Memory safety

MEDIUM
torvalds/linux
Commit: f185e05dce6f
Affected: v7.0-rc6 and earlier (mainline prior to this patch)
2026-05-30 10:43 UTC

Description

The commit adds a guard in arch/x86/kvm/svm/sev.c: setup_vmgexit_scratch that calls WARN_ON_ONCE when min_len is zero and jumps to the error path. This prevents configuring the VMGEXIT scratch area with a zero-length requirement. Previously, a zero min_len could lead to subsequent memory handling with an invalid scratch region, a potential memory-safety regression if later code in that path assumed a non-zero length. The patch ensures the scratch area is only set up with a non-zero length and surfaces a warning rather than proceeding with a potentially unsafe setup. This is a defensive fix against future bugs and misconfiguration in KVM SEV scratch handling.

Commit Details

Author: Sean Christopherson

Date: 2026-05-01 20:22 UTC

Message:

KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0

Now that all paths in KVM properly validate the length needed for the scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM attempts to configure the scratch area with min_len==0 to guard against future bugs.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-8-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Triage Assessment

Vulnerability Type: Memory safety

Confidence: MEDIUM

Reasoning:

The commit introduces a guard (WARN_ON_ONCE) against configuring a scratch area with min_len == 0 in KVM SEV, preventing a misconfiguration that could lead to unsafe memory handling. While the commit does not show a concrete exploit path, it enforces a non-zero length prerequisite and guards against future bugs that could have memory-safety implications.

Verification Assessment

Vulnerability Type: Memory safety

Confidence: MEDIUM

Affected Versions: v7.0-rc6 and earlier (mainline prior to this patch)

Code Diff

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 6072fecfe994bb..a3e85348ace995 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3669,6 +3669,9 @@ static int setup_vmgexit_scratch(struct vcpu_svm *svm, bool sync, u64 min_len) u64 scratch_gpa_beg, scratch_gpa_end; void *scratch_va; + if (WARN_ON_ONCE(!min_len)) + goto e_scratch; + scratch_gpa_beg = svm->sev_es.sw_scratch; if (!scratch_gpa_beg) { pr_err("vmgexit: scratch gpa not provided\n");
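Review bot: the new check sits before svm->sev_es.sw_scratch is read, so a zero min_len is rejected before any guest-supplied scratch GPA is consulted, which is the right ordering; what the hunk does not show is what the e_scratch label returns, and the guard only helps if that path reports failure to the caller rather than leaving scratch_va unset on a success return, so confirm that when applying. Note also that WARN_ON_ONCE logs only the first occurrence, so repeated hits are silent; that matches the stated intent of catching KVM bugs, meaning the early return, not the warning, is what actually protects the scratch handling.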