RE: [PATCH v2] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak

From: Kalra, Ashish
Date: Mon May 16 2022 - 14:11:37 EST

Next message: José Expósito: "[PATCH for-5.19/uclogic 0/4] Add support for XP-PEN Deco L"
Previous message: T.J. Mercier: "Re: [PATCH v2] dma-buf: Move sysfs work out of DMA-BUF export path"
In reply to: Sean Christopherson: "Re: [PATCH v2] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[AMD Official Use Only - General]

Hello Sean,

-----Original Message-----
From: Sean Christopherson <seanjc@xxxxxxxxxx>
Sent: Monday, May 16, 2022 12:43 PM
To: Kalra, Ashish <Ashish.Kalra@xxxxxxx>
Cc: Peter Gonda <pgonda@xxxxxxxxxx>; Allen, John <John.Allen@xxxxxxx>; Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>; Linux Crypto Mailing List <linux-crypto@xxxxxxxxxxxxxxx>; Lendacky, Thomas <Thomas.Lendacky@xxxxxxx>; LKML <linux-kernel@xxxxxxxxxxxxxxx>; Andy Nguyen <theflow@xxxxxxxxxx>; David Rientjes <rientjes@xxxxxxxxxx>; stable@xxxxxxxxxxxxxxx
Subject: Re: [PATCH v2] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak

On Mon, May 16, 2022, Kalra, Ashish wrote:
> > >Would it be safer to memset @data here to all zeros too?
> >
> > It will be, but this command/function is safe as firmware will fill
> > in the whole buffer here with the PLATFORM STATUS data retuned to the user.
>
> > That does seem safe for now but I thought we decided it would be
> > prudent to not trust the PSPs implementation here and clear all the
> > buffers that eventually get sent to userspace?
>
> Yes, but the issue is when the user programs a buffer size larger the
> one filled in by the firmware. In this case firmware is always going
> to fill up the whole buffer with PLATFORM_STATUS data, so it will be
> always be safe. The issue is mainly with the kernel side doing a
> copy_to_user() based on user programmed length instead of the firmware returned buffer length.

>Peter's point is that it costs the kernel very little to be paranoid and not make assumptions about whether or not the PSP will fill an entire struct as expected.

>I agree it feels a bit silly since all fields are output, but on the other hand the PSP spec just says:

> The following data structure is written to memory at STATUS_PADDR

>and the data structure has several reserved fields. I don't love assuming that the PSP will always write zeros for the reserved fields and not do something like:

> if (rmp_initialized)
> data[3] |= IS_RMP_INIT;
> else
> data[3] &= ~IS_RMP_INIT;

>Given that zeroing @data in the kernel is easy and this is not a hot patch, I prefer the paranoid approach unless the PSP spec is much more explicit in saying that it writes all bits and bytes on success.

I agree with that and we will resend a v3 of the crypto patch with this change added.

Thanks,
Ashish

Next message: José Expósito: "[PATCH for-5.19/uclogic 0/4] Add support for XP-PEN Deco L"
Previous message: T.J. Mercier: "Re: [PATCH v2] dma-buf: Move sysfs work out of DMA-BUF export path"
In reply to: Sean Christopherson: "Re: [PATCH v2] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]