[PATCH] crypto: ccp: Fix SNP range list bounds check

Next message: Dmitry Baryshkov: "[PATCH v4 00/16] media: iris: Add AR50LT core support and enable Agatti platform"
Previous message: Dmitry Baryshkov: "Re: [PATCH] arm64: dts: qcom: sdm850-lenovo-yoga-c630: lower PSCI cluster idle"
Next in thread: Tom Lendacky: "Re: [PATCH] crypto: ccp: Fix SNP range list bounds check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: ZongYao . Chen

Date: Fri Jun 12 2026 - 05:26:44 EST

From: Zongyao Chen <ZongYao.Chen@xxxxxxxxxxxxxxxxx>

snp_filter_reserved_mem_regions() checks the range list size before
adding a new entry. If the page-sized SNP_INIT_EX buffer is already
full, the next matching resource can still write one entry past the end
of the buffer.

Check that there is room for the next entry before appending it, and
compute the next entry pointer only after the bounds check.

Fixes: 1ca5614b84ee ("crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Zongyao Chen <ZongYao.Chen@xxxxxxxxxxxxxxxxx>
---
drivers/crypto/ccp/sev-dev.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
index d1e9e0ac63b6..9e6efb3ec175 100644
--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -1324,17 +1324,19 @@ static int snp_get_platform_data(struct sev_device *sev, int *error)
static int snp_filter_reserved_mem_regions(struct resource *rs, void *arg)
{
struct sev_data_range_list *range_list = arg;
- struct sev_data_range *range = &range_list->ranges[range_list->num_elements];
+ struct sev_data_range *range;
size_t size;

/*
* Ensure the list of HV_FIXED pages that will be passed to firmware
* do not exceed the page-sized argument buffer.
*/
- if ((range_list->num_elements * sizeof(struct sev_data_range) +
+ if (((range_list->num_elements + 1) * sizeof(struct sev_data_range) +
sizeof(struct sev_data_range_list)) > PAGE_SIZE)
return -E2BIG;

+ range = &range_list->ranges[range_list->num_elements];
+
switch (rs->desc) {
case E820_TYPE_RESERVED:
case E820_TYPE_PMEM:
--
2.47.3