From nobody Thu Jun 13 08:18:12 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1646420027; cv=none; d=zohomail.com; s=zohoarc; b=bXQ/etnGSKDgGeS8KgCYEa9BqRw2ykskmsxTs0B1rRYsAcCPe6R52/znRh+PxFIq+MyLUA7uIwHkf3B0VJiOW9i1c2K6ULA5RbO8XqnaBGNL45pOQhrHPZsaPNACQMDu4Y6WY8EjlHHe2Y4A0kXIdOlAnRZU8rbQzigIm5nS2+k= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1646420027; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To; bh=EmjO2s/UE4WN1n8czSG/KMxEFj+XCRHlp7UtBZB8uLs=; b=Y5aRS59lUkz4XvbkgW5lHNdQye7D3xdTwTZxtgk/LbFq2ZQNpNtUYrD//MiZ/d9HZcI9IdKGiYVQhKdsMJAZevQQH5jDhH2qHRejda1bL3/Im2AChkp49jIokMH7ZrTEIo7PxbBKQMPWAinOE8HzFzcKfh9U1aw6hhRWtdtYJW4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1646420027214704.9648590209063; Fri, 4 Mar 2022 10:53:47 -0800 (PST) Received: from localhost ([::1]:46370 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nQD3g-0002Mj-Fl for importer@patchew.org; Fri, 04 Mar 2022 13:53:46 -0500 Received: from eggs.gnu.org ([209.51.188.92]:49118) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nQCvf-000496-Jw for qemu-devel@nongnu.org; Fri, 04 Mar 2022 13:45:27 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]:36823) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nQCvc-0000n6-KS for qemu-devel@nongnu.org; Fri, 04 Mar 2022 13:45:26 -0500 Received: from mail-qk1-f197.google.com (mail-qk1-f197.google.com [209.85.222.197]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-377-pyb73bu6MgSl0bFZdZ8kDA-1; Fri, 04 Mar 2022 13:44:15 -0500 Received: by mail-qk1-f197.google.com with SMTP id 7-20020a05620a048700b00648b76040f6so6205061qkr.9 for ; Fri, 04 Mar 2022 10:44:15 -0800 (PST) Received: from fedora.redhat.com (pool-71-175-3-221.phlapa.fios.verizon.net. [71.175.3.221]) by smtp.gmail.com with ESMTPSA id f14-20020a05620a12ee00b00508b2c61482sm2725837qkl.25.2022.03.04.10.44.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Mar 2022 10:44:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1646419523; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=EmjO2s/UE4WN1n8czSG/KMxEFj+XCRHlp7UtBZB8uLs=; b=SfJu7L2i+FuXJoy3GTA0VNlB9XJVghUVIvRfUn8w2/Wt9O2eYsYY2Ax5ad0r7+YA7yzWLv L8wwL1hA5BmsraBwhyeZlDKtemn7yOHED8CexCupIegGAA6VgH+MLG7epSKPlqIG9XZ56x eQAG8PxviqpoXJpcpVgiGfzG7r4Ku/0= X-MC-Unique: pyb73bu6MgSl0bFZdZ8kDA-1 X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=EmjO2s/UE4WN1n8czSG/KMxEFj+XCRHlp7UtBZB8uLs=; b=Vv1U38Chjr/bZIAw2O5i6HxnRvzAgh+DcW7INraXNOegy6jFaXR/C5jG+q8TqmhNaS Ppd//3wkdfqOW+qIm2zvTTZIFBxl0fI5sEYtlXOY8qt9Skunrfev/d9nI8Jmz5bBgqIT km0KqiRCNChUW3xvzfGG/JlbgKXjFqPtI5WqleqVyOojTgJXJrSQ6TLyfoxz2Y5U/z9D Xcv/xdG9E67Or7Ndm9yfw7UjRrSq5K+61+rvnT1xmCvQ//E5n9ljJSjFXk5JaZFWHuf9 eOD/LcWyMx2h8fvARjj9vSQa9Y7/TdS9fzWcGmuffra0Z8sYR8MqcQXy6lcwAS6TFU0/ d06A== X-Gm-Message-State: AOAM5318ZjtfWXmGrC2InjsPs/x+ljfrBCGsa1QrGeGENTW9H3OmNnFn IxO0TV1jMslOyUQ7+y4NVSYXHTIZTcfpt+/5HATg6/836Gr3GDWKUiKxhEz7FnkywRDjqlY2aFE vfbpaN5Rr0cVnVaKdmM923ek8NlgfCmGfRrXJGQ1y+AFr4UnrTfZ5Yyken3zygOBcrW8= X-Received: by 2002:ae9:ed06:0:b0:662:f250:195a with SMTP id c6-20020ae9ed06000000b00662f250195amr3494294qkg.471.1646419454778; Fri, 04 Mar 2022 10:44:14 -0800 (PST) X-Google-Smtp-Source: ABdhPJwlOh0MWWmR63bDrwguqRku4B7//dRqe5Ce4quEFaf6bml5LdfhTnSK3EUd5JVZsWccUdctww== X-Received: by 2002:ae9:ed06:0:b0:662:f250:195a with SMTP id c6-20020ae9ed06000000b00662f250195amr3494278qkg.471.1646419454514; Fri, 04 Mar 2022 10:44:14 -0800 (PST) From: Tyler Fanelli To: qemu-devel@nongnu.org Subject: [PATCH] i386/sev: Ensure attestation report length is valid before retrieving Date: Fri, 4 Mar 2022 13:39:32 -0500 Message-Id: <20220304183930.502777-1-tfanelli@redhat.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=tfanelli@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=tfanelli@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -28 X-Spam_score: -2.9 X-Spam_bar: -- X-Spam_report: (-2.9 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: pbonzini@redhat.com, mtosatti@redhat.com, kvm@vger.kernel.org, Tyler Fanelli Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1646420027974100001 Content-Type: text/plain; charset="utf-8" The length of the attestation report buffer is never checked to be valid before allocation is made. If the length of the report is returned to be 0, the buffer to retrieve the attestation report is allocated with length 0 and passed to the kernel to fill with contents of the attestation report. Leaving this unchecked is dangerous and could lead to undefined behavior. Signed-off-by: Tyler Fanelli --- target/i386/sev.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/target/i386/sev.c b/target/i386/sev.c index 025ff7a6f8..215acd7c6b 100644 --- a/target/i386/sev.c +++ b/target/i386/sev.c @@ -616,6 +616,8 @@ static SevAttestationReport *sev_get_attestation_report= (const char *mnonce, return NULL; } =20 + input.len =3D 0; + /* Query the report length */ ret =3D sev_ioctl(sev->sev_fd, KVM_SEV_GET_ATTESTATION_REPORT, &input, &err); @@ -626,6 +628,11 @@ static SevAttestationReport *sev_get_attestation_repor= t(const char *mnonce, ret, err, fw_error_to_str(err)); return NULL; } + } else if (input.len <=3D 0) { + error_setg(errp, "SEV: Failed to query attestation report:" + " length returned=3D%d", + input.len); + return NULL; } =20 data =3D g_malloc(input.len); --=20 2.31.1