Disclaimer: I could have sworn I sent this last week, but obviously did not,
and I can't remember _why_ I didn't send it.  So don't be too surprised if
there's some glaring flaw or boneheaded mistake.

Ashutosh's fix for a heap OOB/UAF bug in the debug {de,en}crypt code, now
with a selftest to detect the bug (and confirm the fix), and to validate the
functionality.

The rest of the patches completely rewrite the code.  When creating the
selftest, I did the silly thing of testing arbitrary offsets+sizes, and
couldn't trigger the true badness because the test failed long before it got
to the larger sizes.

Specifically (or, at least) the current code fails to handle cases where an
address and the size aren't naturally aligned.  E.g. when encrypting 9 bytes
at offset 8, KVM needs to _decrypt_ destination[31:0] into a temporary buffer,
buffer[31:0], then copy 9 bytes from source[8:0] to buffer[16:8], then encrypt
buffer[31:0] back into destination[31:0].  The current code only ever copies
16 bytes, and bizarrely uses a temporary buffer for the source as well.

A wholesale rewrite in a single patch isn't my first choice, but the existing
code obviously hasn't been tested, and it's so bizarre and unnecessarily
complex that I've zero confidence that an iterative cleanup would be a net
positive, especially given how many hours it would take.

The initial fix is 7.1 material, the rest (including the selftest, because it
won't pass), can wait for 7.2.

v1: https://lore.kernel.org/all/20260410050854.2463447-1-ashutoshdesai993@gmail.com

Ashutosh Desai (1):
  KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path

Sean Christopherson (5):
  KVM: selftests: Add a test to verify SEV {en,de}crypt debug ioctls
  KVM: SEV: Explicitly validate the dst buffer for debug operations
  KVM: SEV: Add helper function to pin/unpin a single page
  KVM: SEV: Rewrite logic to {de,en}crypt memory for debug
  KVM: SEV: Allocate only as many bytes as needed for temp crypt buffers

 arch/x86/kvm/svm/sev.c                        | 423 +++++++++---------
 tools/testing/selftests/kvm/Makefile.kvm      |   1 +
 tools/testing/selftests/kvm/include/x86/sev.h |  24 +
 .../testing/selftests/kvm/x86/sev_dbg_test.c  | 118 +++++
 4 files changed, 347 insertions(+), 219 deletions(-)
 create mode 100644 tools/testing/selftests/kvm/x86/sev_dbg_test.c


base-commit: 39f1c201b93f4ff71631bac72cff6eb155f976a4
-- 
2.54.0.545.g6539524ca2-goog

On Fri, 01 May 2026 13:35:31 -0700, Sean Christopherson wrote:
> Disclaimer: I could have sworn I sent this last week, but obviously did not,
> and I can't remember _why_ I didn't send it.  So don't be too surprised if
> there's some glaring flaw or boneheaded mistake.
> 
> Ashutosh's fix for a heap OOB/UAF bug in the debug {de,en}crypt code, now
> with a selftest to detect the bug (and confirm the fix), and to validate the
> functionality.
> 
> [...]

Applied to kvm-x86 sev, to get as much exposure in -next as possible.

[1/6] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path
      https://github.com/kvm-x86/linux/commit/78ee2d50185a
[2/6] KVM: selftests: Add a test to verify SEV {en,de}crypt debug ioctls
      https://github.com/kvm-x86/linux/commit/6edd35e77a42
[3/6] KVM: SEV: Explicitly validate the dst buffer for debug operations
      https://github.com/kvm-x86/linux/commit/cb32e895546b
[4/6] KVM: SEV: Add helper function to pin/unpin a single page
      https://github.com/kvm-x86/linux/commit/99694add4af3
[5/6] KVM: SEV: Rewrite logic to {de,en}crypt memory for debug
      https://github.com/kvm-x86/linux/commit/8d6297a3e73e
[6/6] KVM: SEV: Allocate only as many bytes as needed for temp crypt buffers
      https://github.com/kvm-x86/linux/commit/4c735bf1bc22

--
https://github.com/kvm-x86/linux/tree/next