Re: [PATCH v15 01/13] x86/sev: Carve out and export SNP guest messaging init routines

From: Nikunj A. Dadhania
Date: Mon Dec 09 2024 - 01:17:16 EST




On 12/7/2024 1:57 AM, Borislav Petkov wrote:
> On Thu, Dec 05, 2024 at 11:53:53AM +0530, Nikunj A. Dadhania wrote:
>>> * get_report - I don't think so:
>>>
>>> /*
>>> * The intermediate response buffer is used while decrypting the
>>> * response payload. Make sure that it has enough space to cover the
>>> * authtag.
>>> */
>>> resp_len = sizeof(report_resp->data) + mdesc->ctx->authsize;
>>> report_resp = kzalloc(resp_len, GFP_KERNEL_ACCOUNT);
>>>
>>> That resp_len is limited and that's on the guest_ioctl path which cannot
>>> happen concurrently?
>>
>> It is a trusted allocation, but should it be accounted as it is part of
>> the userspace ioctl path ?
>
> Well, it is unlocked_ioctl() and snp_guest_ioctl() is not taking any locks.
> What's stopping anyone from writing a nasty little program which hammers the
> sev-guest on the ioctl interface until the OOM killer activates?
>
> IOW, this should probably remain _ACCOUNT AFAICT.

Both get_report()/get_ext_report() are in the unlocked_ioctl(), we will
retain the _ACCOUNT

That leaves us with only one site: snp_init_crypto(), should I fold this change
in current patch ?
Regards
Nikunj