From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Borislav Petkov <bp@alien8.de>
Cc: x86@kernel.org, linux-sgx@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
Jethro Beekman <jethro@fortanix.com>,
Haitao Huang <haitao.huang@linux.intel.com>,
Chunyang Hui <sanqian.hcy@antfin.com>,
Jordan Hand <jorhand@linux.microsoft.com>,
Nathaniel McCallum <npmccallum@redhat.com>,
Seth Moore <sethmo@google.com>,
Sean Christopherson <sean.j.christopherson@intel.com>,
Suresh Siddha <suresh.b.siddha@intel.com>,
akpm@linux-foundation.org, andriy.shevchenko@linux.intel.com,
asapek@google.com, cedric.xing@intel.com,
chenalexchen@google.com, conradparker@google.com,
cyhanish@google.com, dave.hansen@intel.com,
haitao.huang@intel.com, josh@joshtriplett.org,
kai.huang@intel.com, kai.svahn@intel.com, kmoy@google.com,
ludloff@google.com, luto@kernel.org, nhorman@redhat.com,
puiterwijk@redhat.com, rientjes@google.com, tglx@linutronix.de,
yaozhangx@google.com
Subject: Re: [PATCH v33 11/21] x86/sgx: Linux Enclave Driver
Date: Fri, 3 Jul 2020 06:09:28 +0300 [thread overview]
Message-ID: <20200703030928.GE306897@linux.intel.com> (raw)
In-Reply-To: <20200626091419.GB27151@zn.tnic>
On Fri, Jun 26, 2020 at 11:14:19AM +0200, Borislav Petkov wrote:
> On Thu, Jun 18, 2020 at 01:08:33AM +0300, Jarkko Sakkinen wrote:
> > diff --git a/Documentation/userspace-api/ioctl/ioctl-number.rst b/Documentation/userspace-api/ioctl/ioctl-number.rst
> > index 59472cd6a11d..35f713e3a267 100644
> > --- a/Documentation/userspace-api/ioctl/ioctl-number.rst
> > +++ b/Documentation/userspace-api/ioctl/ioctl-number.rst
> > @@ -323,6 +323,7 @@ Code Seq# Include File Comments
> > <mailto:tlewis@mindspring.com>
> > 0xA3 90-9F linux/dtlk.h
> > 0xA4 00-1F uapi/linux/tee.h Generic TEE subsystem
> > +0xA4 00-1F uapi/asm/sgx.h Intel SGX subsystem (a legit conflict as TEE and SGX do not co-exist)
>
> Maybe add <mailto:linux-sgx@vger.kernel.org> ?
>
> > 0xAA 00-3F linux/uapi/linux/userfaultfd.h
> > 0xAB 00-1F linux/nbd.h
> > 0xAC 00-1F linux/raw.h
>
> ...
>
> > +static int sgx_encl_create(struct sgx_encl *encl, struct sgx_secs *secs)
> > +{
> > + unsigned long encl_size = secs->size + PAGE_SIZE;
>
> Wait, you just copied @secs from user memory in sgx_ioc_enclave_create()
> and now use ->size unverified? You're kidding, right?
The validation is done in sgx_validate_secs().
>
> > + struct sgx_epc_page *secs_epc;
> > + unsigned long ssaframesize;
> > + struct sgx_pageinfo pginfo;
> > + struct sgx_secinfo secinfo;
> > + struct file *backing;
> > + long ret;
> > +
> > + if (atomic_read(&encl->flags) & SGX_ENCL_CREATED)
> > + return -EINVAL;
> > +
> > + ssaframesize = sgx_calc_ssaframesize(secs->miscselect, secs->xfrm);
>
> So this is using more un-validated user input to do further calculations.
> What can possibly go wrong?
>
> I sure hope *I* am wrong and am missing something here.
>
> If not, please, for the next version, audit all your user input and
> validate it before using it. Srsly.
It works but is unclean. I'd guess reason for this is just that code has
evolved into this state over time.
