Message ID | 20221214202046.719598-1-pgonda@google.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:e747:0:0:0:0:0 with SMTP id c7csp455539wrn; Wed, 14 Dec 2022 12:40:16 -0800 (PST) X-Google-Smtp-Source: AA0mqf5v/o0lXk9Mb15fDr6ZLv2VhT9zA8TR3xTCk9GRYmVXOU3RzcUc+jART1Lk3WFp4dofVcUg X-Received: by 2002:a05:6a20:1395:b0:a9:e225:6f7b with SMTP id w21-20020a056a20139500b000a9e2256f7bmr48253623pzh.0.1671050416652; Wed, 14 Dec 2022 12:40:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1671050416; cv=none; d=google.com; s=arc-20160816; b=KsoW5lu79FdmF4wU32Gkn5ElvfBKm9ZB2R1OJJXvyT8z7CXlDZIhiMiWkvFxJzpTyF siWScpNpXeAOziimgRdfbZPGH0DO4+K3JMQwr2343z2yGJ3TGZ2lhUSTSxj8EziqZzhe MmVVcq2m+J46YTVFIyVaa/Zbya9x+fZrcGBOTk/c1ioKNjYeR4DLjE6zs8LiR8v6DbWG i7j3X4FN0xBUkdGF4QiqGrHVaQp5ReCgXaltmSCVYTL7Da2tLjKSjIuYXdYIAOFyKGCK MquoMPKEN7cmdQq/Gj7oJuxmfpbZuIuf5eDhaxcec9/pCkHKAC6ZGR5Z6IrzemyuvoWu vs8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:mime-version:message-id:date :dkim-signature; bh=L22LQH7KmOjrT8G6djNy9I40Y6DACrH51I/z1yt47rc=; b=B8cCyy4XFkII7UE5Vek4mwg1UaXCSoKOmLeznIaLhPZo3rHS4lT/cC5CeB5gORe/c9 70qXjwIb9B+zV/X2lL+oMMue1J7dBa2s8kIL0VJlEUZidNDnId2GFJv/p3S890SufHjC L4pYq5Xz6RiDL/Zxu12PhdgU/4W8xCg7xA40CcGfkQ5f+7Hp4qpABXTLKR1oVUdQspmt I6LXyJpT2h8w5tMZ2rsS1DOUUzztAiQVS7No7UI8C0TVqsLCtK0Q6VSf2KYK+wMIImSo MrJMOQ1gE5KcLKrsl7jUS0Y3zmvWvRzgLaXt19KBStZjeKMiZdzQ7m+qbQOkT3lpmUJ1 fPzA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=UXt16Brg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 131-20020a630189000000b00454a7fa276esi751705pgb.224.2022.12.14.12.40.03; Wed, 14 Dec 2022 12:40:16 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=UXt16Brg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230198AbiLNUcx (ORCPT <rfc822;jeantsuru.cumc.mandola@gmail.com> + 99 others); Wed, 14 Dec 2022 15:32:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36554 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230187AbiLNUcd (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Wed, 14 Dec 2022 15:32:33 -0500 Received: from mail-yb1-xb4a.google.com (mail-yb1-xb4a.google.com [IPv6:2607:f8b0:4864:20::b4a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4F89E5436C for <linux-kernel@vger.kernel.org>; Wed, 14 Dec 2022 12:21:03 -0800 (PST) Received: by mail-yb1-xb4a.google.com with SMTP id t5-20020a5b07c5000000b006dfa2102debso1098889ybq.4 for <linux-kernel@vger.kernel.org>; Wed, 14 Dec 2022 12:21:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:mime-version:message-id:date:from:to:cc:subject :date:message-id:reply-to; bh=L22LQH7KmOjrT8G6djNy9I40Y6DACrH51I/z1yt47rc=; b=UXt16BrghWlfjJ3XF28huqJShfounRuXVxB3uz3pPGPcotNdlL2dNrrOF5OwG3WvTt 7fgw/t0HRdPYJAl48IqtiQ3QRWCzeJZozMRHvgzy97kLH8vWOkBNK6Hd+2UeQzPo/kLZ Xq+FAPFw8iWaFFifDrqEwYCRDMwY8Xsgd4b3FPUqP0MPS9FsW/vVNeeZ9IyLQ63P8XRM Jw7Pwrx7WNqbEbmY2mO0Nm4MdgutDRFg/T4crCr2s/m8G1BP3+0ISXdsrYdlxo69VWy8 e174P5Io5tr8AuA8LO/U9kGHNroBuh0mvPHmAbW/eJtHybSPiucqDw0huwjzo60NqAm9 0o7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:mime-version:message-id:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=L22LQH7KmOjrT8G6djNy9I40Y6DACrH51I/z1yt47rc=; b=4ZrsszsbAx7ZqImgcPF5itZJhhHHRrWUAIS9H9TPNV03uX90o/FhZoq8awgb9yyCE1 xmIPXvd9L1xVDWjgQkJlo9vSat2ykN4HOLikREXhI04XAbVph6Ay6seKSTLlzUa0ejzm T/xkDVeedmYmWCrIbThSNjsxY9as/BPs2yxwY+xPucQs91pSDhurIIebRnu18ZgpfJcl I01AydfOReLn0o7chEATNueGM9gMrGmqOIuauUpwAVb7rlyv5h+NkJc1jJHQL9NH/3F3 VuC5VWO7hvUqWU5LjruXYBUfvEpQHOtXEcYJUJJ2rhRdj+jn5C96K+Z/ZivUcT7f8/fZ tZ/Q== X-Gm-Message-State: ANoB5pkFrJrvgEY0oZob9cf22ozttbwiFnEG74BzsgrScT5q8GXM0aSc zPYWReclt9TZ8n6SHAjgtQgCyyQI4lY= X-Received: from pgonda1.kir.corp.google.com ([2620:0:1008:11:19c4:743c:e0e0:b558]) (user=pgonda job=sendgmr) by 2002:a25:8743:0:b0:6f0:c9e7:68bf with SMTP id e3-20020a258743000000b006f0c9e768bfmr68411640ybn.78.1671049262522; Wed, 14 Dec 2022 12:21:02 -0800 (PST) Date: Wed, 14 Dec 2022 12:20:46 -0800 Message-Id: <20221214202046.719598-1-pgonda@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.39.0.rc1.256.g54fd8350bd-goog Subject: [PATCH] crypto: ccp - Limit memory allocation in SEV_GET_ID2 ioctl From: Peter Gonda <pgonda@google.com> To: herbert@gondor.apana.org.au Cc: Peter Gonda <pgonda@google.com>, Andy Nguyen <theflow@google.com>, David Rientjes <rientjes@google.com>, stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, John Allen <john.allen@amd.com>, "Thomas . Lendacky" <thomas.lendacky@amd.com> Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1752223361264506801?= X-GMAIL-MSGID: =?utf-8?q?1752223361264506801?= |
Series |
crypto: ccp - Limit memory allocation in SEV_GET_ID2 ioctl
|
|
Commit Message
Peter Gonda
Dec. 14, 2022, 8:20 p.m. UTC
Currently userspace can ask for any uint32 size allocation for the
SEV_GET_ID2. Limit this allocation size to the max physically
contiguously allocation: MAX_ORDER.
