* [PATCH][v2] virt: tdx-guest: Don't free decrypted memory
@ 2024-06-14 5:14 Li RongQing
2024-06-14 16:13 ` Edgecombe, Rick P
0 siblings, 1 reply; 3+ messages in thread
From: Li RongQing @ 2024-06-14 5:14 UTC (permalink / raw)
To: kirill.shutemov, dave.hansen, x86, linux-coco, linux-kernel,
rick.p.edgecombe
Cc: Li RongQing
In CoCo VMs it is possible for the untrusted host to cause
set_memory_decrypted() to fail such that an error is returned
and the resulting memory is shared. Callers need to take care
to handle these errors to avoid returning decrypted (shared)
memory to the page allocator, which could lead to functional
or security issues.
So when set_memory_decrypted fails, leak decrypted memory, and
print an error message
Signed-off-by: Li RongQing <lirongqing@baidu.com>
---
diff with v1: leak the page, and print error
drivers/virt/coco/tdx-guest/tdx-guest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-guest/tdx-guest.c
index 1253bf7..3a6e76c8 100644
--- a/drivers/virt/coco/tdx-guest/tdx-guest.c
+++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
@@ -125,7 +125,7 @@ static void *alloc_quote_buf(void)
return NULL;
if (set_memory_decrypted((unsigned long)addr, count)) {
- free_pages_exact(addr, len);
+ pr_err("Failed to set Quote buffer decrypted, leak the buffer\n");
return NULL;
}
--
2.9.4
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH][v2] virt: tdx-guest: Don't free decrypted memory
2024-06-14 5:14 [PATCH][v2] virt: tdx-guest: Don't free decrypted memory Li RongQing
@ 2024-06-14 16:13 ` Edgecombe, Rick P
2024-06-17 10:03 ` kirill.shutemov
0 siblings, 1 reply; 3+ messages in thread
From: Edgecombe, Rick P @ 2024-06-14 16:13 UTC (permalink / raw)
To: kirill.shutemov@linux.intel.com, linux-coco@lists.linux.dev,
lirongqing@baidu.com, linux-kernel@vger.kernel.org,
dave.hansen@linux.intel.com, x86@kernel.org
On Fri, 2024-06-14 at 13:14 +0800, Li RongQing wrote:
> In CoCo VMs it is possible for the untrusted host to cause
> set_memory_decrypted() to fail such that an error is returned
> and the resulting memory is shared. Callers need to take care
> to handle these errors to avoid returning decrypted (shared)
> memory to the page allocator, which could lead to functional
> or security issues.
>
> So when set_memory_decrypted fails, leak decrypted memory, and
> print an error message
>
> Signed-off-by: Li RongQing <lirongqing@baidu.com>
> ---
> diff with v1: leak the page, and print error
>
> drivers/virt/coco/tdx-guest/tdx-guest.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-
> guest/tdx-guest.c
> index 1253bf7..3a6e76c8 100644
> --- a/drivers/virt/coco/tdx-guest/tdx-guest.c
> +++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
> @@ -125,7 +125,7 @@ static void *alloc_quote_buf(void)
> return NULL;
>
> if (set_memory_decrypted((unsigned long)addr, count)) {
> - free_pages_exact(addr, len);
> + pr_err("Failed to set Quote buffer decrypted, leak the
> buffer\n");
> return NULL;
> }
I'm not sure we need the error message, because the set_memory() failure we are
most worried about already has a WARN. But, I could be convinced either way. It
seems to fit with the other code in the file.
Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH][v2] virt: tdx-guest: Don't free decrypted memory
2024-06-14 16:13 ` Edgecombe, Rick P
@ 2024-06-17 10:03 ` kirill.shutemov
0 siblings, 0 replies; 3+ messages in thread
From: kirill.shutemov @ 2024-06-17 10:03 UTC (permalink / raw)
To: Edgecombe, Rick P
Cc: linux-coco@lists.linux.dev, lirongqing@baidu.com,
linux-kernel@vger.kernel.org, dave.hansen@linux.intel.com,
x86@kernel.org
On Fri, Jun 14, 2024 at 04:13:46PM +0000, Edgecombe, Rick P wrote:
> On Fri, 2024-06-14 at 13:14 +0800, Li RongQing wrote:
> > In CoCo VMs it is possible for the untrusted host to cause
> > set_memory_decrypted() to fail such that an error is returned
> > and the resulting memory is shared. Callers need to take care
> > to handle these errors to avoid returning decrypted (shared)
> > memory to the page allocator, which could lead to functional
> > or security issues.
> >
> > So when set_memory_decrypted fails, leak decrypted memory, and
> > print an error message
> >
> > Signed-off-by: Li RongQing <lirongqing@baidu.com>
> > ---
> > diff with v1: leak the page, and print error
> >
> > drivers/virt/coco/tdx-guest/tdx-guest.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/virt/coco/tdx-guest/tdx-guest.c b/drivers/virt/coco/tdx-
> > guest/tdx-guest.c
> > index 1253bf7..3a6e76c8 100644
> > --- a/drivers/virt/coco/tdx-guest/tdx-guest.c
> > +++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
> > @@ -125,7 +125,7 @@ static void *alloc_quote_buf(void)
> > return NULL;
> >
> > if (set_memory_decrypted((unsigned long)addr, count)) {
> > - free_pages_exact(addr, len);
> > + pr_err("Failed to set Quote buffer decrypted, leak the
> > buffer\n");
> > return NULL;
> > }
>
> I'm not sure we need the error message, because the set_memory() failure we are
> most worried about already has a WARN.
Yeah, I think we should just remove the pr_err(). It will be shadowed by
the stack trace and WARN() anyway.
--
Kiryl Shutsemau / Kirill A. Shutemov
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-06-17 10:03 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-06-14 5:14 [PATCH][v2] virt: tdx-guest: Don't free decrypted memory Li RongQing
2024-06-14 16:13 ` Edgecombe, Rick P
2024-06-17 10:03 ` kirill.shutemov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox