Re: [PATCH v2 4/5] uio_hv_generic: Don't free decrypted memory

Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx> · Mon, 11 Mar 2024 22:04:56 -0700

On 3/11/24 9:15 AM, mhkelley58@xxxxxxxxx wrote:
> From: Rick Edgecombe <rick.p.edgecombe@xxxxxxxxx>
>
> In CoCo VMs it is possible for the untrusted host to cause
> set_memory_encrypted() or set_memory_decrypted() to fail such that an
> error is returned and the resulting memory is shared. Callers need to
> take care to handle these errors to avoid returning decrypted (shared)
> memory to the page allocator, which could lead to functional or security
> issues.
>
> The VMBus device UIO driver could free decrypted/shared pages if
> set_memory_decrypted() fails. Check the decrypted field in the gpadl
> to decide whether to free the memory.
>
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@xxxxxxxxx>
> Signed-off-by: Michael Kelley <mhklinux@xxxxxxxxxxx>
> ---

Looks good to me.

Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx>
>  drivers/uio/uio_hv_generic.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c
> index 20d9762331bd..6be3462b109f 100644
> --- a/drivers/uio/uio_hv_generic.c
> +++ b/drivers/uio/uio_hv_generic.c
> @@ -181,12 +181,14 @@ hv_uio_cleanup(struct hv_device *dev, struct hv_uio_private_data *pdata)
>  {
>  	if (pdata->send_gpadl.gpadl_handle) {
>  		vmbus_teardown_gpadl(dev->channel, &pdata->send_gpadl);
> -		vfree(pdata->send_buf);
> +		if (!pdata->send_gpadl.decrypted)
> +			vfree(pdata->send_buf);
>  	}
>  
>  	if (pdata->recv_gpadl.gpadl_handle) {
>  		vmbus_teardown_gpadl(dev->channel, &pdata->recv_gpadl);
> -		vfree(pdata->recv_buf);
> +		if (!pdata->recv_gpadl.decrypted)
> +			vfree(pdata->recv_buf);
>  	}
>  }
>  
> @@ -295,7 +297,8 @@ hv_uio_probe(struct hv_device *dev,
>  	ret = vmbus_establish_gpadl(channel, pdata->recv_buf,
>  				    RECV_BUFFER_SIZE, &pdata->recv_gpadl);
>  	if (ret) {
> -		vfree(pdata->recv_buf);
> +		if (!pdata->recv_gpadl.decrypted)
> +			vfree(pdata->recv_buf);
>  		goto fail_close;
>  	}
>  
> @@ -317,7 +320,8 @@ hv_uio_probe(struct hv_device *dev,
>  	ret = vmbus_establish_gpadl(channel, pdata->send_buf,
>  				    SEND_BUFFER_SIZE, &pdata->send_gpadl);
>  	if (ret) {
> -		vfree(pdata->send_buf);
> +		if (!pdata->send_gpadl.decrypted)
> +			vfree(pdata->send_buf);
>  		goto fail_close;
>  	}
>  

-- 
Sathyanarayanan Kuppuswamy
Linux Kernel Developer