Linux Kernel TDX Guest Quote Buffer Length Validation Vulnerability

Vulnerability

A vulnerability in the Linux kernel's TDX guest handling has been addressed. The kernel did not properly validate the host-controlled length of the 'quote' buffer, which could lead to unintended data exposure. In TDX environments with remote attestation, quotes can be forwarded to an attestation server and are not considered private. The vulnerability allowed contents beyond the pages allocated for the quote buffer to be read into guest userspace, potentially leaking information across container boundaries. The fix validates the length of the response before it is passed to the guest, so that only the allocated bytes are copied and no data outside the buffer can be read.

Impact

The vulnerability could have allowed unauthorized data leakage from the host to the guest, bypassing container isolation and potentially exposing sensitive information in attestation requests.

Reproduction

The vulnerability can be reproduced in a TDX environment with remote attestation enabled. It is triggered when the host specifies a response length for the quote buffer that exceeds the guest's allocation, or when a race condition alters the response while the guest is still processing it. Either case can result in data beyond the allocated buffer pages being read into guest userspace.
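The two conditions above (a host-claimed length larger than the guest allocation, and the host changing the length while the guest is using it) both come down to how the guest reads and checks a length field that lives in memory the host can write. The following is an added illustration, not the kernel's own code: the buffer layout, the header size and the 64-byte allocation are assumptions for the model, and the hardened copy routine reads the host-writable length once and bounds it against the guest's allocation before copying.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a host-shared quote buffer (an assumption, not the
 * kernel's own layout): a header the host fills in, then the quote bytes. */
struct quote_buf {
    uint64_t status;
    uint32_t in_len;
    uint32_t out_len;   /* host-controlled: claimed length of the response */
    uint8_t  data[48];  /* modelled capacity: 64-byte allocation minus header */
};

/* Copy the response out of the shared buffer into guest-private memory.
 * buf_size is what the guest allocated for header + data; dst_size is the
 * capacity of dst. Returns bytes copied, or a negative errno value. */
long copy_quote_checked(const struct quote_buf *shared, size_t buf_size,
                        uint8_t *dst, size_t dst_size)
{
    size_t hdr = offsetof(struct quote_buf, data);
    /* Read the host-writable length exactly once: re-reading it after the
     * check would let a concurrent host write change the value that is
     * actually used, which is the race the advisory describes. */
    uint32_t out_len = *(volatile const uint32_t *)&shared->out_len;

    if (buf_size < hdr)
        return -EINVAL;
    /* The missing check: the claimed length must fit inside the pages the
     * guest allocated, independent of how large the destination is. */
    if (out_len > buf_size - hdr)
        return -EIO;
    if (out_len > dst_size)
        return -ENOSPC;

    memcpy(dst, shared->data, out_len);
    return (long)out_len;
}

/* Constructed scenario: a 64-byte allocation (16-byte header, 48 data
 * bytes) with the host claiming claimed_len bytes of response. */
long demo_case(uint32_t claimed_len)
{
    struct quote_buf q = {0};
    uint8_t dst[48];

    q.out_len = claimed_len;
    return copy_quote_checked(&q, sizeof(q), dst, sizeof(dst));
}
```

A claimed length of 48 or less is copied; anything larger is rejected with -EIO instead of being read from memory past the allocation.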

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available in the Linux kernel documentation.

Added: Apr 22, 2026, 3:28 PM
Updated: Apr 22, 2026, 3:28 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 6.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.