* [PATCH][v4] virt: tdx-guest: Don't free decrypted memory
@ 2024-06-19 11:18 Li RongQing
2024-07-04 1:00 ` Li,Rongqing
2024-11-27 16:48 ` Edgecombe, Rick P
0 siblings, 2 replies; 6+ messages in thread
From: Li RongQing @ 2024-06-19 11:18 UTC (permalink / raw)
To: kirill.shutemov, dave.hansen, x86, linux-coco, linux-kernel,
rick.p.edgecombe
Cc: Li RongQing
In CoCo VMs it is possible for the untrusted host to cause
set_memory_decrypted() to fail such that an error is returned
and the resulting memory is shared. Callers need to take care
to handle these errors to avoid returning decrypted (shared)
memory to the page allocator, which could lead to functional
or security issues.
Leak the decrypted memory when set_memory_decrypted() fails,
and don't need to print an error since set_memory_decrypted()
will call WARN_ONCE().
Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
---
diff with v3: modify the commit log as suggested by Kirill
diff with v2: remove print error
diff with v1: leak the page, and print error
drivers/virt/coco/tdx-guest/tdx-guest.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-guest/tdx-guest.c
index 1253bf7..8575d98 100644
--- a/drivers/virt/coco/tdx-guest/tdx-guest.c
+++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
@@ -124,10 +124,8 @@ static void *alloc_quote_buf(void)
if (!addr)
return NULL;
- if (set_memory_decrypted((unsigned long)addr, count)) {
- free_pages_exact(addr, len);
+ if (set_memory_decrypted((unsigned long)addr, count))
return NULL;
- }
return addr;
}
--
2.9.4
^ permalink raw reply related [flat|nested] 6+ messages in thread
* RE: [PATCH][v4] virt: tdx-guest: Don't free decrypted memory
2024-06-19 11:18 [PATCH][v4] virt: tdx-guest: Don't free decrypted memory Li RongQing
@ 2024-07-04 1:00 ` Li,Rongqing
2024-11-27 6:25 ` 答复: " Li,Rongqing
2024-11-27 16:48 ` Edgecombe, Rick P
1 sibling, 1 reply; 6+ messages in thread
From: Li,Rongqing @ 2024-07-04 1:00 UTC (permalink / raw)
To: kirill.shutemov@linux.intel.com, dave.hansen@linux.intel.com,
x86@kernel.org, linux-coco@lists.linux.dev,
linux-kernel@vger.kernel.org, rick.p.edgecombe@intel.com
> In CoCo VMs it is possible for the untrusted host to cause
> set_memory_decrypted() to fail such that an error is returned and the resulting
> memory is shared. Callers need to take care to handle these errors to avoid
> returning decrypted (shared) memory to the page allocator, which could lead to
> functional or security issues.
>
> Leak the decrypted memory when set_memory_decrypted() fails, and don't
> need to print an error since set_memory_decrypted() will call WARN_ONCE().
>
> Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> Signed-off-by: Li RongQing <lirongqing@baidu.com>
> ---
Ping
Thank
-LiRongQing
^ permalink raw reply [flat|nested] 6+ messages in thread
* 答复: [PATCH][v4] virt: tdx-guest: Don't free decrypted memory
2024-07-04 1:00 ` Li,Rongqing
@ 2024-11-27 6:25 ` Li,Rongqing
0 siblings, 0 replies; 6+ messages in thread
From: Li,Rongqing @ 2024-11-27 6:25 UTC (permalink / raw)
To: kirill.shutemov@linux.intel.com, dave.hansen@linux.intel.com,
x86@kernel.org, linux-coco@lists.linux.dev,
linux-kernel@vger.kernel.org, rick.p.edgecombe@intel.com
> > In CoCo VMs it is possible for the untrusted host to cause
> > set_memory_decrypted() to fail such that an error is returned and the
> > resulting memory is shared. Callers need to take care to handle these
> > errors to avoid returning decrypted (shared) memory to the page
> > allocator, which could lead to functional or security issues.
> >
> > Leak the decrypted memory when set_memory_decrypted() fails, and don't
> > need to print an error since set_memory_decrypted() will call WARN_ONCE().
> >
> > Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> > Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> > Signed-off-by: Li RongQing <lirongqing@baidu.com>
> > ---
>
>
> Ping
Ping
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH][v4] virt: tdx-guest: Don't free decrypted memory
2024-06-19 11:18 [PATCH][v4] virt: tdx-guest: Don't free decrypted memory Li RongQing
2024-07-04 1:00 ` Li,Rongqing
@ 2024-11-27 16:48 ` Edgecombe, Rick P
2024-12-02 18:05 ` Dave Hansen
1 sibling, 1 reply; 6+ messages in thread
From: Edgecombe, Rick P @ 2024-11-27 16:48 UTC (permalink / raw)
To: kirill.shutemov@linux.intel.com, linux-coco@lists.linux.dev,
Li, Rongqing, linux-kernel@vger.kernel.org,
dave.hansen@linux.intel.com, x86@kernel.org
On Wed, 2024-06-19 at 19:18 +0800, Li RongQing wrote:
> In CoCo VMs it is possible for the untrusted host to cause
> set_memory_decrypted() to fail such that an error is returned
> and the resulting memory is shared. Callers need to take care
> to handle these errors to avoid returning decrypted (shared)
> memory to the page allocator, which could lead to functional
> or security issues.
