Commit 0d3e0dfd authored Mar 05, 2025 by Jarkko Sakkinen Committed by Ingo Molnar Mar 05, 2025

x86/sgx: Fix size overflows in sgx_encl_create()



The total size calculated for EPC can overflow u64 given the added up page
for SECS.  Further, the total size calculated for shmem can overflow even
when the EPC size stays within limits of u64, given that it adds the extra
space for 128 byte PCMD structures (one for each page).

Address this by pre-evaluating the micro-architectural requirement of
SGX: the address space size must be power of two. This is eventually
checked up by ECREATE but the pre-check has the additional benefit of
making sure that there is some space for additional data.

Fixes: 888d2491 ("x86/sgx: Add SGX_IOC_ENCLAVE_CREATE")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Dave Hansen <dave.hansen@intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Link: https://lore.kernel.org/r/20250305050006.43896-1-jarkko@kernel.org

Closes: https://lore.kernel.org/linux-sgx/c87e01a0-e7dd-4749-a348-0980d3444f04@stanley.mountain/

parent f6bdaab7

arch/x86/kernel/cpu/sgx/ioctl.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -64,6 +64,13 @@ static int sgx_encl_create(struct sgx_encl encl, struct sgx_secs secs)
		struct file *backing;
		long ret;

		/*
		* ECREATE would detect this too, but checking here also ensures
		* that the 'encl_size' calculations below can never overflow.
		*/
		if (!is_power_of_2(secs->size))
		return -EINVAL;

		va_page = sgx_encl_grow(encl, true);
		if (IS_ERR(va_page))
		return PTR_ERR(va_page);