Guest buffer is not cleaned in case of malformed guest request #220

Open
deodat-pere opened this issue Jul 15, 2024 · 1 comment
Comments

@deodat-pere

Hi,

It appears that if a guest makes a request that ends up failing, for example if the request is malformed, then the guest buffer is not cleaned properly. This ends up causing an RMP fault at the next request that is sent, causing the VM to crash.

I was sending purposefully malformed requests from a guest, and noticed that it crashed the guest. After some investigation, I noticed this function, on the snp-host-latest branch, in file arch/x86/kvm/svm/sev.c:

static int __snp_handle_guest_req(struct kvm *kvm, gpa_t req_gpa, gpa_t resp_gpa,
				  sev_ret_code *fw_err)
{
	struct sev_data_snp_guest_request data = {0};
	int ret;

	if (!sev_snp_guest(kvm))
		return -EINVAL;

	/* Prepares the guest request/response pages for the firmware. */
	ret = snp_setup_guest_buf(kvm, &data, req_gpa, resp_gpa);
	if (ret)
		return ret;

	ret = sev_issue_cmd(kvm, SEV_CMD_SNP_GUEST_REQUEST, &data, fw_err);
	if (ret)
		return ret;	/* returns before the cleanup below runs */

	/* Only reached when the firmware command succeeded. */
	ret = snp_cleanup_guest_buf(&data);
	if (ret)
		return ret;

	return 0;
}

Especially these lines

ret = sev_issue_cmd(kvm, SEV_CMD_SNP_GUEST_REQUEST, &data, fw_err);
if (ret)
	return ret;

So if the request fails, the function returns right away, without calling snp_cleanup_guest_buf.

I tried modifying this function to always call snp_cleanup_guest_buf and it fixed the crashing issue.
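The following is an added, stand-alone C model of the two request paths described in this issue; it is not code from the Linux kernel or from this repository. The `stub_*` helpers, the `guest_buf_model` ownership flags, and the "firmware-owned page makes the next setup fail" rule are constructed stand-ins for `snp_setup_guest_buf`, `sev_issue_cmd`, `snp_cleanup_guest_buf` and the RMP. The model contrasts the early-return pattern quoted above with the "always clean up" variant the reporter tried, and shows that only the former makes the second request fail after a rejected first one.

```c
/* Added example (not kernel code): model of __snp_handle_guest_req's error path. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

typedef int sev_ret_code;	/* stand-in for the kernel's sev_ret_code enum */

/* Constructed model of the guest request/response pages. In the model a
 * page is either hypervisor-owned (0) or firmware-owned (1); the real
 * hypervisor tracks this through the RMP. */
struct guest_buf_model {
	int req_fw_owned;
	int resp_fw_owned;
};

static struct guest_buf_model g_buf;	/* stub for the RMP state of the two pages */
static int g_fw_reject_next;		/* stub: firmware rejects the next command */

/* Stub for snp_setup_guest_buf(): hands the pages to the firmware. Fails with
 * -EFAULT if a page is still firmware-owned from an earlier request, which
 * stands in for the RMP fault the reporter observed on the next request. */
static int stub_setup_guest_buf(struct guest_buf_model *b)
{
	if (b->req_fw_owned || b->resp_fw_owned)
		return -EFAULT;
	b->req_fw_owned = 1;
	b->resp_fw_owned = 1;
	return 0;
}

/* Stub for sev_issue_cmd(): a malformed request is reported as -EIO with a
 * placeholder nonzero firmware status. */
static int stub_issue_cmd(sev_ret_code *fw_err)
{
	if (g_fw_reject_next) {
		g_fw_reject_next = 0;
		*fw_err = 1;	/* placeholder nonzero firmware status */
		return -EIO;
	}
	*fw_err = 0;
	return 0;
}

/* Stub for snp_cleanup_guest_buf(): returns the pages to the hypervisor. */
static int stub_cleanup_guest_buf(struct guest_buf_model *b)
{
	b->req_fw_owned = 0;
	b->resp_fw_owned = 0;
	return 0;
}

/* Same control flow as the snp-host-latest code quoted in the issue:
 * a failed command returns before the cleanup step. */
static int handle_req_leaky(sev_ret_code *fw_err)
{
	int ret = stub_setup_guest_buf(&g_buf);
	if (ret)
		return ret;
	ret = stub_issue_cmd(fw_err);
	if (ret)
		return ret;	/* pages remain firmware-owned */
	return stub_cleanup_guest_buf(&g_buf);
}

/* The reporter's modification: always clean up, report the command's
 * error first and the cleanup error only if the command succeeded. */
static int handle_req_fixed(sev_ret_code *fw_err)
{
	int ret, cleanup_ret;

	ret = stub_setup_guest_buf(&g_buf);
	if (ret)
		return ret;
	ret = stub_issue_cmd(fw_err);
	cleanup_ret = stub_cleanup_guest_buf(&g_buf);
	if (ret)
		return ret;
	return cleanup_ret;
}

/* Send one malformed request, then one well-formed request, starting from
 * clean state; store both return codes in out[0] and out[1]. */
static void run_two_requests(int (*handler)(sev_ret_code *), int out[2])
{
	sev_ret_code fw_err;

	memset(&g_buf, 0, sizeof(g_buf));
	g_fw_reject_next = 1;
	out[0] = handler(&fw_err);	/* rejected by the firmware */
	g_fw_reject_next = 0;
	out[1] = handler(&fw_err);	/* well-formed follow-up request */
}

static int first_result(int (*handler)(sev_ret_code *))
{
	int r[2];
	run_two_requests(handler, r);
	return r[0];
}

static int second_result(int (*handler)(sev_ret_code *))
{
	int r[2];
	run_two_requests(handler, r);
	return r[1];
}

int main(void)
{
	printf("leaky: first %d, second %d\n",
	       first_result(handle_req_leaky), second_result(handle_req_leaky));
	printf("fixed: first %d, second %d\n",
	       first_result(handle_req_fixed), second_result(handle_req_fixed));
	return 0;
}
```

Both variants return -EIO for the malformed request; the difference is the follow-up request, which fails with -EFAULT in the model's leaky path because the pages were never handed back, and succeeds once cleanup runs on every exit from the function.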

@mdroth
Collaborator

mdroth commented Jul 15, 2024

Thank you for the report. This is a known issue and should be addressed in the latest upstream-posted version of the patches here: https://lore.kernel.org/all/[email protected]/

We will be updating the snp-host-latest branch soon and will have those changes included.
