commit 1d5379d0475419085d3575bd9155f2e558e96390 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

x86/sev: Fix SEV-ES INS/OUTS instructions for word, dword, and qword

Properly type the operands being passed to __put_user()/__get_user().
Otherwise, these routines truncate data for dependent instructions
(e.g., INSW) and only read/write one byte.

This has been tested by sending a string with REP OUTSW to a port and
then reading it back in with REP INSW on the same port.

Previous behavior was to only send and receive the first char of the
size. For example, word operations for "abcd" would only read/write
"ac". With change, the full string is now written and read back.

Fixes: f980f9c31a923 (x86/sev-es: Compile early handler code into kernel image)
Signed-off-by: Michael Sterritt <sterritt@google.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Reviewed-by: Peter Gonda <pgonda@google.com>
Reviewed-by: Joerg Roedel <jroedel@suse.de>
Link: https://lkml.kernel.org/r/20211119232757.176201-1-sterritt@google.com

authored by Michael Sterritt and committed by Borislav Petkov 4 years ago 1d5379d0 51523ed1

+39 -18

1 changed file

expand all

unified split

arch

x86

kernel

sev.c

+39 -18

arch/x86/kernel/sev.c

··· 294 char *dst, char *buf, size_t size) 295 { 296 unsigned long error_code = X86_PF_PROT | X86_PF_WRITE; 297 - char __user *target = (char __user *)dst; 298 - u64 d8; 299 - u32 d4; 300 - u16 d2; 301 - u8 d1; 302 303 /* 304 * This function uses __put_user() independent of whether kernel or user ··· 315 * instructions here would cause infinite nesting. 316 */ 317 switch (size) { 318 - case 1: 319 memcpy(&d1, buf, 1); 320 if (__put_user(d1, target)) 321 goto fault; 322 break; 323 - case 2: 324 memcpy(&d2, buf, 2); 325 if (__put_user(d2, target)) 326 goto fault; 327 break; 328 - case 4: 329 memcpy(&d4, buf, 4); 330 if (__put_user(d4, target)) 331 goto fault; 332 break; 333 - case 8: 334 memcpy(&d8, buf, 8); 335 if (__put_user(d8, target)) 336 goto fault; 337 break; 338 default: 339 WARN_ONCE(1, "%s: Invalid size: %zu\n", __func__, size); 340 return ES_UNSUPPORTED; ··· 373 char *src, char *buf, size_t size) 374 { 375 unsigned long error_code = X86_PF_PROT; 376 - char __user *s = (char __user *)src; 377 - u64 d8; 378 - u32 d4; 379 - u16 d2; 380 - u8 d1; 381 382 /* 383 * This function uses __get_user() independent of whether kernel or user ··· 394 * instructions here would cause infinite nesting. 395 */ 396 switch (size) { 397 - case 1: 398 if (__get_user(d1, s)) 399 goto fault; 400 memcpy(buf, &d1, 1); 401 break; 402 - case 2: 403 if (__get_user(d2, s)) 404 goto fault; 405 memcpy(buf, &d2, 2); 406 break; 407 - case 4: 408 if (__get_user(d4, s)) 409 goto fault; 410 memcpy(buf, &d4, 4); 411 break; 412 - case 8: 413 if (__get_user(d8, s)) 414 goto fault; 415 memcpy(buf, &d8, 8); 416 break; 417 default: 418 WARN_ONCE(1, "%s: Invalid size: %zu\n", __func__, size); 419 return ES_UNSUPPORTED;

··· 294 char *dst, char *buf, size_t size) 295 { 296 unsigned long error_code = X86_PF_PROT | X86_PF_WRITE; 297 298 /* 299 * This function uses __put_user() independent of whether kernel or user ··· 320 * instructions here would cause infinite nesting. 321 */ 322 switch (size) { 323 + case 1: { 324 + u8 d1; 325 + u8 __user *target = (u8 __user *)dst; 326 + 327 memcpy(&d1, buf, 1); 328 if (__put_user(d1, target)) 329 goto fault; 330 break; 331 + } 332 + case 2: { 333 + u16 d2; 334 + u16 __user *target = (u16 __user *)dst; 335 + 336 memcpy(&d2, buf, 2); 337 if (__put_user(d2, target)) 338 goto fault; 339 break; 340 + } 341 + case 4: { 342 + u32 d4; 343 + u32 __user *target = (u32 __user *)dst; 344 + 345 memcpy(&d4, buf, 4); 346 if (__put_user(d4, target)) 347 goto fault; 348 break; 349 + } 350 + case 8: { 351 + u64 d8; 352 + u64 __user *target = (u64 __user *)dst; 353 + 354 memcpy(&d8, buf, 8); 355 if (__put_user(d8, target)) 356 goto fault; 357 break; 358 + } 359 default: 360 WARN_ONCE(1, "%s: Invalid size: %zu\n", __func__, size); 361 return ES_UNSUPPORTED; ··· 362 char *src, char *buf, size_t size) 363 { 364 unsigned long error_code = X86_PF_PROT; 365 366 /* 367 * This function uses __get_user() independent of whether kernel or user ··· 388 * instructions here would cause infinite nesting. 389 */ 390 switch (size) { 391 + case 1: { 392 + u8 d1; 393 + u8 __user *s = (u8 __user *)src; 394 + 395 if (__get_user(d1, s)) 396 goto fault; 397 memcpy(buf, &d1, 1); 398 break; 399 + } 400 + case 2: { 401 + u16 d2; 402 + u16 __user *s = (u16 __user *)src; 403 + 404 if (__get_user(d2, s)) 405 goto fault; 406 memcpy(buf, &d2, 2); 407 break; 408 + } 409 + case 4: { 410 + u32 d4; 411 + u32 __user *s = (u32 __user *)src; 412 + 413 if (__get_user(d4, s)) 414 goto fault; 415 memcpy(buf, &d4, 4); 416 break; 417 + } 418 + case 8: { 419 + u64 d8; 420 + u64 __user *s = (u64 __user *)src; 421 if (__get_user(d8, s)) 422 goto fault; 423 memcpy(buf, &d8, 8); 424 break; 425 + } 426 default: 427 WARN_ONCE(1, "%s: Invalid size: %zu\n", __func__, size); 428 return ES_UNSUPPORTED;