hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

s390/zcrypt: add length check for aligned data to avoid overflow in msg-type 6 

Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
This commit is contained in:
Ingo Tuchscherer 2014-03-18 16:30:21 +01:00 committed by Martin Schwidefsky
parent 01d5f3b598
commit ce1ce2f312
2 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/s390/crypto/zcrypt_api.c
View File

@ -626,8 +626,8 @@ static long zcrypt_send_ep11_cprb(struct ep11_urb *xcrb)
return -ENOMEM; return -ENOMEM;
if (copy_from_user(ep11_dev_list.targets, if (copy_from_user(ep11_dev_list.targets,
(struct ep11_target_dev *)xcrb->targets, (struct ep11_target_dev __force __user *)
xcrb->targets_num * xcrb->targets, xcrb->targets_num *
sizeof(struct ep11_target_dev))) sizeof(struct ep11_target_dev)))
return -EFAULT; return -EFAULT;
} }

18
drivers/s390/crypto/zcrypt_msgtype6.c
View File

@ -315,6 +315,10 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
char *req_data = ap_msg->message + sizeof(struct type6_hdr) + rcblen; char *req_data = ap_msg->message + sizeof(struct type6_hdr) + rcblen;
char *function_code; char *function_code;
if (CEIL4(xcRB->request_control_blk_length) <
xcRB->request_control_blk_length)
return -EINVAL; /* overflow after alignment*/
/* length checks */ /* length checks */
ap_msg->length = sizeof(struct type6_hdr) + ap_msg->length = sizeof(struct type6_hdr) +
CEIL4(xcRB->request_control_blk_length) + CEIL4(xcRB->request_control_blk_length) +
@ -333,6 +337,10 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
return -EINVAL; return -EINVAL;
} }
if (CEIL4(xcRB->reply_control_blk_length) <
xcRB->reply_control_blk_length)
return -EINVAL; /* overflow after alignment*/
replylen = sizeof(struct type86_fmt2_msg) + replylen = sizeof(struct type86_fmt2_msg) +
CEIL4(xcRB->reply_control_blk_length) + CEIL4(xcRB->reply_control_blk_length) +
xcRB->reply_data_length; xcRB->reply_data_length;
@ -415,12 +423,18 @@ static int xcrb_msg_to_type6_ep11cprb_msgx(struct zcrypt_device *zdev,
unsigned int dom_val; /* domain id */ unsigned int dom_val; /* domain id */
} __packed * payload_hdr; } __packed * payload_hdr;
if (CEIL4(xcRB->req_len) < xcRB->req_len)
return -EINVAL; /* overflow after alignment*/
/* length checks */ /* length checks */
ap_msg->length = sizeof(struct type6_hdr) + xcRB->req_len; ap_msg->length = sizeof(struct type6_hdr) + xcRB->req_len;
if (CEIL4(xcRB->req_len) > MSGTYPE06_MAX_MSG_SIZE - if (CEIL4(xcRB->req_len) > MSGTYPE06_MAX_MSG_SIZE -
(sizeof(struct type6_hdr))) (sizeof(struct type6_hdr)))
return -EINVAL; return -EINVAL;
if (CEIL4(xcRB->resp_len) < xcRB->resp_len)
return -EINVAL; /* overflow after alignment*/
if (CEIL4(xcRB->resp_len) > MSGTYPE06_MAX_MSG_SIZE - if (CEIL4(xcRB->resp_len) > MSGTYPE06_MAX_MSG_SIZE -
(sizeof(struct type86_fmt2_msg))) (sizeof(struct type86_fmt2_msg)))
return -EINVAL; return -EINVAL;
@ -432,7 +446,7 @@ static int xcrb_msg_to_type6_ep11cprb_msgx(struct zcrypt_device *zdev,
/* Import CPRB data from the ioctl input parameter */ /* Import CPRB data from the ioctl input parameter */
if (copy_from_user(&(msg->cprbx.cprb_len), if (copy_from_user(&(msg->cprbx.cprb_len),
(char *)xcRB->req, xcRB->req_len)) { (char __force __user *)xcRB->req, xcRB->req_len)) {
return -EFAULT; return -EFAULT;
} }
@ -645,7 +659,7 @@ static int convert_type86_ep11_xcrb(struct zcrypt_device *zdev,
return -EINVAL; return -EINVAL;
/* Copy response CPRB to user */ /* Copy response CPRB to user */
if (copy_to_user((char *)xcRB->resp, if (copy_to_user((char __force __user *)xcRB->resp,
data + msg->fmt2.offset1, msg->fmt2.count1)) data + msg->fmt2.offset1, msg->fmt2.count1))
return -EFAULT; return -EFAULT;
xcRB->resp_len = msg->fmt2.count1; xcRB->resp_len = msg->fmt2.count1;