* [PATCH] crypto: ccp: Fix SNP range list bounds check
From: ZongYao.Chen @ 2026-06-12 9:25 UTC (permalink / raw)
To: Ashish Kalra, Tom Lendacky, John Allen, Herbert Xu,
David S. Miller
Cc: Michael Roth, Jarkko Sakkinen, Borislav Petkov (AMD),
Brijesh Singh, Tianjia Zhang, linux-crypto, linux-kernel,
Zongyao Chen, stable
From: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

snp_filter_reserved_mem_regions() checks the range list size before
adding a new entry. If the page-sized SNP_INIT_EX buffer is already
full, the next matching resource can still write one entry past the end
of the buffer.

Check that there is room for the next entry before appending it, and
compute the next entry pointer only after the bounds check.

Fixes: 1ca5614b84ee ("crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP")
Cc: stable@vger.kernel.org
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
---
drivers/crypto/ccp/sev-dev.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index d1e9e0ac63b6..9e6efb3ec175 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -1324,17 +1324,19 @@ static int snp_get_platform_data(struct sev_device *sev, int *error)
static int snp_filter_reserved_mem_regions(struct resource *rs, void *arg)
{
struct sev_data_range_list *range_list = arg;
- struct sev_data_range *range = &range_list->ranges[range_list->num_elements];
+ struct sev_data_range *range;
size_t size;
/*
* Ensure the list of HV_FIXED pages that will be passed to firmware
* do not exceed the page-sized argument buffer.
*/
- if ((range_list->num_elements * sizeof(struct sev_data_range) +
+ if (((range_list->num_elements + 1) * sizeof(struct sev_data_range) +
sizeof(struct sev_data_range_list)) > PAGE_SIZE)
return -E2BIG;
+ range = &range_list->ranges[range_list->num_elements];
+
switch (rs->desc) {
case E820_TYPE_RESERVED:
case E820_TYPE_PMEM:
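Review bot: The room check in the changed if sits before switch (rs->desc), so once the buffer holds its last entry the callback returns -E2BIG for every later resource, including one whose desc matches no case and would append nothing. If the walk can visit non-matching resources, an exactly-full list becomes an error; consider performing the check only on the path that actually writes through range and bumps num_elements, or say in the commit message that failing early is intended.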
--
2.47.3
* Re: [PATCH] crypto: ccp: Fix SNP range list bounds check
From: Tom Lendacky @ 2026-06-12 13:05 UTC (permalink / raw)
To: ZongYao.Chen, Ashish Kalra, John Allen, Herbert Xu,
David S. Miller
Cc: Michael Roth, Jarkko Sakkinen, Borislav Petkov (AMD),
Brijesh Singh, Tianjia Zhang, linux-crypto, linux-kernel, stable
On 6/12/26 04:25, ZongYao.Chen@linux.alibaba.com wrote:
> From: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
>
> snp_filter_reserved_mem_regions() checks the range list size before
> adding a new entry. If the page-sized SNP_INIT_EX buffer is already
> full, the next matching resource can still write one entry past the end
> of the buffer.
>
> Check that there is room for the next entry before appending it, and
> compute the next entry pointer only after the bounds check.
>
> Fixes: 1ca5614b84ee ("crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
Thanks for the submission, but this has already been fixed with
1b864b6cb213 ("crypto: ccp - Fix snp_filter_reserved_mem_regions()
off-by-one")
Thanks,
Tom
> ---
> drivers/crypto/ccp/sev-dev.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index d1e9e0ac63b6..9e6efb3ec175 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -1324,17 +1324,19 @@ static int snp_get_platform_data(struct sev_device *sev, int *error)
> static int snp_filter_reserved_mem_regions(struct resource *rs, void *arg)
> {
> struct sev_data_range_list *range_list = arg;
> - struct sev_data_range *range = &range_list->ranges[range_list->num_elements];
> + struct sev_data_range *range;
> size_t size;
>
> /*
> * Ensure the list of HV_FIXED pages that will be passed to firmware
> * do not exceed the page-sized argument buffer.
> */
> - if ((range_list->num_elements * sizeof(struct sev_data_range) +
> + if (((range_list->num_elements + 1) * sizeof(struct sev_data_range) +
> sizeof(struct sev_data_range_list)) > PAGE_SIZE)
> return -E2BIG;
>
> + range = &range_list->ranges[range_list->num_elements];
> +
> switch (rs->desc) {
> case E820_TYPE_RESERVED:
> case E820_TYPE_PMEM:
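Review bot: The changed if still open-codes the buffer size as (num_elements + 1) * sizeof(struct sev_data_range) + sizeof(struct sev_data_range_list), which is the kind of expression that hid the off-by-one in the first place. If ranges is a flexible array member, struct_size(range_list, ranges, range_list->num_elements + 1) > PAGE_SIZE states the same condition in one call and saturates on overflow instead of wrapping.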
> --
> 2.47.3
>
* Re: [PATCH] crypto: ccp: Fix SNP range list bounds check
From: Tycho Andersen @ 2026-06-12 15:18 UTC (permalink / raw)
To: ZongYao.Chen
Cc: Ashish Kalra, Tom Lendacky, John Allen, Herbert Xu,
David S. Miller, Michael Roth, Jarkko Sakkinen,
Borislav Petkov (AMD), Brijesh Singh, Tianjia Zhang, linux-crypto,
linux-kernel, stable
On Fri, Jun 12, 2026 at 05:25:25PM +0800, ZongYao.Chen@linux.alibaba.com wrote:
> From: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
>
> snp_filter_reserved_mem_regions() checks the range list size before
> adding a new entry. If the page-sized SNP_INIT_EX buffer is already
> full, the next matching resource can still write one entry past the end
> of the buffer.
>
> Check that there is room for the next entry before appending it, and
> compute the next entry pointer only after the bounds check.
> Fixes: 1ca5614b84ee ("crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
I believe there is a version of this in the crypto tree already as
1b864b6cb213 ("crypto: ccp - Fix snp_filter_reserved_mem_regions()
off-by-one").
Thanks,
Tycho
* Re: [PATCH] crypto: ccp: Fix SNP range list bounds check
From: Jarkko Sakkinen @ 2026-06-15 12:05 UTC (permalink / raw)
To: ZongYao.Chen
Cc: Ashish Kalra, Tom Lendacky, John Allen, Herbert Xu,
David S. Miller, Michael Roth, Borislav Petkov (AMD),
Brijesh Singh, Tianjia Zhang, linux-crypto, linux-kernel, stable
On Fri, Jun 12, 2026 at 05:25:25PM +0800, ZongYao.Chen@linux.alibaba.com wrote:
> From: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
>
> snp_filter_reserved_mem_regions() checks the range list size before
> adding a new entry. If the page-sized SNP_INIT_EX buffer is already
> full, the next matching resource can still write one entry past the end
> of the buffer.
>
> Check that there is room for the next entry before appending it, and
> compute the next entry pointer only after the bounds check.
>
> Fixes: 1ca5614b84ee ("crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
> ---
> drivers/crypto/ccp/sev-dev.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index d1e9e0ac63b6..9e6efb3ec175 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -1324,17 +1324,19 @@ static int snp_get_platform_data(struct sev_device *sev, int *error)
> static int snp_filter_reserved_mem_regions(struct resource *rs, void *arg)
> {
> struct sev_data_range_list *range_list = arg;
> - struct sev_data_range *range = &range_list->ranges[range_list->num_elements];
> + struct sev_data_range *range;
> size_t size;
>
> /*
> * Ensure the list of HV_FIXED pages that will be passed to firmware
> * do not exceed the page-sized argument buffer.
> */
> - if ((range_list->num_elements * sizeof(struct sev_data_range) +
> + if (((range_list->num_elements + 1) * sizeof(struct sev_data_range) +
> sizeof(struct sev_data_range_list)) > PAGE_SIZE)
> return -E2BIG;
>
> + range = &range_list->ranges[range_list->num_elements];
> +
> switch (rs->desc) {
> case E820_TYPE_RESERVED:
> case E820_TYPE_PMEM:
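Review bot: The comment above the changed check is left as is and still only says the list must not exceed the page-sized argument buffer, while the condition now accounts for the entry about to be appended. Update it to say that room for one more entry is required, and fix "do not exceed" to "does not exceed" while this block is being changed.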
> --
> 2.47.3
>
Obvious enough:
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko