Re: [PATCH] crypto: ccp: Treat zero-length cert chain as query for blob lengths

[Tom Lendacky]

On 5/4/26 17:28, Sean Christopherson wrote:
> When handling a PDH export, treat a zero-length userspace cert chain buffer
> as a request to query the length of the relevant blobs.  Failure to account
> for the zero-length buffer trips a BUG_ON() when running with
> CONFIG_DEBUG_VIRTUAL=y due to trying to get the physical address of the
> ZERO_SIZE_PTR (returned by kzalloc() on the bogus allocation).
> 
>    kernel BUG at arch/x86/mm/physaddr.c:28 !
>   Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
>   CPU: 30 UID: 0 PID: 28580 Comm: syz.2.18 Kdump: loaded
>   Tainted: G        W           6.18.16-smp-DEV #1 NONE
>   Tainted: [W]=WARN
>   Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
>    RIP: 0010:__phys_addr+0x16a/0x180 arch/x86/mm/physaddr.c:28
>   RSP: 0018:ffffc9008329fc80 EFLAGS: 00010293
>   RAX: ffffffff8179110a RBX: 0000778000000010 RCX: ffff8884e6992600
>   RDX: 0000000000000000 RSI: 0000000080000010 RDI: 0000778000000010
>   RBP: ffffc9008329fdf0 R08: 0000000000000dc0 R09: 00000000ffffffff
>   R10: dffffc0000000000 R11: fffffbfff126d297 R12: dffffc0000000000
>   R13: 1ffff92010653fc8 R14: 0000000080000010 R15: dffffc0000000000
>   FS:  0000555556bec9c0(0000) GS:ffff88aa4ce1c000(0000) knlGS:0000000000000000
>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   CR2: 00007fd3159e7000 CR3: 00000004fbc44000 CR4: 0000000000350ef0
>   Call Trace:
>    <TASK>
>     [<ffffffff853d3869>] sev_ioctl_do_pdh_export+0x559/0x7a0 drivers/crypto/ccp/sev-dev.c:2308
>     [<ffffffff853d1fdd>] sev_ioctl+0x2cd/0x480 drivers/crypto/ccp/sev-dev.c:2556
>     [<ffffffff82549ebc>] vfs_ioctl fs/ioctl.c:52 [inline]
>     [<ffffffff82549ebc>] __do_sys_ioctl fs/ioctl.c:598 [inline]
>     [<ffffffff82549ebc>] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584
>     [<ffffffff8630115f>] do_syscall_x64 arch/x86/entry/syscall_64.c:64 [inline]
>     [<ffffffff8630115f>] do_syscall_64+0x9f/0xf40 arch/x86/entry/syscall_64.c:98
>    [<ffffffff81000136>] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>   RIP: 0033:0x7fd3158eac39
>    </TASK>
> 
> Thankfully, the bug is benign outside of CONFIG_DEBUG_VIRTUAL=y as getting
> the physical address is just arithmetic, and the PSP errors out before
> trying to write to the garbage address (which it must, otherwise querying
> the blob lengths would clobber memory at pfn=0).
> 
> Fixes: 76a2b524a4b1 ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command")
> Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>

Heh, you beat me to it, I have the same patch ready to send out.

Reviewed-by: Tom Lendacky <thomas.lendacky@xxxxxxx>

> ---
>  drivers/crypto/ccp/sev-dev.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> index d1e9e0ac63b6..ed3b8065f59b 100644
> --- a/drivers/crypto/ccp/sev-dev.c
> +++ b/drivers/crypto/ccp/sev-dev.c
> @@ -2301,7 +2301,8 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable)
>  	/* Userspace wants to query the certificate length. */
>  	if (!input.pdh_cert_address ||
>  	    !input.pdh_cert_len ||
> -	    !input.cert_chain_address)
> +	    !input.cert_chain_address ||
> +	    !input.cert_chain_len)
>  		goto cmd;
>  
>  	/* Allocate a physically contiguous buffer to store the PDH blob. */
> 
> base-commit: 2d4aef3da2981e326a88f8b07249083150ae3ef3