Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1fee9626 authored by Harald Freudenberger's avatar Harald Freudenberger Committed by Martin Schwidefsky
Browse files

s390/zcrypt: add copy_from_user length plausibility checks 



There have been identified some places in the zcrypt
device driver where copy_from_user() is called but the
length value is not explicitly checked.

So now some plausibility checks and comments have been
introduced there.

Signed-off-by: default avatarHarald Freudenberger <freude@linux.ibm.com>
Acked-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
parent ad82a928

drivers/s390/crypto/zcrypt_cca_key.h

+19 −1
Original line number Diff line number Diff line
@@ -99,7 +99,7 @@ struct cca_pvt_ext_CRT_sec { 
 * @mex: pointer to user input data

 * @p: pointer to memory area for the key

 *

 * Returns the size of the key area or -EFAULT

 * Returns the size of the key area or negative errno value.

 */

static inline int zcrypt_type6_mex_key_en(struct ica_rsa_modexpo *mex, void *p)

{
@@ -118,6 +118,15 @@ static inline int zcrypt_type6_mex_key_en(struct ica_rsa_modexpo *mex, void *p) 
	unsigned char *temp;

	int i;



	/*

	 * The inputdatalength was a selection criteria in the dispatching

	 * function zcrypt_rsa_modexpo(). However, do a plausibility check

	 * here to make sure the following copy_from_user() can't be utilized

	 * to compromise the system.

	 */

	if (WARN_ON_ONCE(mex->inputdatalength > 512))

		return -EINVAL;



	memset(key, 0, sizeof(*key));



	key->pubHdr = static_pub_hdr;
@@ -178,6 +187,15 @@ static inline int zcrypt_type6_crt_key(struct ica_rsa_modexpo_crt *crt, void *p) 
	struct cca_public_sec *pub;

	int short_len, long_len, pad_len, key_len, size;



	/*

	 * The inputdatalength was a selection criteria in the dispatching

	 * function zcrypt_rsa_crt(). However, do a plausibility check

	 * here to make sure the following copy_from_user() can't be utilized

	 * to compromise the system.

	 */

	if (WARN_ON_ONCE(crt->inputdatalength > 512))

		return -EINVAL;



	memset(key, 0, sizeof(*key));



	short_len = (crt->inputdatalength + 1) / 2;

drivers/s390/crypto/zcrypt_msgtype6.c

+18 −2
Original line number Diff line number Diff line
@@ -246,7 +246,7 @@ int speed_idx_ep11(int req_type) 
 * @ap_msg: pointer to AP message

 * @mex: pointer to user input data

 *

 * Returns 0 on success or -EFAULT.

 * Returns 0 on success or negative errno value.

 */

static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_queue *zq,

				       struct ap_message *ap_msg,
@@ -272,6 +272,14 @@ static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_queue *zq, 
	} __packed * msg = ap_msg->message;

	int size;



	/*

	 * The inputdatalength was a selection criteria in the dispatching

	 * function zcrypt_rsa_modexpo(). However, make sure the following

	 * copy_from_user() never exceeds the allocated buffer space.

	 */

	if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))

		return -EINVAL;



	/* VUD.ciphertext */

	msg->length = mex->inputdatalength + 2;

	if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
@@ -307,7 +315,7 @@ static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_queue *zq, 
 * @ap_msg: pointer to AP message

 * @crt: pointer to user input data

 *

 * Returns 0 on success or -EFAULT.

 * Returns 0 on success or negative errno value.

 */

static int ICACRT_msg_to_type6CRT_msgX(struct zcrypt_queue *zq,

				       struct ap_message *ap_msg,
@@ -334,6 +342,14 @@ static int ICACRT_msg_to_type6CRT_msgX(struct zcrypt_queue *zq, 
	} __packed * msg = ap_msg->message;

	int size;



	/*

	 * The inputdatalength was a selection criteria in the dispatching

	 * function zcrypt_rsa_crt(). However, make sure the following

	 * copy_from_user() never exceeds the allocated buffer space.

	 */

	if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))

		return -EINVAL;



	/* VUD.ciphertext */

	msg->length = crt->inputdatalength + 2;

	if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))