Commit 5bceddd8 authored Apr 20, 2021 by Harald Freudenberger Committed by Greg Kroah-Hartman May 22, 2021

s390/archrandom: add parameter check for s390_arch_random_generate



[ Upstream commit 28096067686c5a5cbd4c35b079749bd805df5010 ]

A review of the code showed, that this function which is exposed
within the whole kernel should do a parameter check for the
amount of bytes requested. If this requested bytes is too high
an unsigned int overflow could happen causing this function to
try to memcpy a really big memory chunk.

This is not a security issue as there are only two invocations
of this function from arch/s390/include/asm/archrandom.h and both
are not exposed to userland.

Reported-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent b3d6fe4f

arch/s390/crypto/arch_random.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -53,6 +53,10 @@ static DECLARE_DELAYED_WORK(arch_rng_work, arch_rng_refill_buffer);

		bool s390_arch_random_generate(u8 *buf, unsigned int nbytes)
		{
		/* max hunk is ARCH_RNG_BUF_SIZE */
		if (nbytes > ARCH_RNG_BUF_SIZE)
		return false;

		/* lock rng buffer */
		if (!spin_trylock(&arch_rng_lock))
		return false;