On 20.06.2018 11:21, Georgi Guninski wrote: > I don't have s390 arch so can't verify these. > > They look like classical buffer overflows, are they really? > > In 4.9.109: > > ---snippets > drivers/s390/crypto/zcrypt_cca_key.h > > * @mex: pointer to user input data > * @p: pointer to memory area for the key > > memset(key, 0, sizeof(*key)); > temp = key->pvtMeSec.exponent + > sizeof(key->pvtMeSec.exponent) - mex->inputdatalength; > if (copy_from_user(temp, mex->b_key, mex->inputdatalength)) > return -EFAULT; > > **** > > drivers/s390/crypto/zcrypt_msgtype6.c > > static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_device *zdev, > > msg->length = mex->inputdatalength + 2; > if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength)) > return -EFAULT; > > > ---end snippets > I don't see any checks on "inputdatalength" and it appears to come > from userspace. > The first function you mention has been removed in the meantime. However, it looks like the mex->inputdatalength value is in fact not validated at ICAMEX_msg_to_type6MEX_msgX() before copy_from_user() is called. I'll check this in detail and fix immediately. Great finding, Thanks and have a nice day Harald Freudenberger -- To unsubscribe from this list: send the line "unsubscribe linux-s390" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
