summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHolger Dengler <dengler@linux.ibm.com>2026-06-15 18:39:12 +0300
committerAlexander Gordeev <agordeev@linux.ibm.com>2026-06-19 15:51:08 +0300
commitb3d4ab2d7df9426f7f1d3671d7e2108f2ca6e970 (patch)
tree4fb98ecb9fb54ba7542298d7aa7b6ee7f6a87d20
parent69388468721151e15d34657a2e4a654741f32f1b (diff)
downloadlinux-b3d4ab2d7df9426f7f1d3671d7e2108f2ca6e970.tar.xz
s390/pkey: Check length in PKEY_VERIFYPROTK ioctl
Explicitly check the buffer length request structure provided by user-space and fail, if it exceeds the buffer size. Cc: stable@vger.kernel.org Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules") Reported-by: Christian Borntraeger <borntraeger@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com> Signed-off-by: Holger Dengler <dengler@linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
-rw-r--r--drivers/s390/crypto/pkey_api.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index d6b595eb3370..28e1007005f2 100644
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -334,6 +334,13 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
if (copy_from_user(&kvp, uvp, sizeof(kvp)))
return -EFAULT;
+ if (kvp.protkey.len > sizeof(kvp.protkey.protkey)) {
+ PKEY_DBF_ERR("%s protkey length %u exceeds protkey buffer size\n",
+ __func__, kvp.protkey.len);
+ memzero_explicit(&kvp, sizeof(kvp));
+ return -EINVAL;
+ }
+
keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
if (!keytype) {
PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",