I'd just move the call to sgx_calc_ssaframesize() inside
sgx_validate_secs().
/Jarkko
next prev parent reply other threads:[~2020-07-03 3:09 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200617220844.57423-1-jarkko.sakkinen@linux.intel.com>
2020-06-17 22:08 ` [PATCH v33 11/21] x86/sgx: Linux Enclave Driver Jarkko Sakkinen
2020-06-25 17:23 ` Borislav Petkov
2020-06-25 18:34 ` Sean Christopherson
2020-06-25 18:45 ` Borislav Petkov
2020-06-26 14:19 ` Jarkko Sakkinen
2020-06-25 20:21 ` Jarkko Sakkinen
2020-06-25 20:25 ` Borislav Petkov
2020-06-26 13:40 ` Jarkko Sakkinen
2020-06-25 18:53 ` Borislav Petkov
2020-06-26 14:17 ` Jarkko Sakkinen
2020-06-26 9:14 ` Borislav Petkov
2020-06-26 14:16 ` Sean Christopherson
2020-06-26 14:20 ` Borislav Petkov
2020-07-03 23:04 ` Jarkko Sakkinen
2020-07-03 3:09 ` Jarkko Sakkinen [this message]
2020-06-26 15:34 ` Borislav Petkov
2020-07-04 0:13 ` Jarkko Sakkinen
2020-10-26 21:26 ` Dave Hansen
2020-10-27 1:52 ` Jarkko Sakkinen
2020-10-27 10:05 ` Borislav Petkov
2020-10-27 15:20 ` Dave Hansen
2020-10-27 15:37 ` Borislav Petkov
2020-06-27 17:43 ` Borislav Petkov
2020-06-29 15:27 ` Sean Christopherson
2020-06-29 15:37 ` Borislav Petkov
2020-07-04 1:43 ` Jarkko Sakkinen
2020-07-07 1:38 ` Sean Christopherson
2020-07-07 3:29 ` Jarkko Sakkinen
2020-07-04 1:42 ` Jarkko Sakkinen
2020-07-02 3:59 ` Sean Christopherson
2020-07-04 3:31 ` Jarkko Sakkinen
2020-09-02 3:06 ` Haitao Huang
2020-09-02 16:10 ` Sean Christopherson
2020-09-02 18:40 ` Haitao Huang
2020-09-04 12:01 ` Jarkko Sakkinen
2020-06-17 22:08 ` [PATCH v33 12/21] x86/sgx: Allow a limited use of ATTRIBUTE.PROVISIONKEY for attestation Jarkko Sakkinen
2020-06-29 16:02 ` Borislav Petkov
2020-06-29 22:04 ` Sean Christopherson
2020-06-30 8:49 ` Borislav Petkov
2020-06-30 14:20 ` Sean Christopherson
2020-06-30 17:13 ` Andy Lutomirski
2020-07-02 20:47 ` Dr. Greg
2020-07-03 2:43 ` Jarkko Sakkinen
2020-07-03 2:38 ` Jarkko Sakkinen
2020-07-03 2:32 ` Jarkko Sakkinen
2020-07-03 2:55 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200703030928.GE306897@linux.intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=asapek@google.com \
--cc=bp@alien8.de \
--cc=cedric.xing@intel.com \
--cc=chenalexchen@google.com \
--cc=conradparker@google.com \
--cc=cyhanish@google.com \
--cc=dave.hansen@intel.com \
--cc=haitao.huang@intel.com \
--cc=haitao.huang@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=jorhand@linux.microsoft.com \
--cc=josh@joshtriplett.org \
--cc=kai.huang@intel.com \
--cc=kai.svahn@intel.com \
--cc=kmoy@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=ludloff@google.com \
--cc=luto@kernel.org \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=puiterwijk@redhat.com \
--cc=rientjes@google.com \
--cc=sanqian.hcy@antfin.com \
--cc=sean.j.christopherson@intel.com \
--cc=sethmo@google.com \
--cc=suresh.b.siddha@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yaozhangx@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).