diff options
author | Harald Freudenberger <freude@linux.ibm.com> | 2021-04-20 09:23:12 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-05-22 11:59:19 +0300 |
commit | 5bceddd8e48ecdba2362418c84644ff933b2fad0 (patch) | |
tree | e465fef26564c1a35c3933c14666ad1be5494f37 /arch/s390 | |
parent | b3d6fe4fe33d4a05bcef6294e52c315e8a4fb945 (diff) | |
download | linux-5bceddd8e48ecdba2362418c84644ff933b2fad0.tar.xz |
s390/archrandom: add parameter check for s390_arch_random_generate
[ Upstream commit 28096067686c5a5cbd4c35b079749bd805df5010 ]
A review of the code showed, that this function which is exposed
within the whole kernel should do a parameter check for the
amount of bytes requested. If this requested bytes is too high
an unsigned int overflow could happen causing this function to
try to memcpy a really big memory chunk.
This is not a security issue as there are only two invocations
of this function from arch/s390/include/asm/archrandom.h and both
are not exposed to userland.
Reported-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'arch/s390')
-rw-r--r-- | arch/s390/crypto/arch_random.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/arch/s390/crypto/arch_random.c b/arch/s390/crypto/arch_random.c index dd95cdbd22ce..4cbb4b6d85a8 100644 --- a/arch/s390/crypto/arch_random.c +++ b/arch/s390/crypto/arch_random.c @@ -53,6 +53,10 @@ static DECLARE_DELAYED_WORK(arch_rng_work, arch_rng_refill_buffer); bool s390_arch_random_generate(u8 *buf, unsigned int nbytes) { + /* max hunk is ARCH_RNG_BUF_SIZE */ + if (nbytes > ARCH_RNG_BUF_SIZE) + return false; + /* lock rng buffer */ if (!spin_trylock(&arch_rng_lock)) return false; |