Date: Sun, 21 Sep 2025 12:29:08 +0100
Message-ID: <87plbkxcvv.wl-maz@kernel.org>
From: Marc Zyngier
To: Vincent Donnefort
Cc: oliver.upton@linux.dev, joey.gouly@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, catalin.marinas@arm.com, will@kernel.org, qperret@google.com, sebastianene@google.com, keirf@google.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH v2] KVM: arm64: Check range args for pKVM mem transitions
In-Reply-To: <20250919155056.2648137-1-vdonnefort@google.com>
References: <20250919155056.2648137-1-vdonnefort@google.com>

On Fri, 19 Sep 2025 16:50:56 +0100,
Vincent Donnefort wrote:
>
> There's currently no verification for host issued ranges in most of the
> pKVM memory transitions. The subsequent end boundary might therefore be
> subject to overflow and could evade the later checks.
>
> Close this loophole with an additional check_range_args() check on a per
> public function basis.
>
> host_unshare_guest transition is already protected via
> __check_host_shared_guest(), while assert_host_shared_guest() callers
> are already ignoring host checks.
>
> Signed-off-by: Vincent Donnefort
>
> ---
>
> v1 -> v2:
>   - Also check for (nr_pages * PAGE_SIZE) overflow. (Quentin)
>   - Rename to check_range_args().
>
> diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> index 8957734d6183..65fcd2148f59 100644
> --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> @@ -712,6 +712,14 @@ static int __guest_check_page_state_range(struct pkvm_hyp_vm *vm, u64 addr,
>  	return check_page_state_range(&vm->pgt, addr, size, &d);
>  }
>  
> +static bool check_range_args(u64 start, u64 nr_pages, u64 *size)
> +{
> +	if (check_mul_overflow(nr_pages, PAGE_SIZE, size))
> +		return false;
> +
> +	return start < (start + *size);

I will echo Oliver's concern on v1: you probably want to convert the
boundary check to be inclusive of the end of the range. Otherwise, a
range that ends at the top of the 64bit range will be represented as
0, and fail the check despite being perfectly valid.

That's not a problem for PAs, as we will be stuck with at most 56bit
PAs for quite a while, but VAs are a different story, and this sort of
range check should be valid for VAs as well.

Thanks,

	M.

-- 
Jazz isn't dead. It just smells funny.
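Review bot: the end-of-range test `return start < (start + *size);` in check_range_args() is exclusive, so a range whose last byte sits at the very top of the 64-bit space (start + size wrapping to exactly 0) is refused even though nothing about it overflows; checking the last byte instead, i.e. rejecting `*size == 0` and then requiring `!check_add_overflow(start, *size - 1, &end)`, accepts it while still catching real wraps. The helper also carries no comment stating that nr_pages == 0 is rejected (start < start is false), which is worth documenting at the definition since every public transition is meant to go through it.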
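As an added illustration of the boundary concern raised in the reply (example code, not from the patch or the kernel): a user-space C model of the posted check beside an inclusive-end variant, using the GCC/Clang overflow builtins in place of the kernel's check_mul_overflow()/check_add_overflow(); PAGE_SIZE is assumed to be 4 KiB.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's PAGE_SIZE (4 KiB granule assumed). */
#define PAGE_SIZE 4096ULL

/* Same logic as the posted check_range_args(): reject nr_pages * PAGE_SIZE
 * overflow, then require start < start + size, i.e. an exclusive end. */
static bool check_range_args_exclusive(uint64_t start, uint64_t nr_pages,
				       uint64_t *size)
{
	if (__builtin_mul_overflow(nr_pages, PAGE_SIZE, size))
		return false;
	return start < (start + *size);
}

/* Inclusive-end variant along the lines of the review comment: the range
 * is valid as long as its last byte, start + size - 1, does not wrap.
 * Empty ranges are rejected explicitly (the exclusive form rejects them
 * too, since start < start is never true). */
static bool check_range_args_inclusive(uint64_t start, uint64_t nr_pages,
				       uint64_t *size)
{
	uint64_t last;

	if (__builtin_mul_overflow(nr_pages, PAGE_SIZE, size) || *size == 0)
		return false;
	return !__builtin_add_overflow(start, *size - 1, &last);
}

/* Scratch output for callers that only care about the verdict. */
static uint64_t scratch_size;

int main(void)
{
	/* Constructed input: the very last page of the 64-bit address space. */
	uint64_t top = UINT64_MAX - PAGE_SIZE + 1;

	printf("exclusive check, last page        : %d\n",
	       check_range_args_exclusive(top, 1, &scratch_size));      /* 0 */
	printf("inclusive check, last page        : %d\n",
	       check_range_args_inclusive(top, 1, &scratch_size));      /* 1 */
	printf("inclusive check, two pages, wraps : %d\n",
	       check_range_args_inclusive(top, 2, &scratch_size));      /* 0 */
	printf("inclusive check, nr_pages overflow: %d\n",
	       check_range_args_inclusive(0, UINT64_MAX, &scratch_size)); /* 0 */
	return 0;
}
```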