I don't have s390 arch so can't verify these.

They look like classical buffer overflows, are they really?

In 4.9.109:

---snippets
drivers/s390/crypto/zcrypt_cca_key.h

 * @mex: pointer to user input data
 * @p: pointer to memory area for the key

	memset(key, 0, sizeof(*key));

	temp = key->pvtMeSec.exponent +
		sizeof(key->pvtMeSec.exponent) - mex->inputdatalength;
	if (copy_from_user(temp, mex->b_key, mex->inputdatalength))
		return -EFAULT;

****
drivers/s390/crypto/zcrypt_msgtype6.c

static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_device *zdev,

	msg->length = mex->inputdatalength + 2;
	if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
		return -EFAULT;
---end snippets

I don't see any checks on "inputdatalength" and it appears to come from userspace.

-- 
blog: https://j.ludost.net/blog
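Added example, not part of the original message and not kernel code: a userspace C model of the right-aligned copy in the first snippet, showing where the destination pointer lands for a given length and the kind of length check the message is looking for. The 128-byte field size, the struct layout and the names key_model, right_aligned_offset, place_exponent and run_case are assumptions; memcpy() stands in for copy_from_user().

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define EXP_FIELD_LEN 128 /* assumed field size; the post does not show the real one */
/* Hypothetical stand-in for the key block: header bytes sit right before the field */
struct key_model {
    uint8_t header[16];
    uint8_t exponent[EXP_FIELD_LEN];
};

/* Start of a right-aligned len-byte copy relative to exponent[0]; negative = before the field */
long right_aligned_offset(size_t len)
{
    return (long)EXP_FIELD_LEN - (long)len;
}

/* Same placement as the first snippet, with the length validated first.
 * memcpy() stands in for copy_from_user(); rejecting len == 0 is an assumption. */
int place_exponent(struct key_model *key, const uint8_t *src, size_t len)
{
    if (len == 0 || len > sizeof(key->exponent))
        return -EINVAL;
    memset(key, 0, sizeof(*key));
    memcpy(key->exponent + sizeof(key->exponent) - len, src, len);
    return 0;
}

/* Feeds one constructed input through place_exponent(). Returns its status,
 * or 1 if an accepted copy changed bytes outside the exponent field. */
int run_case(size_t len)
{
    static uint8_t src[4 * EXP_FIELD_LEN];
    struct key_model key;
    memset(src, 0xAB, sizeof(src));
    int rc = place_exponent(&key, src, len);
    if (rc)
        return rc;
    for (size_t i = 0; i < sizeof(key.header); i++)
        if (key.header[i] != 0)
            return 1;
    return 0;
}

int main(void)
{
    /* constructed lengths: fits, exact fit, one byte too long */
    return run_case(64) || run_case(128) || run_case(129) != -EINVAL;
}
```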