Re: [PATCH] crypto: ccp: Treat zero-length cert chain as query for blob lengths

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Tom Lendacky <thomas.lendacky@amd.com>
To: Sean Christopherson <seanjc@google.com>,
	Ashish Kalra <ashish.kalra@amd.com>,
	John Allen <john.allen@amd.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] crypto: ccp: Treat zero-length cert chain as query for blob lengths
Date: Tue, 5 May 2026 09:32:28 -0500	[thread overview]
Message-ID: <d8eb94fe-c2de-4d4f-939e-d09673890965@amd.com> (raw)
In-Reply-To: <20260504222812.2339526-1-seanjc@google.com>

On 5/4/26 17:28, Sean Christopherson wrote:
> When handling a PDH export, treat a zero-length userspace cert chain buffer
> as a request to query the length of the relevant blobs.  Failure to account
> for the zero-length buffer trips a BUG_ON() when running with
> CONFIG_DEBUG_VIRTUAL=y due to trying to get the physical address of the
> ZERO_SIZE_PTR (returned by kzalloc() on the bogus allocation).
> 
>    kernel BUG at arch/x86/mm/physaddr.c:28 !
>   Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
>   CPU: 30 UID: 0 PID: 28580 Comm: syz.2.18 Kdump: loaded
>   Tainted: G        W           6.18.16-smp-DEV #1 NONE
>   Tainted: [W]=WARN
>   Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
>    RIP: 0010:__phys_addr+0x16a/0x180 arch/x86/mm/physaddr.c:28
>   RSP: 0018:ffffc9008329fc80 EFLAGS: 00010293
>   RAX: ffffffff8179110a RBX: 0000778000000010 RCX: ffff8884e6992600
>   RDX: 0000000000000000 RSI: 0000000080000010 RDI: 0000778000000010
>   RBP: ffffc9008329fdf0 R08: 0000000000000dc0 R09: 00000000ffffffff
>   R10: dffffc0000000000 R11: fffffbfff126d297 R12: dffffc0000000000
>   R13: 1ffff92010653fc8 R14: 0000000080000010 R15: dffffc0000000000
>   FS:  0000555556bec9c0(0000) GS:ffff88aa4ce1c000(0000) knlGS:0000000000000000
>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   CR2: 00007fd3159e7000 CR3: 00000004fbc44000 CR4: 0000000000350ef0
>   Call Trace:
>    <TASK>
>     [<ffffffff853d3869>] sev_ioctl_do_pdh_export+0x559/0x7a0 drivers/crypto/ccp/sev-dev.c:2308
>     [<ffffffff853d1fdd>] sev_ioctl+0x2cd/0x480 drivers/crypto/ccp/sev-dev.c:2556
>     [<ffffffff82549ebc>] vfs_ioctl fs/ioctl.c:52 [inline]
>     [<ffffffff82549ebc>] __do_sys_ioctl fs/ioctl.c:598 [inline]
>     [<ffffffff82549ebc>] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584
>     [<ffffffff8630115f>] do_syscall_x64 arch/x86/entry/syscall_64.c:64 [inline]
>     [<ffffffff8630115f>] do_syscall_64+0x9f/0xf40 arch/x86/entry/syscall_64.c:98
>    [<ffffffff81000136>] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>   RIP: 0033:0x7fd3158eac39
>    </TASK>
> 
> Thankfully, the bug is benign outside of CONFIG_DEBUG_VIRTUAL=y as getting
> the physical address is just arithmetic, and the PSP errors out before
> trying to write to the garbage address (which it must, otherwise querying
> the blob lengths would clobber memory at pfn=0).
> 
> Fixes: 76a2b524a4b1 ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command")
> Signed-off-by: Sean Christopherson <seanjc@google.com>

Heh, you beat me to it, I have the same patch ready to send out.

Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>

> ---
>  drivers/crypto/ccp/sev-dev.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index d1e9e0ac63b6..ed3b8065f59b 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -2301,7 +2301,8 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable)
>  	/* Userspace wants to query the certificate length. */
>  	if (!input.pdh_cert_address ||
>  	    !input.pdh_cert_len ||
> -	    !input.cert_chain_address)
> +	    !input.cert_chain_address ||
> +	    !input.cert_chain_len)
>  		goto cmd;
>  
>  	/* Allocate a physically contiguous buffer to store the PDH blob. */
> 
> base-commit: 2d4aef3da2981e326a88f8b07249083150ae3ef3

     prev parent reply	other threads:[~2026-05-05 14:32 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-04 22:28 [PATCH] crypto: ccp: Treat zero-length cert chain as query for blob lengths Sean Christopherson
2026-05-05 14:32 ` Tom Lendacky [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d8eb94fe-c2de-4d4f-939e-d09673890965@amd.com \
    --to=thomas.lendacky@amd.com \
    --cc=ashish.kalra@amd.com \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=john.allen@amd.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=seanjc@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox