From: Jörg Rödel
To: Sean Christopherson , Paolo Bonzini
Cc: x86@kernel.org, Kiryl Shutsemau , Rick Edgecombe , Tom Lendacky , Ashish Kalra , Michael Roth , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, Joerg Roedel
Subject: [PATCH 1/4] kvm: sev: Fix user-space triggerable WARN_ON on snp_launch_update path
Date: Tue, 23 Jun 2026 11:15:53 +0200
Message-ID: <20260623091556.1500930-2-joro@8bytes.org>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260623091556.1500930-1-joro@8bytes.org>
References: <20260623091556.1500930-1-joro@8bytes.org>
Precedence: bulk
X-Mailing-List: linux-coco@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Joerg Roedel

Sashiko reported on an unrelated patch:

  [Severity: High]
  This is a pre-existing issue, but can a host userspace process trigger a kernel warning by passing a NULL user address (uaddr = 0) here?

  If params.uaddr is 0, src becomes NULL and passes the PAGE_ALIGNED(src) check. kvm_gmem_populate() skips fetching the user page and passes src_page = NULL to sev_gmem_post_populate(). That function then unconditionally evaluates:

    WARN_ON_ONCE(sev_populate_args->type != KVM_SEV_SNP_PAGE_TYPE_ZERO && !src_page)

  Since the type isn't ZERO, won't this allow an unprivileged user to spam the kernel log?

The assessment is correct, so check for this condition earlier in the snp_launch_update() path to avoid the WARN_ON_ONCE.

Fixes: dee5a47cc7a45 ("KVM: SEV: Add KVM_SEV_SNP_LAUNCH_UPDATE command")
Signed-off-by: Joerg Roedel
---
 arch/x86/kvm/svm/sev.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 6c6a6d663e29..41dcba5180ca 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2438,6 +2438,13 @@ static int snp_launch_update(struct kvm *kvm, struct kvm_sev_cmd *argp) if (!PAGE_ALIGNED(src)) return -EINVAL; + /* + * Make sure user-mode did not pass NULL as src with + * type != KVM_SEV_SNP_PAGE_TYPE_ZERO. + */ + if (src == NULL && params.type != KVM_SEV_SNP_PAGE_TYPE_ZERO) + return -EINVAL; + npages = params.len / PAGE_SIZE; /* -- 2.53.0
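Review bot: The placement is right (after the PAGE_ALIGNED(src) test and before npages is derived from params.len), but kernel style prefers `if (!src && params.type != KVM_SEV_SNP_PAGE_TYPE_ZERO)` over the explicit `src == NULL` comparison, which checkpatch flags. The comment would also be more useful if it said why the combination is rejected here: the commit message explains that kvm_gmem_populate() otherwise passes src_page = NULL into sev_gmem_post_populate(), where the WARN_ON_ONCE fires; stating that turns the later WARN into a documented kernel-internal invariant rather than a userspace-reachable path, and tells the next reader that returning -EINVAL for a NULL source with a non-ZERO page type is intentional ABI behaviour.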