[PATCH v11 3/7] virt: sev-guest: Remove err in handle_guest_request

From: Dionna Glaze
Date: Wed Jan 11 2023 - 14:40:59 EST

Next message: Dionna Glaze: "[PATCH v11 4/7] virt: sev-guest: interpret VMM errors from guest request"
Previous message: Christian Marangi: "[RESEND PATCH] clk: Warn and add workaround on misuse of .parent_data with .name only"
In reply to: Dionna Glaze: "[PATCH v11 2/7] x86/sev: Change snp_guest_issue_request's fw_err"
Next in thread: Dionna Glaze: "[PATCH v11 4/7] virt: sev-guest: interpret VMM errors from guest request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The err variable may not be set in the call to snp_issue_guest_request,
yet it is unconditionally written back to fw_err if fw_err is non-null.
This is undefined behavior, and currently returns uninitialized kernel
stack memory to user space.

The fw_err argument is better to just pass through to
snp_issue_guest_request, so that's done by passing along the ioctl
argument. This removes the need for an argument to handle_guest_request.

Instead of using the fw_err field of the argument, which is a bit of a
misnomer, instead change to exitinfo2. The exitinfo2 field type is a
temporary typedef that will be removed.

Cc: Tom Lendacky <Thomas.Lendacky@xxxxxxx>
Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Cc: Joerg Roedel <jroedel@xxxxxxx>
Cc: Peter Gonda <pgonda@xxxxxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Cc: Borislav Petkov <Borislav.Petkov@xxxxxxx>
Cc: Haowen Bai <baihaowen@xxxxxxxxx>
Cc: Liam Merwick <liam.merwick@xxxxxxxxxx>
Cc: Yang Yingliang <yangyingliang@xxxxxxxxxx>

Fixes: fce96cf04430 ("virt: Add SEV-SNP guest driver")
Reviewed-by: Tom Lendacky <Thomas.Lendacky@xxxxxxx>
Reviewed-by: Borislav Petkov <Borislav.Petkov@xxxxxxx>
Reviewed-by: Peter Gonda <pgonda@xxxxxxxxxx>
Signed-off-by: Dionna Glaze <dionnaglaze@xxxxxxxxxx>
---
drivers/virt/coco/sev-guest/sev-guest.c | 43 ++++++++++++-------------
include/uapi/linux/sev-guest.h | 12 +++++--
2 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c
index 4ec4174e05a3..e2fcb5215630 100644
--- a/drivers/virt/coco/sev-guest/sev-guest.c
+++ b/drivers/virt/coco/sev-guest/sev-guest.c
@@ -318,11 +318,11 @@ static int enc_payload(struct snp_guest_dev *snp_dev, u64 seqno, int version, u8
return __enc_payload(snp_dev, req, payload, sz);
}

-static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, int msg_ver,
+static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code,
+ struct snp_guest_request_ioctl *arg,
u8 type, void *req_buf, size_t req_sz, void *resp_buf,
- u32 resp_sz, __u64 *fw_err)
+ u32 resp_sz)
{
- unsigned long err;
u64 seqno;
int rc;

@@ -334,7 +334,8 @@ static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, in
memset(snp_dev->response, 0, sizeof(struct snp_guest_msg));

/* Encrypt the userspace provided payload */
- rc = enc_payload(snp_dev, seqno, msg_ver, type, req_buf, req_sz);
+ rc = enc_payload(snp_dev, seqno, arg->msg_version, type, req_buf,
+ req_sz);
if (rc)
return rc;

@@ -344,7 +345,8 @@ static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, in
* sequence number must be incremented or the VMPCK must be deleted to
* prevent reuse of the IV.
*/
- rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err);
+ rc = snp_issue_guest_request(exit_code, &snp_dev->input,
+ &arg->exitinfo2);

/*
* If the extended guest request fails due to having too small of a
@@ -366,24 +368,22 @@ static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, in
* of the VMPCK and the error code being propagated back to the
* user as an ioctl() return code.
*/
- rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err);
+ rc = snp_issue_guest_request(exit_code, &snp_dev->input,
+ &arg->exitinfo2);

/*
* Override the error to inform callers the given extended
* request buffer size was too small and give the caller the
* required buffer size.
*/
- err = SNP_GUEST_REQ_INVALID_LEN;
+ arg->exitinfo2 = SNP_GUEST_REQ_INVALID_LEN;
snp_dev->input.data_npages = certs_npages;
}

