Commit ce1ce2f3 authored by Ingo Tuchscherer's avatar Ingo Tuchscherer Committed by Martin Schwidefsky

s390/zcrypt: add length check for aligned data to avoid overflow in msg-type 6

Signed-off-by: default avatarIngo Tuchscherer <ingo.tuchscherer@de.ibm.com>
Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
parent 01d5f3b5
...@@ -626,8 +626,8 @@ static long zcrypt_send_ep11_cprb(struct ep11_urb *xcrb) ...@@ -626,8 +626,8 @@ static long zcrypt_send_ep11_cprb(struct ep11_urb *xcrb)
return -ENOMEM; return -ENOMEM;
if (copy_from_user(ep11_dev_list.targets, if (copy_from_user(ep11_dev_list.targets,
(struct ep11_target_dev *)xcrb->targets, (struct ep11_target_dev __force __user *)
xcrb->targets_num * xcrb->targets, xcrb->targets_num *
sizeof(struct ep11_target_dev))) sizeof(struct ep11_target_dev)))
return -EFAULT; return -EFAULT;
} }
......
...@@ -315,6 +315,10 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev, ...@@ -315,6 +315,10 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
char *req_data = ap_msg->message + sizeof(struct type6_hdr) + rcblen; char *req_data = ap_msg->message + sizeof(struct type6_hdr) + rcblen;
char *function_code; char *function_code;
if (CEIL4(xcRB->request_control_blk_length) <
xcRB->request_control_blk_length)
return -EINVAL; /* overflow after alignment*/
/* length checks */ /* length checks */
ap_msg->length = sizeof(struct type6_hdr) + ap_msg->length = sizeof(struct type6_hdr) +
CEIL4(xcRB->request_control_blk_length) + CEIL4(xcRB->request_control_blk_length) +
...@@ -333,6 +337,10 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev, ...@@ -333,6 +337,10 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
return -EINVAL; return -EINVAL;
} }
if (CEIL4(xcRB->reply_control_blk_length) <
xcRB->reply_control_blk_length)
return -EINVAL; /* overflow after alignment*/
replylen = sizeof(struct type86_fmt2_msg) + replylen = sizeof(struct type86_fmt2_msg) +
CEIL4(xcRB->reply_control_blk_length) + CEIL4(xcRB->reply_control_blk_length) +
xcRB->reply_data_length; xcRB->reply_data_length;
...@@ -415,12 +423,18 @@ static int xcrb_msg_to_type6_ep11cprb_msgx(struct zcrypt_device *zdev, ...@@ -415,12 +423,18 @@ static int xcrb_msg_to_type6_ep11cprb_msgx(struct zcrypt_device *zdev,
unsigned int dom_val; /* domain id */ unsigned int dom_val; /* domain id */
} __packed * payload_hdr; } __packed * payload_hdr;
if (CEIL4(xcRB->req_len) < xcRB->req_len)
return -EINVAL; /* overflow after alignment*/
/* length checks */ /* length checks */
ap_msg->length = sizeof(struct type6_hdr) + xcRB->req_len; ap_msg->length = sizeof(struct type6_hdr) + xcRB->req_len;
if (CEIL4(xcRB->req_len) > MSGTYPE06_MAX_MSG_SIZE - if (CEIL4(xcRB->req_len) > MSGTYPE06_MAX_MSG_SIZE -
(sizeof(struct type6_hdr))) (sizeof(struct type6_hdr)))
return -EINVAL; return -EINVAL;
if (CEIL4(xcRB->resp_len) < xcRB->resp_len)
return -EINVAL; /* overflow after alignment*/
if (CEIL4(xcRB->resp_len) > MSGTYPE06_MAX_MSG_SIZE - if (CEIL4(xcRB->resp_len) > MSGTYPE06_MAX_MSG_SIZE -
(sizeof(struct type86_fmt2_msg))) (sizeof(struct type86_fmt2_msg)))
return -EINVAL; return -EINVAL;
...@@ -432,7 +446,7 @@ static int xcrb_msg_to_type6_ep11cprb_msgx(struct zcrypt_device *zdev, ...@@ -432,7 +446,7 @@ static int xcrb_msg_to_type6_ep11cprb_msgx(struct zcrypt_device *zdev,
/* Import CPRB data from the ioctl input parameter */ /* Import CPRB data from the ioctl input parameter */
if (copy_from_user(&(msg->cprbx.cprb_len), if (copy_from_user(&(msg->cprbx.cprb_len),
(char *)xcRB->req, xcRB->req_len)) { (char __force __user *)xcRB->req, xcRB->req_len)) {
return -EFAULT; return -EFAULT;
} }
...@@ -645,7 +659,7 @@ static int convert_type86_ep11_xcrb(struct zcrypt_device *zdev, ...@@ -645,7 +659,7 @@ static int convert_type86_ep11_xcrb(struct zcrypt_device *zdev,
return -EINVAL; return -EINVAL;
/* Copy response CPRB to user */ /* Copy response CPRB to user */
if (copy_to_user((char *)xcRB->resp, if (copy_to_user((char __force __user *)xcRB->resp,
data + msg->fmt2.offset1, msg->fmt2.count1)) data + msg->fmt2.offset1, msg->fmt2.count1))
return -EFAULT; return -EFAULT;
xcRB->resp_len = msg->fmt2.count1; xcRB->resp_len = msg->fmt2.count1;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment