[PATCH] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path
From: Ashutosh Desai
Date: Fri Apr 10 2026 - 01:09:06 EST
In sev_dbg_crypt(), the per-iteration transfer length is bounded by
the source page offset (PAGE_SIZE - s_off) but not by the destination
page offset (PAGE_SIZE - d_off). When d_off > s_off, the encrypt
path (__sev_dbg_encrypt_user) performs a read-modify-write using a
single-page intermediate buffer (dst_tpage):
1. __sev_dbg_decrypt() expands the size to round_up(len + (d_off & 15), 16)
before issuing the PSP command. If len + (d_off & 15) > PAGE_SIZE,
the PSP writes beyond the end of the 4096-byte dst_tpage allocation.
2. The subsequent memcpy()/copy_from_user() into
page_address(dst_tpage) + (d_off & 15) of 'len' bytes overflows
by up to 15 bytes under the same condition.
Trigger example: s_off = 0, d_off = 1, debug.len = PAGE_SIZE -
the PSP is instructed to write round_up(4097, 16) = 4112 bytes to
a 4096-byte buffer.
Fix by also bounding len by (PAGE_SIZE - d_off), the same check that
sev_send_update_data() already performs for its single-page guest
region.
Signed-off-by: Ashutosh Desai <ashutoshdesai993@xxxxxxxxx>
---
arch/x86/kvm/svm/sev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 3f9c1aa39..a7eb24179 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -1340,6 +1340,7 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec)
s_off = vaddr & ~PAGE_MASK;
d_off = dst_vaddr & ~PAGE_MASK;
len = min_t(size_t, (PAGE_SIZE - s_off), size);
+ len = min_t(size_t, len, PAGE_SIZE - d_off);
if (dec)
ret = __sev_dbg_decrypt_user(kvm,
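Review bot: The added line `+ len = min_t(size_t, len, PAGE_SIZE - d_off);` applies to both the encrypt and decrypt branches of the `if (dec)` that follows, yet the commit message only argues the encrypt path (dst_tpage) is affected; a sentence stating that the tighter bound is harmless on the decrypt path would save the next reader from re-deriving that. Stylistically the two consecutive min_t() calls read as one constraint and could be folded into `len = min3(size, PAGE_SIZE - s_off, PAGE_SIZE - d_off);` from linux/minmax.h. Since this is a fix for a user-triggerable out-of-bounds write via the debug ioctl, the message should also carry a Fixes: tag naming the commit that introduced the single-page dst_tpage read-modify-write, and a Cc: stable@vger.kernel.org.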
--
2.34.1
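To make the length arithmetic in the commit message concrete, here is an added model of the per-iteration bound in sev_dbg_crypt(); it is not code from the patch or from the kernel. It reproduces only the offset and length computation and the round_up() expansion that __sev_dbg_decrypt() applies before the PSP command, replacing the PSP write and the memcpy() into dst_tpage with a check against PAGE_SIZE. The names model_dbg_crypt, dbg_model_result and bound_by_dst are hypothetical, and the loop advance (vaddr, dst_vaddr and size stepping by len) is assumed to match the real loop.

```c
#include <stddef.h>
#include <stdio.h>

/* Kernel constants, reproduced here so the model builds stand-alone. */
#define PAGE_SIZE 4096UL
#define PAGE_MASK (~(PAGE_SIZE - 1))

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* round_up(x, 16) as used by __sev_dbg_decrypt() before the PSP command. */
static size_t round_up16(size_t x) { return (x + 15) & ~(size_t)15; }

struct dbg_model_result {
	size_t iterations;      /* loop iterations needed to cover 'size' */
	size_t bytes_processed; /* sum of per-iteration len, should equal size */
	size_t max_psp_write;   /* largest round_up(len + (d_off & 15), 16) seen */
	int overflow;           /* 1 if any iteration exceeds the 4096-byte dst_tpage */
};

/*
 * Hypothetical model of the sev_dbg_crypt() loop (not the kernel function).
 * With bound_by_dst == 0 the length is bounded only by the source page offset,
 * as before the patch; with bound_by_dst == 1 the destination page offset is
 * applied as well, which is the one-line change the patch makes.
 */
struct dbg_model_result model_dbg_crypt(unsigned long vaddr, unsigned long dst_vaddr,
					size_t size, int bound_by_dst)
{
	struct dbg_model_result r = { 0, 0, 0, 0 };

	while (size) {
		size_t s_off = vaddr & ~PAGE_MASK;
		size_t d_off = dst_vaddr & ~PAGE_MASK;
		size_t len = min_sz(PAGE_SIZE - s_off, size);
		size_t psp_len;

		if (bound_by_dst)
			len = min_sz(len, PAGE_SIZE - d_off);

		/* The encrypt path stages 'len' bytes at (d_off & 15) inside a single
		 * page and the PSP is told to process the 16-byte-rounded span. */
		psp_len = round_up16(len + (d_off & 15));
		if (psp_len > r.max_psp_write)
			r.max_psp_write = psp_len;
		if (psp_len > PAGE_SIZE)
			r.overflow = 1;

		r.iterations++;
		r.bytes_processed += len;
		vaddr += len;
		dst_vaddr += len;
		size -= len;
	}
	return r;
}

int main(void)
{
	/* Constructed input: the trigger from the commit message,
	 * s_off = 0, d_off = 1, debug.len = PAGE_SIZE. */
	struct dbg_model_result before = model_dbg_crypt(0, 1, PAGE_SIZE, 0);
	struct dbg_model_result after = model_dbg_crypt(0, 1, PAGE_SIZE, 1);

	printf("before: iterations=%zu psp_write=%zu overflow=%d\n",
	       before.iterations, before.max_psp_write, before.overflow);
	printf("after:  iterations=%zu psp_write=%zu overflow=%d processed=%zu\n",
	       after.iterations, after.max_psp_write, after.overflow,
	       after.bytes_processed);
	return 0;
}
```

Running it shows the unbounded variant issuing a single 4112-byte PSP write into a 4096-byte buffer, while the bounded variant splits the same request into two iterations (4095 bytes, then 1 byte), never exceeds PAGE_SIZE, and still covers every byte of the request.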