>
> Leak the decrypted memory when set_memory_decrypted() fails,
> and don't need to print an error since set_memory_decrypted()
> will call WARN_ONCE().
>
> Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> Signed-off-by: Li RongQing <lirongqing@baidu.com>
It needs a Fixes tag.
Fixes: f4738f56d1dc ("virt: tdx-guest: Add Quote generation support using
TSM_REPORTS")
I think it is a worthwhile fix. Without it the guest can be tricked into freeing
shared pages, or trying to execute from them and crashing.
I'm not sure how we missed this case, but from the fixes commit date it may have
been in-flight somewhere when I was doing the treewide search.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH][v4] virt: tdx-guest: Don't free decrypted memory
2024-11-27 16:48 ` Edgecombe, Rick P
@ 2024-12-02 18:05 ` Dave Hansen
2024-12-02 18:10 ` Edgecombe, Rick P
0 siblings, 1 reply; 6+ messages in thread
From: Dave Hansen @ 2024-12-02 18:05 UTC (permalink / raw)
To: Edgecombe, Rick P, kirill.shutemov@linux.intel.com,
linux-coco@lists.linux.dev, Li, Rongqing,
linux-kernel@vger.kernel.org, dave.hansen@linux.intel.com,
x86@kernel.org
On 11/27/24 08:48, Edgecombe, Rick P wrote:
> On Wed, 2024-06-19 at 19:18 +0800, Li RongQing wrote:
>> In CoCo VMs it is possible for the untrusted host to cause
>> set_memory_decrypted() to fail such that an error is returned
>> and the resulting memory is shared. Callers need to take care
>> to handle these errors to avoid returning decrypted (shared)
>> memory to the page allocator, which could lead to functional
>> or security issues.
>>
>> Leak the decrypted memory when set_memory_decrypted() fails,
>> and don't need to print an error since set_memory_decrypted()
>> will call WARN_ONCE().
>>
>> Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
>> Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
>> Signed-off-by: Li RongQing <lirongqing@baidu.com>
> It needs a Fixes tag.
> Fixes: f4738f56d1dc ("virt: tdx-guest: Add Quote generation support using
> TSM_REPORTS")
>
> I think it is a worthwhile fix. Without it the guest can be tricked into freeing
> shared pages, or trying to execute from them and crashing.
Does this need a "Fixes" and cc:stable@?
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH][v4] virt: tdx-guest: Don't free decrypted memory
2024-12-02 18:05 ` Dave Hansen
@ 2024-12-02 18:10 ` Edgecombe, Rick P
0 siblings, 0 replies; 6+ messages in thread
From: Edgecombe, Rick P @ 2024-12-02 18:10 UTC (permalink / raw)
To: kirill.shutemov@linux.intel.com, linux-coco@lists.linux.dev,
Hansen, Dave, Li, Rongqing, linux-kernel@vger.kernel.org,
dave.hansen@linux.intel.com, x86@kernel.org
On Mon, 2024-12-02 at 10:05 -0800, Dave Hansen wrote:
> On 11/27/24 08:48, Edgecombe, Rick P wrote:
> > On Wed, 2024-06-19 at 19:18 +0800, Li RongQing wrote:
> > > In CoCo VMs it is possible for the untrusted host to cause
> > > set_memory_decrypted() to fail such that an error is returned
> > > and the resulting memory is shared. Callers need to take care
> > > to handle these errors to avoid returning decrypted (shared)
> > > memory to the page allocator, which could lead to functional
> > > or security issues.
> > >
> > > Leak the decrypted memory when set_memory_decrypted() fails,
> > > and don't need to print an error since set_memory_decrypted()
> > > will call WARN_ONCE().
> > >
> > > Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> > > Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> > > Signed-off-by: Li RongQing <lirongqing@baidu.com>
> > It needs a Fixes tag.
> > Fixes: f4738f56d1dc ("virt: tdx-guest: Add Quote generation support using
> > TSM_REPORTS")
> >
> > I think it is a worthwhile fix. Without it the guest can be tricked into freeing
> > shared pages, or trying to execute from them and crashing.
>
> Does this need a "Fixes" and cc:stable@?
Oh yea, probably worth a cc:stable too.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-12-02 18:10 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-06-19 11:18 [PATCH][v4] virt: tdx-guest: Don't free decrypted memory Li RongQing
2024-07-04 1:00 ` Li,Rongqing
2024-11-27 6:25 ` 答复: " Li,Rongqing
2024-11-27 16:48 ` Edgecombe, Rick P
2024-12-02 18:05 ` Dave Hansen
2024-12-02 18:10 ` Edgecombe, Rick P
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).