diff options
| author | Harald Freudenberger <freude@linux.ibm.com> | 2018-06-27 09:50:43 +0200 |
|---|---|---|
| committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2018-07-02 11:24:55 +0200 |
| commit | 1fee96264a718fc5a2a94a09d5c7e2915a1c76b2 (patch) | |
| tree | 7a489dfd2bb1be1eb443b239410eb901689eca58 /drivers/s390/crypto/zcrypt_cca_key.h | |
| parent | ad82a928eb58471adb2dec2001f5fbe57e5ee4b5 (diff) | |
| download | linux-1fee96264a718fc5a2a94a09d5c7e2915a1c76b2.tar.bz2 | |
s390/zcrypt: add copy_from_user length plausibility checks
There have been identified some places in the zcrypt
device driver where copy_from_user() is called but the
length value is not explicitly checked.
So now some plausibility checks and comments have been
introduced there.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390/crypto/zcrypt_cca_key.h')
| -rw-r--r-- | drivers/s390/crypto/zcrypt_cca_key.h | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/drivers/s390/crypto/zcrypt_cca_key.h b/drivers/s390/crypto/zcrypt_cca_key.h index 011d61d8a4ae..1752622b95f7 100644 --- a/drivers/s390/crypto/zcrypt_cca_key.h +++ b/drivers/s390/crypto/zcrypt_cca_key.h @@ -99,7 +99,7 @@ struct cca_pvt_ext_CRT_sec { * @mex: pointer to user input data * @p: pointer to memory area for the key * - * Returns the size of the key area or -EFAULT + * Returns the size of the key area or negative errno value. */ static inline int zcrypt_type6_mex_key_en(struct ica_rsa_modexpo *mex, void *p) { @@ -118,6 +118,15 @@ static inline int zcrypt_type6_mex_key_en(struct ica_rsa_modexpo *mex, void *p) unsigned char *temp; int i; + /* + * The inputdatalength was a selection criteria in the dispatching + * function zcrypt_rsa_modexpo(). However, do a plausibility check + * here to make sure the following copy_from_user() can't be utilized + * to compromise the system. + */ + if (WARN_ON_ONCE(mex->inputdatalength > 512)) + return -EINVAL; + memset(key, 0, sizeof(*key)); key->pubHdr = static_pub_hdr; @@ -178,6 +187,15 @@ static inline int zcrypt_type6_crt_key(struct ica_rsa_modexpo_crt *crt, void *p) struct cca_public_sec *pub; int short_len, long_len, pad_len, key_len, size; + /* + * The inputdatalength was a selection criteria in the dispatching + * function zcrypt_rsa_crt(). However, do a plausibility check + * here to make sure the following copy_from_user() can't be utilized + * to compromise the system. + */ + if (WARN_ON_ONCE(crt->inputdatalength > 512)) + return -EINVAL; + memset(key, 0, sizeof(*key)); short_len = (crt->inputdatalength + 1) / 2; |