Re: [PATCH] hwrng: virtio: reject invalid used.len from the device
From: Michael Bommarito
Date: Fri Apr 17 2026 - 20:47:33 EST

On Fri, Apr 17, 2026 at 8:31 PM Michael S. Tsirkin <mst@xxxxxxxxxx> wrote:
> Actionable meaning what?

Well, between the BLAKE2 pass and the fact that 99% of guests already
shouldn't trust what's above, I agree that actionable doesn't mean
much to most people, not even for breaking KASLR.

But after doing some research, I realized that SEV-SNP/TDX guests that
expect lockdown=confidentiality might actually expect otherwise under
that security model. Still not a lot to work with, but more than just
correctness in those cases, and those might be the environments that
care the most.

> Maybe clamp at sizeof(vi->data) then? 0 might break buggy devices that
> were working earlier.
> Or just clamp where it's used, for clarity.
> And maybe we need the array_index dance, given
> you are worried about malicious.

Happy to send a v2 with those changes but I can only test on 1-2 TDX
variants at home and don't have access to an EPYC bare metal box, so
not very confident about your buggy device point.
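
Added illustration, not part of the message above and not the driver's code: a userspace C model of the two suggestions quoted in the thread, clamping a device-reported length at the buffer size and then masking it in the style of the kernel's array_index_nospec(). The struct, the function names and the 64-byte buffer size are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_SIZE 64 /* constructed size for this model */

struct rng_model { /* hypothetical stand-in for the driver state (vi) */
    uint8_t data[DATA_SIZE];
    size_t data_avail;
};

/* All ones when index < size, zero otherwise, with no branch to mispredict.
 * Same arithmetic as the kernel's generic array_index_mask_nospec(); the
 * kernel also hides the index from the optimizer, which this model omits. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

/* Clamp the device-reported length to the buffer instead of rejecting it,
 * then mask it so a speculated path cannot carry a larger value forward. */
static size_t sanitize_used_len(size_t reported)
{
    size_t len = reported > DATA_SIZE ? DATA_SIZE : reported;
    /* bound is DATA_SIZE + 1 because len == DATA_SIZE is a valid length */
    return len & index_mask_nospec(len, DATA_SIZE + 1UL);
}

static size_t model_read(struct rng_model *m, size_t reported,
                         uint8_t *out, size_t outsz)
{
    m->data_avail = sanitize_used_len(reported);
    size_t n = m->data_avail < outsz ? m->data_avail : outsz;
    memcpy(out, m->data, n);
    m->data_avail -= n;
    return n;
}

int main(void)
{
    struct rng_model m = { .data = { 0xAA } };
    uint8_t out[128];
    size_t cases[] = { 16, DATA_SIZE, DATA_SIZE + 1, (size_t)-1 }; /* constructed */
    for (size_t i = 0; i < 4; i++)
        printf("reported=%zu copied=%zu\n", cases[i],
               model_read(&m, cases[i], out, sizeof(out)));
    return 0;
}
```

Clamping keeps a device that over-reports working with a truncated read, whereas treating the length as 0 would return nothing to the consumer.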