Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'tsm-fixes-7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm

Pull tsm fix from Dan Williams:

- Fix a VMM controlled buffer length used to emit TDX attestation
reports

* tag 'tsm-fixes-7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm:
virt: tdx-guest: Fix handling of host controlled 'quote' buffer length

+10 -2
+10 -2
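--- a/drivers/virt/coco/tdx-guest/tdx-guest.c
+++ b/drivers/virt/coco/tdx-guest/tdx-guest.c
@@ -171,6 +171,8 @@
 #define GET_QUOTE_SUCCESS 0
 #define GET_QUOTE_IN_FLIGHT 0xffffffffffffffff
 
+#define TDX_QUOTE_MAX_LEN (GET_QUOTE_BUF_SIZE - sizeof(struct tdx_quote_buf))
+
 /* struct tdx_quote_buf: Format of Quote request buffer.
  * @version: Quote format version, filled by TD.
  * @status: Status code of Quote request, filled by VMM.
@@ -269,6 +271,7 @@
 	u8 *buf;
 	struct tdx_quote_buf *quote_buf = quote_data;
 	struct tsm_report_desc *desc = &report->desc;
+	u32 out_len;
 	int ret;
 	u64 err;
 
@@ -306,12 +309,17 @@
 		return ret;
 	}
 
-	buf = kvmemdup(quote_buf->data, quote_buf->out_len, GFP_KERNEL);
+	out_len = READ_ONCE(quote_buf->out_len);
+
+	if (out_len > TDX_QUOTE_MAX_LEN)
+		return -EFBIG;
+
+	buf = kvmemdup(quote_buf->data, out_len, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;
 
 	report->outblob = buf;
-	report->outblob_len = quote_buf->out_len;
+	report->outblob_len = out_len;
 
 	/*
 	 * TODO: parse the PEM-formatted cert chain out of the quote buffer when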
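Review bot: The snapshot at `out_len = READ_ONCE(quote_buf->out_len);` has no comment saying why the field is read exactly once, so a later cleanup could reintroduce a second `quote_buf->out_len` read after the bound check. The struct comment says the VMM fills parts of this buffer, so I would add above that line: `/* out_len is written by the VMM: read it once so the bound check and the copy use the same value */`. A zero `out_len` still passes `out_len > TDX_QUOTE_MAX_LEN` and is handed on as an empty outblob; if callers do not expect that (not visible here), rejecting it at the same spot would be cheap. The enclosing function starts and ends outside the hunk, so whether `status`, also VMM-filled per the struct comment, is read with the same care cannot be checked from this page.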