From: Vincent Donnefort <vdonnefort@google.com>
To: Quentin Perret <qperret@google.com>
Cc: maz@kernel.org, oliver.upton@linux.dev, joey.gouly@arm.com,
suzuki.poulose@arm.com, yuzenghui@huawei.com,
catalin.marinas@arm.com, will@kernel.org,
sebastianene@google.com, keirf@google.com,
linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
linux-kernel@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH] KVM: arm64: Validate input range for pKVM mem transitions
Date: Fri, 19 Sep 2025 11:06:14 +0100 [thread overview]
Message-ID: <aM0rFlaVKRkNxQPS@google.com> (raw)
In-Reply-To: <cf3v4dn233bf6y74ythiqulwfnshcdmddsdx3iqcenqjos5cct@zkcw7g5ieei7>
On Fri, Sep 19, 2025 at 09:52:20AM +0000, Quentin Perret wrote:
> On Thursday 18 Sep 2025 at 19:00:49 (+0100), Vincent Donnefort wrote:
> > There's currently no verification for host issued ranges in most of the
> > pKVM memory transitions. The subsequent end boundary might therefore be
> > subject to overflow and could evade the later checks.
> >
> > Close this loophole with an additional range_is_valid() check on a per
> > public function basis.
> >
> > host_unshare_guest transition is already protected via
> > __check_host_shared_guest(), while assert_host_shared_guest() callers
> > are already ignoring host checks.
> >
> > Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
> >
> > diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> > index 8957734d6183..b156fb0bad0f 100644
> > --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> > +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> > @@ -443,6 +443,11 @@ static bool range_is_memory(u64 start, u64 end)
> > return is_in_mem_range(end - 1, &r);
> > }
> >
> > +static bool range_is_valid(u64 start, u64 end)
> > +{
> > + return start < end;
> > +}
> > +
> > static inline int __host_stage2_idmap(u64 start, u64 end,
> > enum kvm_pgtable_prot prot)
> > {
> > @@ -776,6 +781,9 @@ int __pkvm_host_donate_hyp(u64 pfn, u64 nr_pages)
> > void *virt = __hyp_va(phys);
> > int ret;
> >
> > + if (!range_is_valid(phys, phys + size))
> > + return -EINVAL;
> > +
> > host_lock_component();
> > hyp_lock_component();
> >
> > @@ -804,6 +812,9 @@ int __pkvm_hyp_donate_host(u64 pfn, u64 nr_pages)
> > u64 virt = (u64)__hyp_va(phys);
> > int ret;
> >
> > + if (!range_is_valid(phys, phys + size))
> > + return -EINVAL;
> > +
> > host_lock_component();
> > hyp_lock_component();
> >
> > @@ -887,6 +898,9 @@ int __pkvm_host_share_ffa(u64 pfn, u64 nr_pages)
> > u64 size = PAGE_SIZE * nr_pages;
>
> It occurred to me that this can also overflow, so perhaps fold that
> calculation into your helper as well to be on the safe?
I believe this is currently fine everywhere because nr_pages is solely used for
size computation. But happy to use nr_pages as a range_is_valid() argument
(instead of end) to verify size as well. That'll surely be more future-proof.
Let me respin that.
>
> Thanks,
> Quentin
>
> > int ret;
> >
> > + if (!range_is_valid(phys, phys + size))
> > + return -EINVAL;
> > +
> > host_lock_component();
> > ret = __host_check_page_state_range(phys, size, PKVM_PAGE_OWNED);
> > if (!ret)
> > @@ -902,6 +916,9 @@ int __pkvm_host_unshare_ffa(u64 pfn, u64 nr_pages)
> > u64 size = PAGE_SIZE * nr_pages;
> > int ret;
> >
> > + if (!range_is_valid(phys, phys + size))
> > + return -EINVAL;
> > +
> > host_lock_component();
> > ret = __host_check_page_state_range(phys, size, PKVM_PAGE_SHARED_OWNED);
> > if (!ret)
> > @@ -949,6 +966,9 @@ int __pkvm_host_share_guest(u64 pfn, u64 gfn, u64 nr_pages, struct pkvm_hyp_vcpu
> > if (ret)
> > return ret;
> >
> > + if (!range_is_valid(phys, phys + size))
> > + return -EINVAL;
> > +
> > ret = check_range_allowed_memory(phys, phys + size);
> > if (ret)
> > return ret;
> >
> > base-commit: 8b789f2b7602a818e7c7488c74414fae21392b63
> > --
> > 2.51.0.470.ga7dc726c21-goog
> >
prev parent reply other threads:[~2025-09-19 10:06 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-18 18:00 [PATCH] KVM: arm64: Validate input range for pKVM mem transitions Vincent Donnefort
2025-09-18 21:21 ` Oliver Upton
2025-09-19 10:01 ` Vincent Donnefort
2025-09-19 9:52 ` Quentin Perret
2025-09-19 10:06 ` Vincent Donnefort [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aM0rFlaVKRkNxQPS@google.com \
--to=vdonnefort@google.com \
--cc=catalin.marinas@arm.com \
--cc=joey.gouly@arm.com \
--cc=keirf@google.com \
--cc=kernel-team@android.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=oliver.upton@linux.dev \
--cc=qperret@google.com \
--cc=sebastianene@google.com \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox