mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2026-05-21 16:05:29 -04:00
virt: sev-guest: Do not use host-controlled page order in cleanup path
When issuing an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST),
get_ext_report() allocates a buffer to retrieve a certificate blob from the
host, keeping track of its size in report_req->certs_len.
However, the host may return SNP_GUEST_VMM_ERR_INVALID_LEN, indicating
an invalid buffer size, as well as the expected length of such buffer.
get_ext_report() subsequently updates report_req->certs_len with the
host-controlled value, and cleans up the buffer by computing a page order
from such value. This is incorrect, as the host-provided length may not
match the page order of the original allocation, potentially resulting
in corruption in the page allocator.
Fix this by using alloc_pages_exact() instead, and reusing @npages to
compute the size passed to free_pages_exact(). For consistency, also
use @npages to compute the size when allocating the pages, even though
this last change has no functional effect.
Fixes: 3e385c0d6c ("virt: sev-guest: Move SNP Guest Request data pages handling under snp_cmd_mutex")
Signed-off-by: Carlos López <clopez@suse.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Michael Roth <michael.roth@amd.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Carlos López
committed by
Linus Torvalds
Linus Torvalds
parent
e7f24a388e
commit
23e6a1ca04
@@ -176,7 +176,6 @@ static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_reques
|
||||
struct snp_guest_req req = {};
|
||||
int ret, npages = 0, resp_len;
|
||||
sockptr_t certs_address;
|
||||
struct page *page;
|
||||
|
||||
if (sockptr_is_null(io->req_data) || sockptr_is_null(io->resp_data))
|
||||
return -EINVAL;
|
||||
@@ -211,16 +210,15 @@ static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_reques
|
||||
* zeros to indicate that certificate data was not provided.
|
||||
*/
|
||||
npages = report_req->certs_len >> PAGE_SHIFT;
|
||||
page = alloc_pages(GFP_KERNEL_ACCOUNT | __GFP_ZERO,
|
||||
get_order(report_req->certs_len));
|
||||
if (!page)
|
||||
req.certs_data = alloc_pages_exact(npages << PAGE_SHIFT,
|
||||
GFP_KERNEL_ACCOUNT | __GFP_ZERO);
|
||||
if (!req.certs_data)
|
||||
return -ENOMEM;
|
||||
|
||||
req.certs_data = page_address(page);
|
||||
ret = set_memory_decrypted((unsigned long)req.certs_data, npages);
|
||||
if (ret) {
|
||||
pr_err("failed to mark page shared, ret=%d\n", ret);
|
||||
__free_pages(page, get_order(report_req->certs_len));
|
||||
free_pages_exact(req.certs_data, npages << PAGE_SHIFT);
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
@@ -277,7 +275,7 @@ static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_reques
|
||||
if (set_memory_encrypted((unsigned long)req.certs_data, npages))
|
||||
WARN_ONCE(ret, "failed to restore encryption mask (leak it)\n");
|
||||
else
|
||||
__free_pages(page, get_order(report_req->certs_len));
|
||||
free_pages_exact(req.certs_data, npages << PAGE_SHIFT);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user