From: sashiko-bot@kernel.org
To: "Sean Christopherson" <seanjc@google.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v2 2/2] KVM: TDX: Return EINVAL, not EOPNOTSUPP, for NULL INIT_MEM_REGION source
Date: Tue, 30 Jun 2026 21:49:52 +0000 [thread overview]
Message-ID: <20260630214952.98C851F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630213711.479692-3-seanjc@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The `region.nr_pages << PAGE_SHIFT` calculation can overflow a 64-bit integer, bypassing GPA boundary validation and leading to a host denial of service.
--
commit a54da29c3e4be3226e4ebf9df2f4182c350df998
Author: Sean Christopherson <seanjc@google.com>
KVM: TDX: Return EINVAL, not EOPNOTSUPP, for NULL INIT_MEM_REGION source
Return EINVAL instead of EOPNOTSUPP if userspace attempts to pass a NULL
pointer for the source page of INIT_MEM_REGION, so that KVM's ABI is
consistent between TDX and SNP.
> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
> index ffe9d0db58c59..b0ec054732b90 100644
> --- a/arch/x86/kvm/vmx/tdx.c
> +++ b/arch/x86/kvm/vmx/tdx.c
[ ... ]
> @@ -3247,8 +3244,8 @@ static int tdx_vcpu_init_mem_region(struct kvm_vcpu *vcpu, struct kvm_tdx_cmd *c
> if (copy_from_user(®ion, u64_to_user_ptr(cmd->data), sizeof(region)))
> return -EFAULT;
>
> - if (!PAGE_ALIGNED(region.source_addr) || !PAGE_ALIGNED(region.gpa) ||
> - !region.nr_pages ||
> + if (!PAGE_ALIGNED(region.source_addr) || !region.source_addr ||
> + !PAGE_ALIGNED(region.gpa) || !region.nr_pages ||
> region.gpa + (region.nr_pages << PAGE_SHIFT) <= region.gpa ||
> !vt_is_tdx_private_gpa(kvm, region.gpa) ||
> !vt_is_tdx_private_gpa(kvm, region.gpa + (region.nr_pages << PAGE_SHIFT) - 1))
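Review bot: The two uses of `region.nr_pages << PAGE_SHIFT` in this hunk's context lines (the wrap-around test and the end-of-region `vt_is_tdx_private_gpa()` call) shift before bounding the count, so any `nr_pages` with non-zero top 12 bits has those bits dropped and yields a small length that passes both tests. Since the condition is being reworked here anyway, consider rejecting oversized counts up front, e.g. `region.nr_pages > (U64_MAX >> PAGE_SHIFT)` as an additional term, or computing the length once with `check_shl_overflow()` from `<linux/overflow.h>` and failing on overflow, so that the loop below can never run with a count that the range checks never saw. The added `!region.source_addr` term is needed as written: a zero address is page-aligned, so `PAGE_ALIGNED()` alone does not catch it.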
[Severity: High]
This is a pre-existing issue, but in tdx_vcpu_init_mem_region(), does the
calculation region.nr_pages << PAGE_SHIFT overflow a 64-bit integer?
If userspace calls KVM_TDX_INIT_MEM_REGION with region.nr_pages set to a
value where the top 12 bits are non-zero (e.g., (1ULL << 52) + 1), the left
shift by PAGE_SHIFT discards the top 12 bits, evaluating to a small value.
Does this allow a malicious host userspace to bypass the overflow check
region.gpa + (region.nr_pages << PAGE_SHIFT) <= region.gpa and the
vt_is_tdx_private_gpa bounds check?
If bypassed, the while loop would then iterate based on the large un-shifted
region.nr_pages value. If a guest_memfd is mapped at a shared GPA and
initialization is started just before it, the loop could incrementally walk
into the shared GPA space.
Since KVM invokes tdh_mr_extend on that shared GPA, which the TDX module
rejects, could this trigger KVM's TDX_BUG_ON_2 and cause a host denial of
service?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630213711.479692-1-seanjc@google.com?part=2
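As an added illustration that is not part of this thread or of KVM's code, the following C models the validation in plain user-space terms: the unguarded shift from the hunk beside a form that bounds the page count before shifting. It assumes a 64-bit `nr_pages` (the uAPI struct is three `__u64`s) and uses a constructed private-GPA predicate standing in for `vt_is_tdx_private_gpa()`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel definitions; assumed values, not kernel code. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define PAGE_ALIGNED(x) (((x) & (PAGE_SIZE - 1)) == 0)

/* Same three-field layout as the kvm_tdx_init_mem_region uAPI struct. */
struct init_mem_region {
	uint64_t source_addr;
	uint64_t gpa;
	uint64_t nr_pages;
};

/* Constructed predicate: a 52-bit GPA space whose top bit is the shared bit,
 * so a GPA is "private" when that bit is clear. Stand-in for vt_is_tdx_private_gpa(). */
static bool is_private_gpa(uint64_t gpa)
{
	return gpa < (1ULL << 52) && !(gpa & (1ULL << 51));
}

/* The check as the hunk writes it: the shift silently drops the top 12 bits of
 * nr_pages, so a count such as (1ULL << 52) + 1 becomes a length of one page. */
bool region_ok_naive(const struct init_mem_region *r)
{
	uint64_t len = r->nr_pages << PAGE_SHIFT;

	return PAGE_ALIGNED(r->source_addr) && r->source_addr &&
	       PAGE_ALIGNED(r->gpa) && r->nr_pages &&
	       r->gpa + len > r->gpa &&
	       is_private_gpa(r->gpa) && is_private_gpa(r->gpa + len - 1);
}

/* Hardened form: refuse any count whose shifted value cannot fit in 64 bits,
 * so the length the range checks see is the length the loop would use. */
bool region_ok_hardened(const struct init_mem_region *r)
{
	if (r->nr_pages > (UINT64_MAX >> PAGE_SHIFT))
		return false;
	return region_ok_naive(r);
}

int main(void)
{
	struct init_mem_region r = { 0x1000, 0x1000, (1ULL << 52) + 1 };

	printf("naive=%d hardened=%d\n", region_ok_naive(&r), region_ok_hardened(&r));
	return 0;
}
```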