)]}' { "commit": "c3fd16c3b98ed726294feab2f94f876290bf7b61", "tree": "ffce4288b4b81f5897225392209f85d17ec54917", "parents": [ "f338e77383789c0cae23ca3d48adcc5e9e137e3c" ], "author": { "name": "Zubin Mithra", "email": "zsm@google.com", "time": "Wed Mar 18 13:40:13 2026 +0000" }, "committer": { "name": "Dan Williams", "email": "dan.j.williams@intel.com", "time": "Fri Mar 20 21:05:50 2026 -0700" }, "message": "virt: tdx-guest: Fix handling of host controlled \u0027quote\u0027 buffer length\n\nValidate host controlled value `quote_buf-\u003eout_len` that determines how\nmany bytes of the quote are copied out to guest userspace. In TDX\nenvironments with remote attestation, quotes are not considered private,\nand can be forwarded to an attestation server.\n\nCatch scenarios where the host specifies a response length larger than\nthe guest\u0027s allocation, or otherwise races modifying the response while\nthe guest consumes it.\n\nThis prevents contents beyond the pages allocated for `quote_buf`\n(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace,\nand possibly forwarded in attestation requests.\n\nRecall that some deployments want per-container configs-tsm-report\ninterfaces, so the leak may cross container protection boundaries, not\njust local root.\n\nFixes: f4738f56d1dc (\"virt: tdx-guest: Add Quote generation support using TSM_REPORTS\")\nCc: stable@vger.kernel.org\nSigned-off-by: Zubin Mithra \u003czsm@google.com\u003e\nReviewed-by: Dan Williams \u003cdan.j.williams@intel.com\u003e\nReviewed-by: Kiryl Shutsemau (Meta) \u003ckas@kernel.org\u003e\nReviewed-by: Kuppuswamy Sathyanarayanan \u003csathyanarayanan.kuppuswamy@linux.intel.com\u003e\nSigned-off-by: Dan Williams \u003cdan.j.williams@intel.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "4252b147593ad65a90fbd960f51867df2dbef1d6", "old_mode": 33188, "old_path": "drivers/virt/coco/tdx-guest/tdx-guest.c", "new_id": "7cee97559ba292134536fed508a752d406442ad8", "new_mode": 33188, "new_path": "drivers/virt/coco/tdx-guest/tdx-guest.c" } ] }