From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-07.mail-europe.com (mail-07.mail-europe.com [188.165.51.139])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B7993624C9
	for <linux-kernel@vger.kernel.org>; Mon, 22 Jun 2026 07:50:39 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=188.165.51.139
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1782114645; cv=none; b=geGsOXOs15E+zfvY9x9X5EUVEKW9pZipK5KwIZYRtkRvubQtLaR1TsGGYlGiRAqYCOGWD3nfDbkb2TZ1oJz2pS1sw+jln3RXryShJVCwLWl3cgZWJ3W6h4MNtu9K49RPTG6ARALd7MbGM0UPIIknpml4z9edyCFLs6kJzW/zucc=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1782114645; c=relaxed/simple;
	bh=a2qIIc0GFFgPjSxLAPW76Ly/7FmFU3eVg3IYwLkSwt8=;
	h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type; b=UBVWAxTLa/UaxsZ6QwDGeimxdltLAw4neyDSYCwlapJxy7S/ph/sxiGQo1ewFkQtPZ4e7YDIBAlNrWFm1GcP6xfcexc6PbxWEUT4819+kuqxgwRIFYYKAGvEBwTp8cgSWUlt372F4hWcw2gGEmWsHpz47WgS4GyjB/oNCQajkZ8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=proton.me; spf=pass smtp.mailfrom=proton.me; dkim=pass (2048-bit key) header.d=proton.me header.i=@proton.me header.b=g4Le3Zsy; arc=none smtp.client-ip=188.165.51.139
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=proton.me
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=proton.me
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=proton.me header.i=@proton.me header.b="g4Le3Zsy"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me;
	s=protonmail; t=1782114624; x=1782373824;
	bh=HX1l2CPzS43Ph+PlMf8fIZDhqt8IDM6LF+yZHA5LlR8=;
	h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
	 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
	 Message-ID:BIMI-Selector;
	b=g4Le3Zsys5ApbS9CsLBUBP9MhA73nCb/3qg7KRS8Kvbz3PX1585u0sLJ63MSd2UwA
	 dLbaixmCJ2hHVIE2x0HpqPo5SkZB903pkixHN0UfSwhFOOgjC7fMEBQfNtrwwNVWaT
	 GGb7qS77Bp+lJdtpxbmMGVwggYKM/k0NSJwLNIdDuXgA7QO1e6BYKwHw1fxXdQHc7T
	 2xzZvZOVWLXqWzSAgyAaXvWTRlRWjVfQVtYv1KkUWFklEKevgqFfw2Oy/XG7JAYfaT
	 S3VtqkHh+fj78WEirroYtLeFm5Jk2baqR+bxZ6xWffyR44DsYI0Gd3d2XfUvpZeSPD
	 hvSL67efbR2BQ==
Date: Mon, 22 Jun 2026 07:50:20 +0000
To: Alexander Graf <graf@amazon.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Arnd Bergmann <arnd@arndb.de>
From: Bryam Vargas <hexlabsecurity@proton.me>
Cc: The AWS Nitro Enclaves Team <aws-nitro-enclaves-devel@amazon.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] misc: nsm: bound the device-reported response length
Message-ID: <20260622075013.51640-1-hexlabsecurity@proton.me>
In-Reply-To: <5fa26d33-fb13-4f74-b972-43b460ac916d@amazon.com>
References: <20260620-b4-disp-a54b7dd6-v1-1-79d1f236a854@proton.me> <2026062124-unsalted-wiry-6920@gregkh> <5fa26d33-fb13-4f74-b972-43b460ac916d@amazon.com>
Feedback-ID: 199661219:user:proton
X-Pm-Message-ID: 2c03fc854af20f077ef0cedba0ed9c7e532622a6
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 2026-06-21, Alexander Graf wrote:
> I think as a stick in the ground saying "all virtio drivers are trusted"
> makes a lot of sense given that a lot of the virtualized world runs on
> virtio.

Agreed -- a guest can't attest its backend, so the practical TCB line is th=
e
driver, not the device. I'll treat the NSM transport as untrusted and sweep=
 the
rest of nsm.c on that basis.

> A quick AI scan revealed that the cbor_short_size switch has no default
> branch, which leads to uninitialized array_len.

Confirmed, and it's an uninitialized read rather than an OOB. The switch co=
vers
23..27 with no default, so a device picking 0..22 or 28..31 matches no case=
 and
array_len reaches the two trailing checks unset. Those clamp the result to
<=3D resp_len - array_offset and <=3D INT_MAX, so the memcpy in
parse_resp_get_random() stays inside resp->data. What's left is the
uninitialized length plus a plain decode bug: a short array of 0..22 elemen=
ts is
read from garbage instead of cbor_short_size.

The existing case already handles 23 correctly, so the fix widens that labe=
l to
the whole short-form range (same body, no new case value -> no duplicate) a=
nd
adds a rejecting default:

-       case CBOR_SHORT_SIZE_MAX_VALUE:        /* short encoding */
+       case 0 ... CBOR_SHORT_SIZE_MAX_VALUE:  /* short form: len IS the va=
lue */
                array_len =3D cbor_short_size;
                break;
        ... U8/U16/U32/U64 cases unchanged ...
+       default:                               /* 28..31 reserved/indefinit=
e */
+               return -EFAULT;

By inspection so far. I'll send that as its own patch this week once it's
through KMSAN here, and the wider nsm.c pass before -rc3.

Thanks for the review,
Bryam