Reported-by: Andy Nguyen <theflow@google.com>
Suggested-by: David Rientjes <rientjes@google.com>
Signed-off-by: Peter Gonda <pgonda@google.com>
Cc: stable@vger.kernel.org
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-kernel@vger.kernel.org
Cc: linux-crypto@vger.kernel.org
Cc: John Allen <john.allen@amd.com>
Cc: Thomas.Lendacky <thomas.lendacky@amd.com>
---
drivers/crypto/ccp/sev-dev.c | 4 ++++
1 file changed, 4 insertions(+)
Comments
On Wed, Dec 14, 2022 at 12:20:46PM -0800, Peter Gonda wrote: > Currently userspace can ask for any uint32 size allocation for the > SEV_GET_ID2. Limit this allocation size to the max physically > contiguously allocation: MAX_ORDER. This is just to silence the alloc_pages warning, right? If so how about adding __GFP_NOWARN instead? Cheers,
On Thu, 15 Dec 2022, Herbert Xu wrote: > On Wed, Dec 14, 2022 at 12:20:46PM -0800, Peter Gonda wrote: > > Currently userspace can ask for any uint32 size allocation for the > > SEV_GET_ID2. Limit this allocation size to the max physically > > contiguously allocation: MAX_ORDER. > > This is just to silence the alloc_pages warning, right? If so > how about adding __GFP_NOWARN instead? > The goal was to be more explicit about that, but setting __GFP_NOWARN would result in the same functional behavior. If we're to go that route, it would likely be best to add a comment about the limitation. That said, if AMD would prefer this to be an EINVAL instead of a ENOMEM by introducing a more formal limitation on the length that can be used, that would be preferred so that we don't need to rely on the page allocator's max length to enforce this arbitrarily.
On Tue, Dec 27, 2022 at 05:42:31PM -0800, David Rientjes wrote: > > The goal was to be more explicit about that, but setting __GFP_NOWARN > would result in the same functional behavior. If we're to go that route, > it would likely be best to add a comment about the limitation. > > That said, if AMD would prefer this to be an EINVAL instead of a ENOMEM by > introducing a more formal limitation on the length that can be used, that > would be preferred so that we don't need to rely on the page allocator's > max length to enforce this arbitrarily. Ideally the limit should be set according to the object that you're trying to allocate. But if that is truly unlimited, and you don't want to see a warning, then GFP_NOWARN seems to fit the bill. Thanks,
On Wed, 28 Dec 2022, Herbert Xu wrote: > On Tue, Dec 27, 2022 at 05:42:31PM -0800, David Rientjes wrote: > > > > The goal was to be more explicit about that, but setting __GFP_NOWARN > > would result in the same functional behavior. If we're to go that route, > > it would likely be best to add a comment about the limitation. > > > > That said, if AMD would prefer this to be an EINVAL instead of a ENOMEM by > > introducing a more formal limitation on the length that can be used, that > > would be preferred so that we don't need to rely on the page allocator's > > max length to enforce this arbitrarily. > > Ideally the limit should be set according to the object that > you're trying to allocate. But if that is truly unlimited, > and you don't want to see a warning, then GFP_NOWARN seems to > fit the bill. > AMD would be able to speak authoritatively on it, but I think the length of the ID isn't to be assumed by software because it will likely change later. I don't think there's an active vulnerability with the currnet code so we can likely drop stable@vger.kernel.org for this. The kzalloc() will fail if you try to allocate over 2MB. If you try to allocate >32KB, the page allocator will attempt to reclaim but won't oom kill. If you try to allocate <=32KB, there's the potential for oom kill if nothing is reclaimable, but if memory is that scarce I think we have bigger problems. So __GFP_NOWARN will work, but I also think it's subtle enough that it warrants being coupled with a comment.
diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 06fc7156c04f..5c16c4406764 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -878,6 +878,10 @@ static int sev_ioctl_do_get_id2(struct sev_issue_cmd *argp) if (copy_from_user(&input, (void __user *)argp->data, sizeof(input))) return -EFAULT; + /* Max length that can be allocated physically contiguously */ + if (get_order(input.length) >= MAX_ORDER) + return -ENOMEM; + input_address = (void __user *)input.address; if (input.address && input.length) {