[PATCH] hw/virtio/virtio-nsm: Respond with correct length

Alexander Graf posted 1 patch 1 month, 3 weeks ago
hw/virtio/virtio-nsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] hw/virtio/virtio-nsm: Respond with correct length
Posted by Alexander Graf 1 month, 3 weeks ago
When we return a response packet from NSM, we need to indicate its
length according to the content of the response. Prior to this patch, we
returned the length of the source buffer, which may confuse guest code
that relies on the response size.

Fix it by returning the response payload size instead.

Fixes: bb154e3e0cc715 ("device/virtio-nsm: Support for Nitro Secure Module device")
Reported-by: Vikrant Garg <vikrant1garg@gmail.com>
Signed-off-by: Alexander Graf <graf@amazon.com>
---
 hw/virtio/virtio-nsm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/virtio-nsm.c b/hw/virtio/virtio-nsm.c
index 098e1aeac6..b22aa74e34 100644
--- a/hw/virtio/virtio-nsm.c
+++ b/hw/virtio/virtio-nsm.c
@@ -1596,7 +1596,7 @@ static void handle_input(VirtIODevice *vdev, VirtQueue *vq)
     g_free(req.iov_base);
     g_free(res.iov_base);
     virtqueue_push(vq, out_elem, 0);
-    virtqueue_push(vq, in_elem, in_elem->in_sg->iov_len);
+    virtqueue_push(vq, in_elem, sz);
     virtio_notify(vdev, vq);
     return;
 
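Review bot: sz is neither declared nor bounded in the visible lines, so on the changed virtqueue_push(vq, in_elem, sz) line a reader cannot tell that it equals the number of bytes actually copied into the guest's in buffer, or that it can never exceed the in_elem->in_sg->iov_len capacity the removed line reported. Please say in the commit message where sz is set, and consider a check before the push (for example, failing the request when sz > in_elem->in_sg->iov_len) so the used length reported to the guest never covers bytes the device did not write.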
-- 
2.47.1
Re: [PATCH] hw/virtio/virtio-nsm: Respond with correct length
Posted by Michael Tokarev 1 month, 1 week ago
13.02.2025 14:45, Alexander Graf wrote:
> When we return a response packet from NSM, we need to indicate its
> length according to the content of the response. Prior to this patch, we
> returned the length of the source buffer, which may confuse guest code
> that relies on the response size.
> 
> Fix it by returning the response payload size instead.
> 
> Fixes: bb154e3e0cc715 ("device/virtio-nsm: Support for Nitro Secure Module device")
> Reported-by: Vikrant Garg <vikrant1garg@gmail.com>
> Signed-off-by: Alexander Graf <graf@amazon.com>

This looks like qemu-stable material (9.2.x).
Please let me know if it is not.

Thanks,

/mjt
Re: [PATCH] hw/virtio/virtio-nsm: Respond with correct length
Posted by Michael Tokarev 1 month, 1 week ago
25.02.2025 12:32, Michael Tokarev wrote:

> This looks like qemu-stable material (9.2.x).

Ah, it is already Cc'd to qemu-stable@, -- n/m.
Re: [PATCH] hw/virtio/virtio-nsm: Respond with correct length
Posted by Philippe Mathieu-Daudé 1 month, 3 weeks ago
On 13/2/25 12:45, Alexander Graf wrote:
> When we return a response packet from NSM, we need to indicate its
> length according to the content of the response. Prior to this patch, we
> returned the length of the source buffer, which may confuse guest code
> that relies on the response size.
> 
> Fix it by returning the response payload size instead.
> 
> Fixes: bb154e3e0cc715 ("device/virtio-nsm: Support for Nitro Secure Module device")
> Reported-by: Vikrant Garg <vikrant1garg@gmail.com>
> Signed-off-by: Alexander Graf <graf@amazon.com>
> ---
>   hw/virtio/virtio-nsm.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/virtio/virtio-nsm.c b/hw/virtio/virtio-nsm.c
> index 098e1aeac6..b22aa74e34 100644
> --- a/hw/virtio/virtio-nsm.c
> +++ b/hw/virtio/virtio-nsm.c
> @@ -1596,7 +1596,7 @@ static void handle_input(VirtIODevice *vdev, VirtQueue *vq)
>       g_free(req.iov_base);
>       g_free(res.iov_base);
>       virtqueue_push(vq, out_elem, 0);
> -    virtqueue_push(vq, in_elem, in_elem->in_sg->iov_len);
> +    virtqueue_push(vq, in_elem, sz);
>       virtio_notify(vdev, vq);
>       return;
>   
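Review bot: The two pushes in this hunk now pass different lengths (0 for out_elem, sz for in_elem) with no comment saying why. A one-line comment above them stating that the length argument is the number of bytes the device wrote into the element would document the rule that the removed in_elem->in_sg->iov_len line violated, and would make it easier to keep any other path in handle_input() that pushes in_elem consistent with it.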

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

and per 
https://lore.kernel.org/qemu-devel/CAKXOwk2Eba8qnqKQqCN+=2+N=WRPzAwx3LkoccEwR-3xgt32uw@mail.gmail.com/:
Tested-by: Vikrant Garg <vikrant1garg@gmail.com>

Re: [PATCH] hw/virtio/virtio-nsm: Respond with correct length
Posted by Dorjoy Chowdhury 1 month, 3 weeks ago
On Thu, Feb 13, 2025, 5:45 PM Alexander Graf <graf@amazon.com> wrote:

> When we return a response packet from NSM, we need to indicate its
> length according to the content of the response. Prior to this patch, we
> returned the length of the source buffer, which may confuse guest code
> that relies on the response size.
>
> Fix it by returning the response payload size instead.
>
> Fixes: bb154e3e0cc715 ("device/virtio-nsm: Support for Nitro Secure Module
> device")
> Reported-by: Vikrant Garg <vikrant1garg@gmail.com>
> Signed-off-by: Alexander Graf <graf@amazon.com>
> ---
>  hw/virtio/virtio-nsm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>


Reviewed-by: Dorjoy Chowdhury <dorjoychy111@gmail.com>

Thanks for fixing!

Regards,
dorjoy