Re: potential buffer overflows in drivers/s390/crypto/

On 20.06.2018 11:21, Georgi Guninski wrote:
> I don't have s390 arch so can't verify these.
>
> They look like classical buffer overflows, are they really?
>
> In 4.9.109:
>
> ---snippets
> drivers/s390/crypto/zcrypt_cca_key.h
>
> * @mex: pointer to user input data
> * @p: pointer to memory area for the key
>
> memset(key, 0, sizeof(*key));
> 	temp = key->pvtMeSec.exponent +
> 		sizeof(key->pvtMeSec.exponent) - mex->inputdatalength;
> 	if (copy_from_user(temp, mex->b_key, mex->inputdatalength))
> 		return -EFAULT;
>
> ****
>
> drivers/s390/crypto/zcrypt_msgtype6.c
>
> static int ICAMEX_msg_to_type6MEX_msgX(struct zcrypt_device *zdev,
>
> 	msg->length = mex->inputdatalength + 2;
> 	if (copy_from_user(msg->text, mex->inputdata, mex->inputdatalength))
> 		return -EFAULT;
>
>
> ---end snippets
> I don't see any checks on "inputdatalength" and it appears to come
> from userspace.
>
The first function you mention has been removed in the meantime.
However, it looks like the mex->inputdatalength value is in fact not
validated at ICAMEX_msg_to_type6MEX_msgX() before copy_from_user()
is called. I'll check this in detail and fix immediately.

Great finding, thanks, and have a nice day
Harald Freudenberger
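
The missing length check discussed in this thread, as an added user-space C example that is not part of the original e-mails or the kernel source: both copy patterns from the quoted snippets, with `inputdatalength` validated against the destination size before the copy. The struct layouts, the buffer sizes (256 and 128 bytes), `copy_in()` and the `sample_*` helpers are assumptions for illustration; the actual kernel fix is not shown on this page.

```c
#include <errno.h>
#include <string.h>

#define MSG_TEXT_MAX 256u /* assumed capacity; the real size is not on the page */

struct mex_req {                   /* simplified stand-in for the ioctl argument */
    const unsigned char *inputdata;
    unsigned int inputdatalength;  /* caller-controlled, must be treated as untrusted */
};
struct type6_msg { unsigned int length; unsigned char text[MSG_TEXT_MAX]; };

/* User-space stand-in for copy_from_user(): returns 0 on success. */
static int copy_in(void *dst, const void *src, size_t n) { memcpy(dst, src, n); return 0; }

/* Second snippet's pattern: bound the length by the fixed destination first. */
int build_msg_checked(struct type6_msg *msg, const struct mex_req *mex)
{
    if (mex->inputdatalength > sizeof(msg->text))
        return -EINVAL;
    msg->length = mex->inputdatalength + 2;   /* cannot wrap once bounded */
    return copy_in(msg->text, mex->inputdata, mex->inputdatalength) ? -EFAULT : 0;
}

/* First snippet's pattern (right-aligned copy): without the check,
 * field + size - len points before the field whenever len > size. */
int copy_right_aligned_checked(unsigned char *field, size_t size, const struct mex_req *mex)
{
    if (mex->inputdatalength > size)
        return -EINVAL;
    memset(field, 0, size);
    unsigned char *temp = field + size - mex->inputdatalength;
    return copy_in(temp, mex->inputdata, mex->inputdatalength) ? -EFAULT : 0;
}

static unsigned char user_buf[1024];  /* constructed sample "user" data */

int sample_msg(unsigned int claimed_len)
{
    struct mex_req mex = { user_buf, claimed_len };
    struct type6_msg msg;
    return build_msg_checked(&msg, &mex);
}

int sample_aligned(unsigned int claimed_len)
{
    unsigned char exponent[128];      /* assumed field size */
    struct mex_req mex = { user_buf, claimed_len };
    return copy_right_aligned_checked(exponent, sizeof(exponent), &mex);
}

int main(void) { return (sample_msg(64) == 0 && sample_msg(4096) == -EINVAL) ? 0 : 1; }
```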
