_entry *entry;
> + gpa_t gpa;
> +
> + if (!sev_snp_guest(vcpu->kvm))
> + goto out;
> +
> + if (!setup_vmgexit_scratch(svm, true, sizeof(ghcb->save.sw_scratch))) {
> + pr_err("vmgexit: scratch area is not setup.\n");
> + rc = PSC_INVALID_HDR;
> + goto out;
> + }
> +
> + info = (struct snp_psc_desc *)svm->ghcb_sa;
> + entry = &info->entries[info->hdr.cur_entry];
Grabbing "entry" here is unnecessary and confusing.
> +
> + if ((info->hdr.cur_entry >= VMGEXIT_PSC_MAX_ENTRY) ||
> + (info->hdr.end_entry >= VMGEXIT_PSC_MAX_ENTRY) ||
> + (info->hdr.cur_entry > info->hdr.end_entry)) {
There's a TOCTOU bug here if the guest uses the GHCB instead of a scratch area.
If the guest uses the scratch area, then KVM makes a full copy into kernel memory.
But if the guest uses the GHCB, then KVM maps the GHCB into kernel address space
but doesn't make a full copy, i.e. the guest can modify the data while it's being
processed by KVM.
IIRC, Peter and I discussed the sketchiness of the GHCB mapping offline a few
times, but determined that there were no existing SEV-ES bugs because the guest
could only submarine its own emulation request. But here, it could coerce KVM
into running off the end of a buffer.
I think you can get away with capturing cur_entry/end_entry locally, though
copying the GHCB would be more robust. That would also make the code a bit
prettier, e.g.
cur = info->hdr.cur_entry;
end = info->hdr.end_entry;
> + rc = PSC_INVALID_ENTRY;
> + goto out;
> + }
> +
> + while (info->hdr.cur_entry <= info->hdr.end_entry) {
Make this a for loop?
for ( ; cur_entry < end_entry; cur_entry++)
> + entry = &info->entries[info->hdr.cur_entry];
Does this need array_index_nospec() treatment?
> + gpa = gfn_to_gpa(entry->gfn);
> + level = RMP_TO_X86_PG_LEVEL(entry->pagesize);
> + op = entry->operation;
> +
> + if (!IS_ALIGNED(gpa, page_level_size(level))) {
> + rc = PSC_INVALID_ENTRY;
> + goto out;
> + }
> +
> + rc = __snp_handle_psc(vcpu, op, gpa, level);
> + if (rc)
> + goto out;
> +
> + info->hdr.cur_entry++;
> + }
> +
> +out:
And for the copy case:
info->hdr.cur_entry = cur;
> + return rc ? map_to_psc_vmgexit_code(rc) : 0;
> +}
