s390/zcrypt: add copy_from_user length plausibility checks

There have been identified some places in the zcrypt
device driver where copy_from_user() is called but the
length value is not explicitly checked.

So now some plausibility checks and comments have been
introduced there.

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
This commit is contained in:
Harald Freudenberger 2018-06-27 09:50:43 +02:00 committed by Martin Schwidefsky
parent ad82a928eb
commit 1fee96264a
2 changed files with 37 additions and 3 deletions

View File

@ -99,7 +99,7 @@ struct cca_pvt_ext_CRT_sec {
* @mex: pointer to user input data * @mex: pointer to user input data
* @p: pointer to memory area for the key * @p: pointer to memory area for the key
* *
* Returns the size of the key area or -EFAULT * Returns the size of the key area or negative errno value.
*/ */
static inline int zcrypt_type6_mex_key_en(struct ica_rsa_modexpo *mex, void *p) static inline int zcrypt_type6_mex_key_en(struct ica_rsa_modexpo *mex, void *p)
{ {
@ -118,6 +118,15 @@ static inline int zcrypt_type6_mex_key_en(struct ica_rsa_modexpo *mex, void *p)
unsigned char *temp; unsigned char *temp;
int i; int i;
/*
* The inputdatalength was a selection criteria in the dispatching
* function zcrypt_rsa_modexpo(). However, do a plausibility check
* here to make sure the following copy_from_user() can't be utilized
* to compromise the system.
*/
if (WARN_ON_ONCE(mex->inputdatalength > 512))
return -EINVAL;
memset(key, 0, sizeof(*key)); memset(key, 0, sizeof(*key));
key->pubHdr = static_pub_hdr; key->pubHdr = static_pub_hdr;
@ -178,6 +187,15 @@ static inline int zcrypt_type6_crt_key(struct ica_rsa_modexpo_crt *crt, void *p)
struct cca_public_sec *pub; struct cca_public_sec *pub;
int short_len, long_len, pad_len, key_len, size; int short_len, long_len, pad_len, key_len, size;
/*
* The inputdatalength was a selection criteria in the dispatching
* function zcrypt_rsa_crt(). However, do a plausibility check
* here to make sure the following copy_from_user() can't be utilized
* to compromise the system.
*/
if (WARN_ON_ONCE(crt->inputdatalength > 512))
return -EINVAL;
memset(key, 0, sizeof(*key)); memset(key, 0, sizeof(*key));
short_len = (crt->inputdatalength + 1) / 2; short_len = (crt->inputdatalength + 1) / 2;

View File

@ -246,7 +246,7 @@ int speed_idx_ep11(int req_type)
* @ap_msg: pointer to AP message * @ap_msg: pointer to AP message
* @mex: pointer to user input data * @mex: pointer to user input data
* *
* Returns 0 on success or -EFAULT. * Returns 0 on success or negative errno value.
*/ */
static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_queue *zq, static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_queue *zq,
struct ap_message *ap_msg, struct ap_message *ap_msg,
@ -272,6 +272,14 @@ static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_queue *zq,
} __packed * msg = ap_msg->message; } __packed * msg = ap_msg->message;
int size; int size;
/*
* The inputdatalength was a selection criteria in the dispatching
* function zcrypt_rsa_modexpo(). However, make sure the following
* copy_from_user() never exceeds the allocated buffer space.
*/
if (WARN_ON_ONCE(mex->inputdatalength > PAGE_SIZE))
return -EINVAL;
/* VUD.ciphertext */ /* VUD.ciphertext */
msg->length = mex->inputdatalength + 2; msg->length = mex->inputdatalength + 2;
if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength)) if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
@ -307,7 +315,7 @@ static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_queue *zq,
* @ap_msg: pointer to AP message * @ap_msg: pointer to AP message
* @crt: pointer to user input data * @crt: pointer to user input data
* *
* Returns 0 on success or -EFAULT. * Returns 0 on success or negative errno value.
*/ */
static int ICACRT_msg_to_type6CRT_msgX(struct zcrypt_queue *zq, static int ICACRT_msg_to_type6CRT_msgX(struct zcrypt_queue *zq,
struct ap_message *ap_msg, struct ap_message *ap_msg,
@ -334,6 +342,14 @@ static int ICACRT_msg_to_type6CRT_msgX(struct zcrypt_queue *zq,
} __packed * msg = ap_msg->message; } __packed * msg = ap_msg->message;
int size; int size;
/*
* The inputdatalength was a selection criteria in the dispatching
* function zcrypt_rsa_crt(). However, make sure the following
* copy_from_user() never exceeds the allocated buffer space.
*/
if (WARN_ON_ONCE(crt->inputdatalength > PAGE_SIZE))
return -EINVAL;
/* VUD.ciphertext */ /* VUD.ciphertext */
msg->length = crt->inputdatalength + 2; msg->length = crt->inputdatalength + 2;
if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength)) if (copy_from_user(msg->text, crt->inputdata, crt->inputdatalength))