kernel/vtpm: fix potential UB when accessing guest buffer #603
Conversation
|
This is a followup of #574 with a reference to the discussion we had here: #574 (comment) (thanks @00xc and @cclaudio) I'm reporting the last comment from Carlos, to restart the discussion:
I handled the error path, moving the error handling after the section, not sure what to do with PVALIDATE_LOCK. |
|
I don't think this is the sort of pattern we want to develop for interaction with guest memory. This change will revoke all guest access to the page that is being used by the TPM, and depending on how the guest is built (where it may be reading data, polling for memory changes, etc.), the guest may encounter an unexpected and fatal memory exception as a result of the permission change. This pattern of modifying guest memory from the SVSM will be increasingly common as the SVSM begins to implement paravisor functionality. A much better pattern will be for the SVSM to be written defensively, using atomics or other |
@msft-jlange yeah, I see your point.
Maybe we should use something like https://github.com/rust-vmm/vm-memory/blob/main/src/volatile_memory.rs and when we need to share a buffer with C code, we will need to allocate a tmp one. |
stefano-garzarella
force-pushed
the
vtpm-fix-buffer-ub
branch
from
15633c6 to
7b5bcdd
Compare
@msft-jlange I tried that in this version, but now I have a problem with Note: in the first line, I printed the paddr and the offset, so the buffer is crossing 2 pages. I thought it was the problem, but removing the vTPM driver in OVMF, and booting Linux, where the driver allocates the buffer page aligned, I have the same behavior, of course when Linux tries to access the vTPM : So I tried to reduce the size of the buffer, for example if I do something like this I can't see the double fault if the buffer is page aligned or not (from PAGE_SIZE - 900 it double faults) : Any suggestions on where I'm doing it wrong? |
I can answer my-self.... I did a stack overflow! Increasing the stack size, it works well. So, should I avoid that, right? |
Maybe we can add |
`GuestPtr::read()` returns `T` allocated on the stack. This could be a problem for large objects, so let's add `GuestPtr::read_ref()` which allows us to read `GuestPtr` into a pre-allocated buffer passed by reference. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Creating a mutable reference to the guest buffer, could have been an UB because the guest could potentially modify it. So, let's copy the guest buffer to an internal one and then copy it back to give the result to the guest. To avoid overflowing the stack, allocate the buffer with Vec. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
stefano-garzarella
force-pushed
the
vtpm-fix-buffer-ub
branch
from
7b5bcdd to
40d73d5
Compare
|
v2:
@msft-jlange @cclaudio @00xc please take a look. |
| TpmPlatformCommand::SendCommand => tpm_send_command_request(buffer)?, | ||
| TpmPlatformCommand::SendCommand => { | ||
| // Let's use Vec to avoid consuming too much stack. | ||
| let mut buffer: Vec<u8> = vec![0; PAGE_SIZE]; |
There was a problem hiding this comment.
It would be nice to avoid having to allocate an entire page for every request. Is there some header in the payload that indicates how big the request is? If so, you could read that header into a stack local (which should be small), allocate your buffer based on how big the header indicates the data to be, then copy the stack local into the buffer and use read_ref to read the remainder of the command block into the buffer.
There was a problem hiding this comment.
Looking in the SVSM specification, it actually does not say anywhere that the buffer must be PAGE_SIZE, so I think you are right. Although the Linux driver for now always passes a large PAGE_SIZE buffer since it's used also for the response, so in practice it should be the same, but I see your point, I'll try it!
| TpmPlatformCommand::SendCommand => tpm_send_command_request(buffer)?, | ||
| TpmPlatformCommand::SendCommand => { | ||
| // Let's use Vec to avoid consuming too much stack. | ||
| let mut buffer: Vec<u8> = vec![0; PAGE_SIZE]; |
There was a problem hiding this comment.
You should consider using let mut uninit_buffer: Box<MaybeUninit<[u8]>> = Box::new_uninit_slice(PAGE_SIZE) and then you can avoid having to zero-initialize the contents that you are about to write over (and you can also avoid the intermediate Vec representation). This would require GuestPtr::read_ref() to become GuestPtr::read_ptr() (because creating a reference to uninitialized data is UB but creating a pointer to it is not), and after the copy is done, you could use let mut buffer: &[u8] = unsafe { uninit_buffer.assume_init() } to make your buffer safely usable once the copy initialization is complete.
There was a problem hiding this comment.
Cool, thanks for this, I like it, I'll try!
That said, I just discovered that during the path from this code to the TCG TPM C code, we allocate/copy the buffer several times:
- in
TpmSendCommandRequest::send()svsm/kernel/src/protocols/vtpm.rs
Line 116 in 035bb52
- in
TcgTpm::send_tpm_command()svsm/kernel/src/vtpm/tcgtpm/mod.rs
Line 97 in 035bb52
I think the second case maybe we cannot avoid, since the C code seems to expect 2 different buffers for input and output, but maybe, since we have to copy them from/to the guest anyway, we could pass 2 buffers from the beginning and avoid these allocations/copies.
I'll try to see if we can refactor a bit.
Much better now! I left a couple of comments that could tighten up the use of the intermediate buffer, but from a safety perspective, what you have now is perfectly acceptable. |
Creating a mutable reference to the guest buffer, could have been an UB because the guest could potentially modify it.
So, let's copy the guest buffer to an internal one and then copy it back to give the result to the guest. To avoid overflowing the stack, allocate the buffer with Vec.