From: Thorsten Blum Date: Fri, 17 Oct 2025 21:39:14 +0000 (+0200) Subject: KVM: TDX: Check size of user's kvm_tdx_capabilities array before allocating X-Git-Tag: v6.19-rc1~103^2~6^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=11b79f8318aefc7ddfd12668fd1d80bde1c9f7bc;p=thirdparty%2Flinux.git KVM: TDX: Check size of user's kvm_tdx_capabilities array before allocating When userspace is getting TDX capabilities, retrieve and check the number of user entries before allocating kernel scratch space to avoid having to unwind the allocation if get_user() fails or if 'user_caps' is too small to fit 'caps'. Signed-off-by: Thorsten Blum Tested-by: Rick Edgecombe Link: https://patch.msgid.link/20251017213914.167301-1-thorsten.blum@linux.dev [sean: split to separate patch] Signed-off-by: Sean Christopherson --- diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c index 0ffca14c10718..cc751c0884766 100644 --- a/arch/x86/kvm/vmx/tdx.c +++ b/arch/x86/kvm/vmx/tdx.c @@ -2224,23 +2224,19 @@ static int tdx_get_capabilities(struct kvm_tdx_cmd *cmd) if (cmd->flags) return -EINVAL; + user_caps = u64_to_user_ptr(cmd->data); + if (get_user(nr_user_entries, &user_caps->cpuid.nent)) + return -EFAULT; + + if (nr_user_entries < td_conf->num_cpuid_config) + return -E2BIG; + caps = kzalloc(sizeof(*caps) + sizeof(struct kvm_cpuid_entry2) * td_conf->num_cpuid_config, GFP_KERNEL); if (!caps) return -ENOMEM; - user_caps = u64_to_user_ptr(cmd->data); - if (get_user(nr_user_entries, &user_caps->cpuid.nent)) { - ret = -EFAULT; - goto out; - } - - if (nr_user_entries < td_conf->num_cpuid_config) { - ret = -E2BIG; - goto out; - } - ret = init_kvm_tdx_caps(td_conf, caps); if (ret) goto out;
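Review bot: the new early `return -E2BIG;` leaves `user_caps->cpuid.nent` untouched, so userspace that sized its array too small gets no hint of how many entries the kernel needs; unless the remainder of tdx_get_capabilities() (not shown in this hunk) writes the count back, consider a `put_user(td_conf->num_cpuid_config, &user_caps->cpuid.nent)` before returning, matching the usual KVM_GET_*_CPUID convention of reporting the required nent alongside -E2BIG. The reordering itself is sound: `get_user()` and the size check now run before `kzalloc()`, so neither failure path needs the `out:` unwind any more, and `ret` is still needed for the `init_kvm_tdx_caps()` call that follows. As a minor follow-up on the retained context, the `sizeof(*caps) + sizeof(struct kvm_cpuid_entry2) * td_conf->num_cpuid_config` allocation size would read more safely with the `struct_size()` helper, which guards the multiplication against overflow.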