* [PATCH] crypto: ccp: Treat zero-length cert chain as query for blob lengths
From: Sean Christopherson @ 2026-05-04 22:28 UTC
To: Ashish Kalra, Tom Lendacky, John Allen, Herbert Xu,
David S. Miller
Cc: linux-crypto, linux-kernel, Sean Christopherson
When handling a PDH export, treat a zero-length userspace cert chain buffer
as a request to query the length of the relevant blobs. Failure to account
for the zero-length buffer trips a BUG_ON() when running with
CONFIG_DEBUG_VIRTUAL=y due to trying to get the physical address of the
ZERO_SIZE_PTR (returned by kzalloc() on the bogus allocation).
kernel BUG at arch/x86/mm/physaddr.c:28 !
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 30 UID: 0 PID: 28580 Comm: syz.2.18 Kdump: loaded
Tainted: G W 6.18.16-smp-DEV #1 NONE
Tainted: [W]=WARN
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
RIP: 0010:__phys_addr+0x16a/0x180 arch/x86/mm/physaddr.c:28
RSP: 0018:ffffc9008329fc80 EFLAGS: 00010293
RAX: ffffffff8179110a RBX: 0000778000000010 RCX: ffff8884e6992600
RDX: 0000000000000000 RSI: 0000000080000010 RDI: 0000778000000010
RBP: ffffc9008329fdf0 R08: 0000000000000dc0 R09: 00000000ffffffff
R10: dffffc0000000000 R11: fffffbfff126d297 R12: dffffc0000000000
R13: 1ffff92010653fc8 R14: 0000000080000010 R15: dffffc0000000000
FS: 0000555556bec9c0(0000) GS:ffff88aa4ce1c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd3159e7000 CR3: 00000004fbc44000 CR4: 0000000000350ef0
Call Trace:
<TASK>
[<ffffffff853d3869>] sev_ioctl_do_pdh_export+0x559/0x7a0 drivers/crypto/ccp/sev-dev.c:2308
[<ffffffff853d1fdd>] sev_ioctl+0x2cd/0x480 drivers/crypto/ccp/sev-dev.c:2556
[<ffffffff82549ebc>] vfs_ioctl fs/ioctl.c:52 [inline]
[<ffffffff82549ebc>] __do_sys_ioctl fs/ioctl.c:598 [inline]
[<ffffffff82549ebc>] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584
[<ffffffff8630115f>] do_syscall_x64 arch/x86/entry/syscall_64.c:64 [inline]
[<ffffffff8630115f>] do_syscall_64+0x9f/0xf40 arch/x86/entry/syscall_64.c:98
[<ffffffff81000136>] entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fd3158eac39
</TASK>
Thankfully, the bug is benign outside of CONFIG_DEBUG_VIRTUAL=y as getting
the physical address is just arithmetic, and the PSP errors out before
trying to write to the garbage address (which it must, otherwise querying
the blob lengths would clobber memory at pfn=0).
Fixes: 76a2b524a4b1 ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command")
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
drivers/crypto/ccp/sev-dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index d1e9e0ac63b6..ed3b8065f59b 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -2301,7 +2301,8 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable)
/* Userspace wants to query the certificate length. */
if (!input.pdh_cert_address ||
!input.pdh_cert_len ||
- !input.cert_chain_address)
+ !input.cert_chain_address ||
+ !input.cert_chain_len)
goto cmd;
/* Allocate a physically contiguous buffer to store the PDH blob. */
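Review bot: the added `!input.cert_chain_len` term is the right fix, but nothing at the allocation site below this hunk records why it is needed: kzalloc() with a zero length returns ZERO_SIZE_PTR rather than NULL, so any NULL check after the allocation would not catch it, and only the __pa() on the sentinel trips the BUG_ON() under CONFIG_DEBUG_VIRTUAL=y. A one-line comment beside the condition saying that a zero length for either blob must be diverted to the query path before any buffer is allocated would stop a later refactor from reordering the checks. The comment above the condition, "Userspace wants to query the certificate length.", now covers a zero length of either blob, so "lengths" would read more accurately.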
base-commit: 2d4aef3da2981e326a88f8b07249083150ae3ef3
--
2.54.0.545.g6539524ca2-goog
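The failure the commit message describes, modelled in plain userspace C as an added example (this is not kernel code and not part of the patch). The struct mirrors the field names of the uapi `sev_user_data_pdh_cert_export` (assumed layout); `ZERO_SIZE_PTR`, `mock_kzalloc` and `mock_phys_addr` are stand-ins for the kernel's kzalloc()/__pa() behaviour; `mock_firmware` and its blob sizes are constructed to reproduce the query semantics the driver relies on (a too-small buffer gets the required lengths written back). It shows the syzkaller-shaped input reaching `__pa()` with the sentinel under the pre-patch condition, being diverted to the query path with the post-patch one, and the query-then-export sequence a caller should use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Field names mirror the uapi struct sev_user_data_pdh_cert_export
 * (assumed layout; the real definition is in <linux/psp-sev.h>). */
struct pdh_cert_export {
	uint64_t pdh_cert_address;
	uint32_t pdh_cert_len;
	uint64_t cert_chain_address;
	uint32_t cert_chain_len;
};

/* Stand-in for the kernel's ZERO_SIZE_PTR: kzalloc(0) returns this
 * non-NULL sentinel, so a NULL check after the allocation does not catch it. */
#define ZERO_SIZE_PTR ((void *)16)
#define PDH_BUG (-1)   /* model of the BUG_ON() hit under CONFIG_DEBUG_VIRTUAL=y */

static void *mock_kzalloc(size_t n) { return n ? calloc(1, n) : ZERO_SIZE_PTR; }
static void mock_kfree(void *p) { if (p && p != ZERO_SIZE_PTR) free(p); }

/* Stand-in for __pa(): refuses the sentinel instead of BUG_ON()ing. */
static bool mock_phys_addr(const void *p, uint64_t *pa)
{
	if (p == ZERO_SIZE_PTR)
		return false;
	*pa = (uint64_t)(uintptr_t)p;
	return true;
}

/* Constructed firmware: fixed blob sizes; a too-small buffer gets
 * INVALID_LEN and the required lengths written back (query semantics). */
enum { FW_PDH_LEN = 0x824, FW_CHAIN_LEN = 0x1424 };
enum { FW_SUCCESS = 0, FW_INVALID_LEN = 0x16 };

static int mock_firmware(struct pdh_cert_export *d)
{
	if (d->pdh_cert_len < FW_PDH_LEN || d->cert_chain_len < FW_CHAIN_LEN) {
		d->pdh_cert_len = FW_PDH_LEN;
		d->cert_chain_len = FW_CHAIN_LEN;
		return FW_INVALID_LEN;
	}
	return FW_SUCCESS; /* real firmware would fill the blobs here */
}

/* Kernel-side handler. `fixed` selects the pre- or post-patch query
 * condition. Returns the firmware status, or PDH_BUG if a ZERO_SIZE_PTR
 * reached __pa(). *in carries the lengths the firmware wrote back. */
static int do_pdh_export(struct pdh_cert_export *in, bool fixed)
{
	struct pdh_cert_export data = {0};
	int ret = PDH_BUG;
	bool query = !in->pdh_cert_address || !in->pdh_cert_len ||
		     !in->cert_chain_address || (fixed && !in->cert_chain_len);

	if (query) {
		/* Pure length query: zero addresses and lengths go to firmware. */
		ret = mock_firmware(&data);
	} else {
		/* Export path: bounce buffers sized by the user-supplied lengths. */
		void *pdh = mock_kzalloc(in->pdh_cert_len);
		void *chain = mock_kzalloc(in->cert_chain_len);

		data.pdh_cert_len = in->pdh_cert_len;
		data.cert_chain_len = in->cert_chain_len;
		/* The line the oops points at: __pa() on the bounce buffers. */
		if (mock_phys_addr(pdh, &data.pdh_cert_address) &&
		    mock_phys_addr(chain, &data.cert_chain_address))
			ret = mock_firmware(&data);
		mock_kfree(chain);
		mock_kfree(pdh);
	}
	if (ret != PDH_BUG) {
		in->pdh_cert_len = data.pdh_cert_len;
		in->cert_chain_len = data.cert_chain_len;
	}
	return ret;
}

/* The syzkaller-shaped input: valid addresses, nonzero PDH length,
 * zero chain length. Returns the handler outcome for the given version. */
static int zero_chain_len_request(bool fixed)
{
	struct pdh_cert_export in = { .pdh_cert_address = 0x1000, .pdh_cert_len = 0x1000,
				      .cert_chain_address = 0x2000, .cert_chain_len = 0 };
	return do_pdh_export(&in, fixed);
}

/* How a caller should use the query: issue it with zeroed lengths, size
 * the buffers from what comes back, then export. Returns true when the
 * second call succeeds with the negotiated lengths. */
static bool query_then_export_ok(void)
{
	struct pdh_cert_export in = {0};

	if (do_pdh_export(&in, true) != FW_INVALID_LEN)
		return false;
	/* Addresses stand in for user buffers allocated to the returned sizes. */
	in.pdh_cert_address = 0x1000;
	in.cert_chain_address = 0x2000;
	return do_pdh_export(&in, true) == FW_SUCCESS &&
	       in.pdh_cert_len == FW_PDH_LEN && in.cert_chain_len == FW_CHAIN_LEN;
}
```

The model keeps the real driver's ordering on purpose: the query decision is made on the raw user lengths before anything is allocated, so a zero length never reaches kzalloc() and therefore never reaches __pa(). With `fixed` false, `zero_chain_len_request` returns PDH_BUG; with it true, the same input becomes an ordinary length query and the caller gets the required sizes back.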
* Re: [PATCH] crypto: ccp: Treat zero-length cert chain as query for blob lengths
From: Tom Lendacky @ 2026-05-05 14:32 UTC
To: Sean Christopherson, Ashish Kalra, John Allen, Herbert Xu,
David S. Miller
Cc: linux-crypto, linux-kernel
On 5/4/26 17:28, Sean Christopherson wrote:
> When handling a PDH export, treat a zero-length userspace cert chain buffer
> as a request to query the length of the relevant blobs. Failure to account
> for the zero-length buffer trips a BUG_ON() when running with
> CONFIG_DEBUG_VIRTUAL=y due to trying to get the physical address of the
> ZERO_SIZE_PTR (returned by kzalloc() on the bogus allocation).
>
> [...]
>
> Thankfully, the bug is benign outside of CONFIG_DEBUG_VIRTUAL=y as getting
> the physical address is just arithmetic, and the PSP errors out before
> trying to write to the garbage address (which it must, otherwise querying
> the blob lengths would clobber memory at pfn=0).
>
> Fixes: 76a2b524a4b1 ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command")
> Signed-off-by: Sean Christopherson <seanjc@google.com>
Heh, you beat me to it, I have the same patch ready to send out.
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> drivers/crypto/ccp/sev-dev.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index d1e9e0ac63b6..ed3b8065f59b 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -2301,7 +2301,8 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable)
> /* Userspace wants to query the certificate length. */
> if (!input.pdh_cert_address ||
> !input.pdh_cert_len ||
> - !input.cert_chain_address)
> + !input.cert_chain_address ||
> + !input.cert_chain_len)
> goto cmd;
>
> /* Allocate a physically contiguous buffer to store the PDH blob. */
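Review bot: no Cc: stable tag accompanies the Fixes: line above this hunk, yet the hunk's single added term is the whole fix for a BUG_ON() that the quoted oops shows being reached from an ordinary ioctl (Comm: syz.2.18) on a CONFIG_DEBUG_VIRTUAL=y kernel, which makes it a straightforward backport candidate; consider adding Cc: stable@vger.kernel.org when applying.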
>
> base-commit: 2d4aef3da2981e326a88f8b07249083150ae3ef3