Re: [PATCH] misc: nsm: bound the device-reported response length

From: Graf (AWS), Alexander

Date: Sun Jun 21 2026 - 04:07:21 EST



On 21.06.26 07:38, Greg Kroah-Hartman wrote:
> On Sat, Jun 20, 2026 at 09:42:11PM -0500, Bryam Vargas via B4 Relay wrote:
>> From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
>>
>> nsm_sendrecv_msg_locked() stores the virtqueue used-ring length reported
>> by the NSM device into msg->resp.len without bounding it to the response
>> buffer. A malicious or buggy backend can report a length larger than the
>> response buffer; parse_resp_raw() then copies that many bytes out of the
>> fixed buffer to user space, disclosing adjacent kernel heap (an
>> out-of-bounds read). The request path already floors its length in
>> fill_req_raw(); the response path lacks the symmetric check.
>>
>> Clamp the stored length to the size of the response buffer. Well-behaved
>> devices report no more than the posted buffer size, so conforming traffic
>> is unaffected.
> Is this really the only place where a "buggy" device that is bound to
> the driver can cause any problems? Shouldn't the driver only be bound
> to trusted devices to start with?


It's close to impossible to understand whether the backing device is
"trusted" or not from a VM's point of view. Even all the fancy "trusted
PCIe" logic is about as secure as "secure HDMI": not at all. The best
thing a VM can do is trust specific drivers IMHO to reduce its TCB. I
think as a stick in the ground saying "all virtio drivers are trusted"
makes a lot of sense given that a lot of the virtualized world runs on
virtio.

Bryam, under that premise, could you please also look at other parts of
the nsm driver that could potentially break the premise of a malicious
host? A quick AI scan revealed that the cbor_short_size switch has no
default branch, which leads to uninitialized array_len. Since the report
looks heavily AI influenced, maybe yours actually finds more?

For this patch:

Reviewed-by: Alexander Graf <graf@xxxxxxxxxx>


Thanks,

Alex



Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597