From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Alexander Potapenko <glider@google.com>,
Sebastian Alba Vives <sebasjosue84@gmail.com>,
Sean Christopherson <seanjc@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 6.12 32/35] crypto: ccp: Dont attempt to copy CSR to userspace if PSP command failed
Date: Fri, 24 Apr 2026 15:31:39 +0200 [thread overview]
Message-ID: <20260424132418.538758211@linuxfoundation.org> (raw)
In-Reply-To: <20260424132411.427029259@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit abe4a6d6f606113251868c2c4a06ba904bb41eed upstream.
When retrieving the PEK CSR, don't attempt to copy the blob to userspace
if the firmware command failed. If the failure was due to an invalid
length, i.e. the userspace buffer+length was too small, copying the number
of bytes _firmware_ requires will overflow the kernel-allocated buffer and
leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405
CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872
sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firwmware error.
Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
Fixes: e799035609e1 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -1541,7 +1541,10 @@ cmd:
ret = __sev_do_cmd_locked(SEV_CMD_PEK_CSR, &data, &argp->error);
- /* If we query the CSR length, FW responded with expected data. */
+ /*
+ * Firmware will returns the length of the CSR blob (either the minimum
+ * required length or the actual length written), return it to the user.
+ */
input.length = data.len;
if (copy_to_user((void __user *)argp->data, &input, sizeof(input))) {
@@ -1549,6 +1552,9 @@ cmd:
goto e_free_blob;
}
+ if (ret || WARN_ON_ONCE(argp->error))
+ goto e_free_blob;
+
if (blob) {
if (copy_to_user(input_address, blob, input.length))
ret = -EFAULT;
next prev parent reply other threads:[~2026-04-24 13:44 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 13:31 [PATCH 6.12 00/35] 6.12.84-rc1 review Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 01/35] mm/userfaultfd: fix hugetlb fault mutex hash calculation Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 02/35] PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 03/35] ima: verify if the segment size has changed Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 04/35] ima: do not copy measurement list to kdump kernel Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 05/35] wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 06/35] rust: warn on bindgen < 0.69.5 and libclang >= 19.1 Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 07/35] net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 08/35] drm/amdgpu: replace PASID IDR with XArray Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 09/35] scripts: generate_rust_analyzer.py: define scripts Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 10/35] mm/pagewalk: fix race between concurrent split and refault Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 11/35] ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 12/35] scripts/dtc: Remove unused dts_version in dtc-lexer.l Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 13/35] rxrpc: only handle RESPONSE during service challenge Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 14/35] fs/ntfs3: validate rec->used in journal-replay file record check Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 15/35] f2fs: fix to avoid memory leak in f2fs_rename() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 16/35] fuse: reject oversized dirents in page cache Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 17/35] fuse: Check for large folio with SPLICE_F_MOVE Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 18/35] fuse: quiet down complaints in fuse_conn_limit_write Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 19/35] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 20/35] smb: server: fix active_num_conn leak on transport allocation failure Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 21/35] smb: server: fix max_connections off-by-one in tcp accept path Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 22/35] smb: client: require a full NFS mode SID before reading mode bits Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 23/35] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 24/35] ksmbd: validate response sizes in ipc_validate_msg() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 25/35] ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 26/35] ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 27/35] ksmbd: use check_add_overflow() to prevent u16 DACL size overflow Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 28/35] f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 29/35] ALSA: usb-audio: apply quirk for MOONDROP JU Jiu Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 30/35] ALSA: caiaq: take a reference on the USB device in create_card() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 31/35] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
2026-04-24 13:31 ` Greg Kroah-Hartman [this message]
2026-04-24 13:31 ` [PATCH 6.12 33/35] crypto: ccp: Dont attempt to copy PDH cert to userspace if PSP command failed Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 34/35] crypto: ccp: Dont attempt to copy ID " Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 35/35] rxrpc: Fix missing validation of ticket length in non-XDR key preparsing Greg Kroah-Hartman
2026-04-24 16:29 ` [PATCH 6.12 00/35] 6.12.84-rc1 review Peter Schneider
2026-04-24 19:36 ` Pavel Machek
2026-04-24 20:17 ` Florian Fainelli
2026-04-24 21:52 ` Mark Brown
2026-04-24 22:27 ` Shuah Khan
2026-04-25 3:27 ` Barry K. Nathan
2026-04-25 5:14 ` Christian Van
2026-04-25 7:33 ` Brett A C Sheffield
2026-04-25 12:24 ` Miguel Ojeda
2026-04-25 20:06 ` Ron Economos
2026-04-25 21:32 ` Francesco Dolcini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260424132418.538758211@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=glider@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=patches@lists.linux.dev \
--cc=seanjc@google.com \
--cc=sebasjosue84@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox