* [PATCH] misc: nsm: bound the device-reported response length
@ 2026-06-21 2:42 ` Bryam Vargas via B4 Relay
0 siblings, 0 replies; 4+ messages in thread
From: Bryam Vargas @ 2026-06-21 2:42 UTC (permalink / raw)
To: Greg Kroah-Hartman, Arnd Bergmann, Alexander Graf
Cc: linux-kernel, The AWS Nitro Enclaves Team
nsm_sendrecv_msg_locked() stores the virtqueue used-ring length reported
by the NSM device into msg->resp.len without bounding it to the response
buffer. A malicious or buggy backend can report a length larger than the
response buffer; parse_resp_raw() then copies that many bytes out of the
fixed buffer to user space, disclosing adjacent kernel heap (an
out-of-bounds read). The request path already floors its length in
fill_req_raw(); the response path lacks the symmetric check.
Clamp the stored length to the size of the response buffer. Well-behaved
devices report no more than the posted buffer size, so conforming traffic
is unaffected.
Fixes: b9873755a6c8 ("misc: Add Nitro Secure Module driver")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
---
drivers/misc/nsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/nsm.c b/drivers/misc/nsm.c
index ef7b32742340..f759fbba049a 100644
--- a/drivers/misc/nsm.c
+++ b/drivers/misc/nsm.c
@@ -243,7 +243,7 @@ static int nsm_sendrecv_msg_locked(struct nsm *nsm)
goto cleanup;
}
- msg->resp.len = len;
+ msg->resp.len = min_t(unsigned int, len, sizeof(msg->resp.data));
rc = 0;
---
base-commit: 1a3746ccbb0a97bed3c06ccde6b880013b1dddc1
change-id: 20260620-b4-disp-a54b7dd6-4cbda73d614b
Best regards,
--
Bryam Vargas <hexlabsecurity@proton.me>
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH] misc: nsm: bound the device-reported response length
@ 2026-06-21 2:42 ` Bryam Vargas via B4 Relay
0 siblings, 0 replies; 4+ messages in thread
From: Bryam Vargas via B4 Relay @ 2026-06-21 2:42 UTC (permalink / raw)
To: Greg Kroah-Hartman, Arnd Bergmann, Alexander Graf
Cc: linux-kernel, The AWS Nitro Enclaves Team
From: Bryam Vargas <hexlabsecurity@proton.me>
nsm_sendrecv_msg_locked() stores the virtqueue used-ring length reported
by the NSM device into msg->resp.len without bounding it to the response
buffer. A malicious or buggy backend can report a length larger than the
response buffer; parse_resp_raw() then copies that many bytes out of the
fixed buffer to user space, disclosing adjacent kernel heap (an
out-of-bounds read). The request path already floors its length in
fill_req_raw(); the response path lacks the symmetric check.
Clamp the stored length to the size of the response buffer. Well-behaved
devices report no more than the posted buffer size, so conforming traffic
is unaffected.
Fixes: b9873755a6c8 ("misc: Add Nitro Secure Module driver")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
---
drivers/misc/nsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/nsm.c b/drivers/misc/nsm.c
index ef7b32742340..f759fbba049a 100644
--- a/drivers/misc/nsm.c
+++ b/drivers/misc/nsm.c
@@ -243,7 +243,7 @@ static int nsm_sendrecv_msg_locked(struct nsm *nsm)
goto cleanup;
}
- msg->resp.len = len;
+ msg->resp.len = min_t(unsigned int, len, sizeof(msg->resp.data));
rc = 0;
---
base-commit: 1a3746ccbb0a97bed3c06ccde6b880013b1dddc1
change-id: 20260620-b4-disp-a54b7dd6-4cbda73d614b
Best regards,
--
Bryam Vargas <hexlabsecurity@proton.me>
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] misc: nsm: bound the device-reported response length
2026-06-21 2:42 ` Bryam Vargas via B4 Relay
(?)
