Patch "x86/sgx: Fix size overflows in sgx_encl_create()" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 9 Mar 2025 15:48:18 -0400

This is a note to let you know that I've just added the patch titled

    x86/sgx: Fix size overflows in sgx_encl_create()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-sgx-fix-size-overflows-in-sgx_encl_create.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 16a609d3d04a9fa134dc9ee85ea62dae217d9bf5
Author: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
Date:   Wed Mar 5 07:00:05 2025 +0200

    x86/sgx: Fix size overflows in sgx_encl_create()
    
    [ Upstream commit 0d3e0dfd68fb9e6b0ec865be9f3377cc3ff55733 ]
    
    The total size calculated for EPC can overflow u64 given the added up page
    for SECS.  Further, the total size calculated for shmem can overflow even
    when the EPC size stays within limits of u64, given that it adds the extra
    space for 128 byte PCMD structures (one for each page).
    
    Address this by pre-evaluating the micro-architectural requirement of
    SGX: the address space size must be power of two. This is eventually
    checked up by ECREATE but the pre-check has the additional benefit of
    making sure that there is some space for additional data.
    
    Fixes: 888d24911787 ("x86/sgx: Add SGX_IOC_ENCLAVE_CREATE")
    Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
    Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
    Acked-by: Dave Hansen <dave.hansen@xxxxxxxxx>
    Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
    Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20250305050006.43896-1-jarkko@xxxxxxxxxx
    
    Closes: https://lore.kernel.org/linux-sgx/c87e01a0-e7dd-4749-a348-0980d3444f04@stanley.mountain/
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c
index 5d390df214406..a59a0011c930a 100644
--- a/arch/x86/kernel/cpu/sgx/ioctl.c
+++ b/arch/x86/kernel/cpu/sgx/ioctl.c
@@ -64,6 +64,13 @@ static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
 	struct file *backing;
 	long ret;
 
+	/*
+	 * ECREATE would detect this too, but checking here also ensures
+	 * that the 'encl_size' calculations below can never overflow.
+	 */
+	if (!is_power_of_2(secs->size))
+		return -EINVAL;
+
 	va_page = sgx_encl_grow(encl, true);
 	if (IS_ERR(va_page))
 		return PTR_ERR(va_page);







