When userspace is getting TDX capabilities, retrieve and check the number
of user entries before allocating kernel scratch space to avoid having to
unwind the allocation if get_user() fails or if 'user_caps' is too small
to fit 'caps'.
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Tested-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Link: https://patch.msgid.link/20251017213914.167301-1-thorsten.blum@linux.dev
[sean: split to separate patch]
Signed-off-by: Sean Christopherson <seanjc@google.com>
if (cmd->flags)
return -EINVAL;
+ user_caps = u64_to_user_ptr(cmd->data);
+ if (get_user(nr_user_entries, &user_caps->cpuid.nent))
+ return -EFAULT;
+
+ if (nr_user_entries < td_conf->num_cpuid_config)
+ return -E2BIG;
+
caps = kzalloc(sizeof(*caps) +
sizeof(struct kvm_cpuid_entry2) * td_conf->num_cpuid_config,
GFP_KERNEL);
if (!caps)
return -ENOMEM;
- user_caps = u64_to_user_ptr(cmd->data);
- if (get_user(nr_user_entries, &user_caps->cpuid.nent)) {
- ret = -EFAULT;
- goto out;
- }
-
- if (nr_user_entries < td_conf->num_cpuid_config) {
- ret = -E2BIG;
- goto out;
- }
-
ret = init_kvm_tdx_caps(td_conf, caps);
if (ret)
goto out;
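Review bot: The kzalloc() size in the context lines right after the moved checks is still open-coded as `sizeof(*caps) + sizeof(struct kvm_cpuid_entry2) * td_conf->num_cpuid_config`, which wraps silently if the count is ever larger than expected. `struct_size()` saturates instead, e.g. `caps = kzalloc(struct_size(caps, cpuid.entries, td_conf->num_cpuid_config), GFP_KERNEL);` (this assumes the flexible array member is `cpuid.entries`, which is not visible in this hunk). The moved check itself looks sound in the visible lines: the value fetched with get_user() is only compared against the kernel's own count and never sizes the allocation. A short comment above the early returns, such as `/* Validate the user buffer before allocating; nothing to unwind yet. */`, would discourage a later edit from adding a bare `return` after the kzalloc(). The function starts and ends outside this hunk, so the `out` label and the copy back to userspace were not reviewed.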