Re: [PATCH] misc: nsm: bound the device-reported response length

[Bryam Vargas <hexlabsecurity@proton.me>]

On 2026-06-21, Alexander Graf wrote:
> I think as a stick in the ground saying "all virtio drivers are trusted"
> makes a lot of sense given that a lot of the virtualized world runs on
> virtio.

Agreed -- a guest can't attest its backend, so the practical TCB line is the
driver, not the device. I'll treat the NSM transport as untrusted and sweep the
rest of nsm.c on that basis.

> A quick AI scan revealed that the cbor_short_size switch has no default
> branch, which leads to uninitialized array_len.

Confirmed, and it's an uninitialized read rather than an OOB. The switch covers
23..27 with no default, so a device picking 0..22 or 28..31 matches no case and
array_len reaches the two trailing checks unset. Those clamp the result to
<= resp_len - array_offset and <= INT_MAX, so the memcpy in
parse_resp_get_random() stays inside resp->data. What's left is the
uninitialized length plus a plain decode bug: a short array of 0..22 elements is
read from garbage instead of cbor_short_size.

The existing case already handles 23 correctly, so the fix widens that label to
the whole short-form range (same body, no new case value -> no duplicate) and
adds a rejecting default:

-       case CBOR_SHORT_SIZE_MAX_VALUE:        /* short encoding */
+       case 0 ... CBOR_SHORT_SIZE_MAX_VALUE:  /* short form: len IS the value */
                array_len = cbor_short_size;
                break;
        ... U8/U16/U32/U64 cases unchanged ...
+       default:                               /* 28..31 reserved/indefinite */
+               return -EFAULT;

By inspection so far. I'll send that as its own patch this week once it's
through KMSAN here, and the wider nsm.c pass before -rc3.

Thanks for the review,
Bryam