Re: [PATCH 2/5] crypto: ccp: Reject SEV commands with mismatching command buffer

From: Sean Christopherson <seanjc@google.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	John Allen <john.allen@amd.com>,
	Vitaly Kuznetsov <vkuznets@redhat.com>,
	Wanpeng Li <wanpengli@tencent.com>,
	Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
	kvm@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, Borislav Petkov <bp@suse.de>
Subject: Re: [PATCH 2/5] crypto: ccp: Reject SEV commands with mismatching command buffer
Date: Mon, 5 Apr 2021 16:33:02 +0000	[thread overview]
Message-ID: <YGs7vioH8TVzyckx@google.com> (raw)
In-Reply-To: <bc82825c-03ff-1b3f-7166-f6e5671f0a4f@amd.com>

On Mon, Apr 05, 2021, Tom Lendacky wrote:
> On 4/2/21 6:36 PM, Sean Christopherson wrote:
> > diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> > index 6556d220713b..4c513318f16a 100644
> > --- a/drivers/crypto/ccp/sev-dev.c
> > +++ b/drivers/crypto/ccp/sev-dev.c
> > @@ -141,6 +141,7 @@ static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret)
> >  	struct sev_device *sev;
> >  	unsigned int phys_lsb, phys_msb;
> >  	unsigned int reg, ret = 0;
> > +	int buf_len;
> >  
> >  	if (!psp || !psp->sev_data)
> >  		return -ENODEV;
> > @@ -150,7 +151,11 @@ static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret)
> >  
> >  	sev = psp->sev_data;
> >  
> > -	if (data && WARN_ON_ONCE(is_vmalloc_addr(data)))
> > +	buf_len = sev_cmd_buffer_len(cmd);
> > +	if (WARN_ON_ONCE(!!data != !!buf_len))
> 
> Seems a bit confusing to me.  Can this just be:
> 
> 	if (WARN_ON_ONCE(data && !buf_len))

Or as Christophe pointed out, "!data != !buf_len".

> Or is this also trying to catch the case where buf_len is non-zero but
> data is NULL?

Ya.  It's not necessary to detect "buf_len && !data", but it doesn't incur
additional cost.  Is there a reason _not_ to disallow that?