From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Alexander Potapenko <glider@google.com>,
Sebastian Alba Vives <sebasjosue84@gmail.com>,
Sean Christopherson <seanjc@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 6.18 52/55] crypto: ccp: Dont attempt to copy CSR to userspace if PSP command failed
Date: Fri, 24 Apr 2026 15:31:31 +0200 [thread overview]
Message-ID: <20260424132440.924147855@linuxfoundation.org> (raw)
In-Reply-To: <20260424132430.006424517@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit abe4a6d6f606113251868c2c4a06ba904bb41eed upstream.
When retrieving the PEK CSR, don't attempt to copy the blob to userspace
if the firmware command failed. If the failure was due to an invalid
length, i.e. the userspace buffer+length was too small, copying the number
of bytes _firmware_ requires will overflow the kernel-allocated buffer and
leak data to userspace.
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405
CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
Call Trace:
<TASK>
dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
print_address_description ../mm/kasan/report.c:378 [inline]
print_report+0xbc/0x260 ../mm/kasan/report.c:482
kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
check_region_inline ../mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
_inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
_copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
copy_to_user ../include/linux/uaccess.h:236 [inline]
sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872
sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562
vfs_ioctl ../fs/ioctl.c:51 [inline]
__do_sys_ioctl ../fs/ioctl.c:597 [inline]
__se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firwmware error.
Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
Fixes: e799035609e1 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/ccp/sev-dev.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -1833,7 +1833,10 @@ cmd:
ret = __sev_do_cmd_locked(SEV_CMD_PEK_CSR, &data, &argp->error);
- /* If we query the CSR length, FW responded with expected data. */
+ /*
+ * Firmware will returns the length of the CSR blob (either the minimum
+ * required length or the actual length written), return it to the user.
+ */
input.length = data.len;
if (copy_to_user((void __user *)argp->data, &input, sizeof(input))) {
@@ -1841,6 +1844,9 @@ cmd:
goto e_free_blob;
}
+ if (ret || WARN_ON_ONCE(argp->error))
+ goto e_free_blob;
+
if (blob) {
if (copy_to_user(input_address, blob, input.length))
ret = -EFAULT;
next prev parent reply other threads:[~2026-04-24 13:42 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 13:30 [PATCH 6.18 00/55] 6.18.25-rc1 review Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 01/55] crypto: authencesn - Fix src offset when decrypting in-place Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 02/55] ipv6: add NULL checks for idev in SRv6 paths Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 03/55] net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 04/55] drm/amdgpu: replace PASID IDR with XArray Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 05/55] crypto: krb5enc - fix sleepable flag handling in encrypt dispatch Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 06/55] crypto: krb5enc - fix async decrypt skipping hash verification Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 07/55] scripts: generate_rust_analyzer.py: define scripts Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 08/55] ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 09/55] ksmbd: validate owner of durable handle on reconnect Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 10/55] arm64: tlb: Allow XZR argument to TLBI ops Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 11/55] arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 12/55] arm64: tlb: Introduce __tlbi_sync_s1ish_{kernel,batch}() for TLB maintenance Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 13/55] arm64: tlb: Pass the corresponding mm to __tlbi_sync_s1ish() Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 14/55] arm64: cputype: Add C1-Pro definitions Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 15/55] arm64: errata: Work around early CME DVMSync acknowledgement Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 16/55] sched/debug: Fix avg_vruntime() usage Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 17/55] lib/crc: tests: Make crc_kunit test only the enabled CRC variants Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 18/55] lib/crc: tests: Add CRC_ENABLE_ALL_FOR_KUNIT Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 19/55] lib/crc: tests: Add a .kunitconfig file Greg Kroah-Hartman
2026-04-24 13:30 ` [PATCH 6.18 20/55] kunit: configs: Enable all CRC tests in all_tests.config Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 21/55] lib/crypto: tests: Add a .kunitconfig file Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 22/55] lib/crypto: tests: Introduce CRYPTO_LIB_ENABLE_ALL_FOR_KUNIT Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 23/55] kunit: configs: Enable all crypto library tests in all_tests.config Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 24/55] lib/crypto: tests: Drop the default to CRYPTO_SELFTESTS Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 25/55] scripts/dtc: Remove unused dts_version in dtc-lexer.l Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 26/55] fs/ntfs3: validate rec->used in journal-replay file record check Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 27/55] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 28/55] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 29/55] f2fs: fix to avoid memory leak in f2fs_rename() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 30/55] f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 31/55] fuse: reject oversized dirents in page cache Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 32/55] fuse: abort on fatal signal during sync init Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 33/55] fuse: Check for large folio with SPLICE_F_MOVE Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 34/55] fuse: quiet down complaints in fuse_conn_limit_write Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 35/55] fuse: fuse_dev_ioctl_clone() should wait for device file to be initialized Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 36/55] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 37/55] smb: server: fix active_num_conn leak on transport allocation failure Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 38/55] smb: server: fix max_connections off-by-one in tcp accept path Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 39/55] smb: client: require a full NFS mode SID before reading mode bits Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 40/55] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 41/55] ksmbd: validate response sizes in ipc_validate_msg() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 42/55] ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 43/55] ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 44/55] ksmbd: use check_add_overflow() to prevent u16 DACL size overflow Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 45/55] ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 46/55] writeback: Fix use after free in inode_switch_wbs_work_fn() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 47/55] f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 48/55] ALSA: usb-audio: apply quirk for MOONDROP JU Jiu Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 49/55] ALSA: hda/realtek: Add quirk for Legion S7 15IMH Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 50/55] ALSA: caiaq: take a reference on the USB device in create_card() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 51/55] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
2026-04-24 13:31 ` Greg Kroah-Hartman [this message]
2026-04-24 13:31 ` [PATCH 6.18 53/55] crypto: ccp: Dont attempt to copy PDH cert to userspace if PSP command failed Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 54/55] crypto: ccp: Dont attempt to copy ID " Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.18 55/55] rxrpc: Fix missing validation of ticket length in non-XDR key preparsing Greg Kroah-Hartman
2026-04-24 19:35 ` [PATCH 6.18 00/55] 6.18.25-rc1 review Pavel Machek
2026-04-24 20:27 ` Florian Fainelli
2026-04-24 21:45 ` Peter Schneider
2026-04-24 21:51 ` Mark Brown
2026-04-24 22:24 ` Shuah Khan
2026-04-25 7:33 ` Brett A C Sheffield
2026-04-25 12:01 ` Miguel Ojeda
2026-04-25 17:49 ` Wentao Guan
2026-04-25 21:37 ` Dileep malepu
2026-04-26 7:00 ` Barry K. Nathan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260424132440.924147855@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=glider@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=patches@lists.linux.dev \
--cc=seanjc@google.com \
--cc=sebasjosue84@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox