On 09.12.20 07:47, Xiaohui Zhang wrote:
> From: Zhang Xiaohui <ruc_zhangxiaohui@xxxxxxx>
>
> pkey_protkey_aes_attr_read() calls memcpy() without checking the
> destination size, which may trigger a buffer overflow.

To me it looks like protkey.len is generated programmatically in
pkey_genprotkey/pkey_clr2protkey and this purely depends on the keytype
and we do check for known ones. Not sure how this can happen.

>
> Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@xxxxxxx>
> ---
>  drivers/s390/crypto/pkey_api.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
> index 99cb60ea6..abc237130 100644
> --- a/drivers/s390/crypto/pkey_api.c
> +++ b/drivers/s390/crypto/pkey_api.c
> @@ -1589,6 +1589,8 @@ static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
>  	if (rc)
>  		return rc;
>
> +	if (protkey.len > MAXPROTKEYSIZE)
> +		protkey.len = MAXPROTKEYSIZE;
>  	protkeytoken.len = protkey.len;
>  	memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
>
> @@ -1599,6 +1601,8 @@ static ssize_t pkey_protkey_aes_attr_read(u32 keytype, bool is_xts, char *buf,
>  	if (rc)
>  		return rc;
>
> +	if (protkey.len > MAXPROTKEYSIZE)
> +		protkey.len = MAXPROTKEYSIZE;
>  	protkeytoken.len = protkey.len;
>  	memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len);
>
>
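Review bot: the clamp added before the first memcpy() in the @@ -1589 hunk silently truncates protkey.len instead of rejecting the oversized value, so a protected key longer than MAXPROTKEYSIZE would be copied in cut-off form and protkeytoken.len would then report that truncated length as if the token were valid. If this path is reachable at all, failing loudly is the safer change, e.g. `if (protkey.len > MAXPROTKEYSIZE) return -EINVAL;` (a WARN_ON before the return would also make sense, since the reply points out the length is derived from an already validated keytype), and the commit message should state how protkey.len can exceed MAXPROTKEYSIZE given that pkey_genprotkey/pkey_clr2protkey set it from the keytype.

Review bot: the @@ -1599 hunk repeats the identical two-line clamp before the second memcpy(), so the bound on protkey.len is now enforced at two call sites rather than once. If a check is warranted, it belongs where protkey.len is produced (pkey_genprotkey/pkey_clr2protkey, which the reply names as the source of the length) or in a single helper both branches call, so that any further caller of memcpy(&protkeytoken.protkey, &protkey.protkey, protkey.len) cannot quietly miss it.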