- if (fw_err)
- *fw_err = err;
-
if (rc) {
dev_alert(snp_dev->dev,
- "Detected error from ASP request. rc: %d, fw_err: %llu\n",
- rc, *fw_err);
+ "Detected error from ASP request. rc: %d, exitinfo2: %llu\n",
+ rc, (u64)arg->exitinfo2);
goto disable_vmpck;
}

@@ -430,9 +430,9 @@ static int get_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_io
if (!resp)
return -ENOMEM;

- rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg->msg_version,
+ rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg,
SNP_MSG_REPORT_REQ, &req, sizeof(req), resp->data,
- resp_len, &arg->fw_err);
+ resp_len);
if (rc)
goto e_free;

@@ -470,9 +470,8 @@ static int get_derived_key(struct snp_guest_dev *snp_dev, struct snp_guest_reque
if (copy_from_user(&req, (void __user *)arg->req_data, sizeof(req)))
return -EFAULT;

- rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg->msg_version,
- SNP_MSG_KEY_REQ, &req, sizeof(req), buf, resp_len,
- &arg->fw_err);
+ rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg,
+ SNP_MSG_KEY_REQ, &req, sizeof(req), buf, resp_len);
if (rc)
return rc;

@@ -532,12 +531,12 @@ static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_reques
return -ENOMEM;

snp_dev->input.data_npages = npages;
- ret = handle_guest_request(snp_dev, SVM_VMGEXIT_EXT_GUEST_REQUEST, arg->msg_version,
+ ret = handle_guest_request(snp_dev, SVM_VMGEXIT_EXT_GUEST_REQUEST, arg,
SNP_MSG_REPORT_REQ, &req.data,
- sizeof(req.data), resp->data, resp_len, &arg->fw_err);
+ sizeof(req.data), resp->data, resp_len);

/* If certs length is invalid then copy the returned length */
- if (arg->fw_err == SNP_GUEST_REQ_INVALID_LEN) {
+ if (arg->exitinfo2 == SNP_GUEST_REQ_INVALID_LEN) {
req.certs_len = snp_dev->input.data_npages << PAGE_SHIFT;

if (copy_to_user((void __user *)arg->req_data, &req, sizeof(req)))
@@ -572,7 +571,7 @@ static long snp_guest_ioctl(struct file *file, unsigned int ioctl, unsigned long
if (copy_from_user(&input, argp, sizeof(input)))
return -EFAULT;

- input.fw_err = 0xff;
+ input.exitinfo2 = 0xff;

/* Message version must be non-zero */
if (!input.msg_version)
@@ -603,7 +602,7 @@ static long snp_guest_ioctl(struct file *file, unsigned int ioctl, unsigned long

mutex_unlock(&snp_cmd_mutex);

- if (input.fw_err && copy_to_user(argp, &input, sizeof(input)))
+ if (input.exitinfo2 && copy_to_user(argp, &input, sizeof(input)))
return -EFAULT;

return ret;
diff --git a/include/uapi/linux/sev-guest.h b/include/uapi/linux/sev-guest.h
index 256aaeff7e65..52e994b68d90 100644
--- a/include/uapi/linux/sev-guest.h
+++ b/include/uapi/linux/sev-guest.h
@@ -52,8 +52,16 @@ struct snp_guest_request_ioctl {
__u64 req_data;
__u64 resp_data;

- /* firmware error code on failure (see psp-sev.h) */
- __u64 fw_err;
+ /* bits[63:32]: VMM error code, bits[31:0] firmware error code (see psp-sev.h) */
+
+ union {
+ __u64 fw_err; /* Name deprecated in favor of others */
+ sev_guestreq_err_t exitinfo2;
+ struct {
+ __u32 fw_error;
+ __u32 vmm_error;
+ };
+ };
};

struct snp_ext_report_req {
--
2.39.0.314.g84b9a713c41-goog

Next message: Dionna Glaze: "[PATCH v11 4/7] virt: sev-guest: interpret VMM errors from guest request"
Previous message: Christian Marangi: "[RESEND PATCH] clk: Warn and add workaround on misuse of .parent_data with .name only"
In reply to: Dionna Glaze: "[PATCH v11 2/7] x86/sev: Change snp_guest_issue_request's fw_err"
Next in thread: Dionna Glaze: "[PATCH v11 4/7] virt: sev-guest: interpret VMM errors from guest request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]