Commit dd09eb44 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'tsm-fixes-7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm 

Pull tsm fix from Dan Williams:

 - Fix a VMM controlled buffer length used to emit TDX attestation
   reports

* tag 'tsm-fixes-7.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/devsec/tsm:
  virt: tdx-guest: Fix handling of host controlled 'quote' buffer length
parents faf44e54 c3fd16c3

drivers/virt/coco/tdx-guest/tdx-guest.c

+10 −2
Original line number Diff line number Diff line
@@ -171,6 +171,8 @@ static void tdx_mr_deinit(const struct attribute_group *mr_grp) 
#define GET_QUOTE_SUCCESS		0

#define GET_QUOTE_IN_FLIGHT		0xffffffffffffffff



#define TDX_QUOTE_MAX_LEN		(GET_QUOTE_BUF_SIZE - sizeof(struct tdx_quote_buf))



/* struct tdx_quote_buf: Format of Quote request buffer.

 * @version: Quote format version, filled by TD.

 * @status: Status code of Quote request, filled by VMM.
@@ -269,6 +271,7 @@ static int tdx_report_new_locked(struct tsm_report *report, void *data) 
	u8 *buf;

	struct tdx_quote_buf *quote_buf = quote_data;

	struct tsm_report_desc *desc = &report->desc;

	u32 out_len;

	int ret;

	u64 err;
@@ -306,12 +309,17 @@ static int tdx_report_new_locked(struct tsm_report *report, void *data) 
		return ret;

	}



	buf = kvmemdup(quote_buf->data, quote_buf->out_len, GFP_KERNEL);

	out_len = READ_ONCE(quote_buf->out_len);



	if (out_len > TDX_QUOTE_MAX_LEN)

		return -EFBIG;



	buf = kvmemdup(quote_buf->data, out_len, GFP_KERNEL);

	if (!buf)

		return -ENOMEM;



	report->outblob = buf;

	report->outblob_len = quote_buf->out_len;

	report->outblob_len = out_len;



	/*

	 * TODO: parse the PEM-formatted cert chain out of the quote buffer when