From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Tyler Fanelli <tfanelli@redhat.com>
Cc: pbonzini@redhat.com, mtosatti@redhat.com, qemu-devel@nongnu.org,
kvm@vger.kernel.org
Subject: Re: [PATCH] i386/sev: Ensure attestation report length is valid before retrieving
Date: Fri, 4 Mar 2022 19:05:24 +0000 [thread overview]
Message-ID: <YiJi9IYqtZvNQIRc@redhat.com> (raw)
In-Reply-To: <20220304183930.502777-1-tfanelli@redhat.com>
On Fri, Mar 04, 2022 at 01:39:32PM -0500, Tyler Fanelli wrote:
> The length of the attestation report buffer is never checked to be
> valid before allocation is made. If the length of the report is returned
> to be 0, the buffer to retrieve the attestation report is allocated with
> length 0 and passed to the kernel to fill with contents of the attestation
> report. Leaving this unchecked is dangerous and could lead to undefined
> behavior.
I don't see the undefined behaviour risk here.
The KVM_SEV_ATTESTATION_REPORT semantics indicate that the kernel
will fill in a valid length if the buffer we provide is too small
and we can re-call with that buffer.
If the kernel tells us the buffer is 0 bytes, then it should be
fine having a second call with length 0. If not, then the kernel
is broken and we're doomed.
The QEMU code looks like it would cope with a zero length, unless
I'm mistaken, it'll just return a zero length attestation report.
> Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
> ---
> target/i386/sev.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index 025ff7a6f8..215acd7c6b 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -616,6 +616,8 @@ static SevAttestationReport *sev_get_attestation_report(const char *mnonce,
> return NULL;
> }
>
> + input.len = 0;
The declaration of 'input' already zero initializes.
> /* Query the report length */
> ret = sev_ioctl(sev->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT,
> &input, &err);
> @@ -626,6 +628,11 @@ static SevAttestationReport *sev_get_attestation_report(const char *mnonce,
> ret, err, fw_error_to_str(err));
> return NULL;
> }
> + } else if (input.len <= 0) {
It can't be less than 0 because 'len' is an unsigned integer.
> + error_setg(errp, "SEV: Failed to query attestation report:"
> + " length returned=%d",
> + input.len);
> + return NULL;
> }
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
prev parent reply other threads:[~2022-03-04 19:10 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-04 18:39 [PATCH] i386/sev: Ensure attestation report length is valid before retrieving Tyler Fanelli
2022-03-04 19:05 ` Daniel P. Berrangé [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YiJi9IYqtZvNQIRc@redhat.com \
--to=berrange@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=mtosatti@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=tfanelli@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).