@ 2026-06-21 5:38 ` Greg Kroah-Hartman
2026-06-21 8:07 ` Graf (AWS), Alexander
-1 siblings, 1 reply; 4+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-21 5:38 UTC (permalink / raw)
To: hexlabsecurity
Cc: Arnd Bergmann, Alexander Graf, linux-kernel,
The AWS Nitro Enclaves Team
On Sat, Jun 20, 2026 at 09:42:11PM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@proton.me>
>
> nsm_sendrecv_msg_locked() stores the virtqueue used-ring length reported
> by the NSM device into msg->resp.len without bounding it to the response
> buffer. A malicious or buggy backend can report a length larger than the
> response buffer; parse_resp_raw() then copies that many bytes out of the
> fixed buffer to user space, disclosing adjacent kernel heap (an
> out-of-bounds read). The request path already floors its length in
> fill_req_raw(); the response path lacks the symmetric check.
>
> Clamp the stored length to the size of the response buffer. Well-behaved
> devices report no more than the posted buffer size, so conforming traffic
> is unaffected.
Is this really the only place where a "buggy" device that is bound to
the driver can cause any problems? Shouldn't the driver only be bound
to trusted devices to start with?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] misc: nsm: bound the device-reported response length
2026-06-21 5:38 ` Greg Kroah-Hartman
@ 2026-06-21 8:07 ` Graf (AWS), Alexander
0 siblings, 0 replies; 4+ messages in thread
From: Graf (AWS), Alexander @ 2026-06-21 8:07 UTC (permalink / raw)
To: Greg Kroah-Hartman, hexlabsecurity@proton.me
Cc: Arnd Bergmann, linux-kernel@vger.kernel.org,
The AWS Nitro Enclaves Team
On 21.06.26 07:38, Greg Kroah-Hartman wrote:
> On Sat, Jun 20, 2026 at 09:42:11PM -0500, Bryam Vargas via B4 Relay wrote:
>> From: Bryam Vargas <hexlabsecurity@proton.me>
>>
>> nsm_sendrecv_msg_locked() stores the virtqueue used-ring length reported
>> by the NSM device into msg->resp.len without bounding it to the response
>> buffer. A malicious or buggy backend can report a length larger than the
>> response buffer; parse_resp_raw() then copies that many bytes out of the
>> fixed buffer to user space, disclosing adjacent kernel heap (an
>> out-of-bounds read). The request path already floors its length in
>> fill_req_raw(); the response path lacks the symmetric check.
>>
>> Clamp the stored length to the size of the response buffer. Well-behaved
>> devices report no more than the posted buffer size, so conforming traffic
>> is unaffected.
> Is this really the only place where a "buggy" device that is bound to
> the driver can cause any problems? Shouldn't the driver only be bound
> to trusted devices to start with?
It's close to impossible to understand whether the backing device is
"trusted" or not from a VM's point of view. Even all the fancy "trusted
PCIe" logic is about as secure as "secure HDMI": not at all. The best
thing a VM can do is trust specific drivers IMHO to reduce its TCB. I
think as a stick in the ground saying "all virtio drivers are trusted"
makes a lot of sense given that a lot of the virtualized world runs on
virtio.
Bryam, under that premise, could you please also look at other parts of
the nsm driver that could potentially break the premise of a malicious
host? A quick AI scan revealed that the cbor_short_size switch has no
default branch, which leads to uninitialized array_len. Since the report
looks heavily AI influenced, maybe yours actually finds more?
For this patch:
Reviewed-by: Alexander Graf <graf@amazon.com>
Thanks,
Alex
Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-06-21 8:07 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-21 2:42 [PATCH] misc: nsm: bound the device-reported response length Bryam Vargas
2026-06-21 2:42 ` Bryam Vargas via B4 Relay
2026-06-21 5:38 ` Greg Kroah-Hartman
2026-06-21 8:07 ` Graf (AWS), Alexander
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.