summaryrefslogtreecommitdiff
path: root/arch/s390
diff options
context:
space:
mode:
authorHarald Freudenberger <freude@linux.ibm.com>2021-04-20 09:23:12 +0300
committerHeiko Carstens <hca@linux.ibm.com>2021-04-21 13:32:12 +0300
commit28096067686c5a5cbd4c35b079749bd805df5010 (patch)
tree3ad7f13a743e387d6fa2162947a42bc01b484d8a /arch/s390
parent70fac8088cfad9f3b379c9082832b4d7532c16c2 (diff)
downloadlinux-28096067686c5a5cbd4c35b079749bd805df5010.tar.xz
s390/archrandom: add parameter check for s390_arch_random_generate
A review of the code showed, that this function which is exposed within the whole kernel should do a parameter check for the amount of bytes requested. If this requested bytes is too high an unsigned int overflow could happen causing this function to try to memcpy a really big memory chunk. This is not a security issue as there are only two invocations of this function from arch/s390/include/asm/archrandom.h and both are not exposed to userland. Reported-by: Sven Schnelle <svens@linux.ibm.com> Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Diffstat (limited to 'arch/s390')
-rw-r--r--arch/s390/crypto/arch_random.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/arch/s390/crypto/arch_random.c b/arch/s390/crypto/arch_random.c
index 7b947728d57e..56007c763902 100644
--- a/arch/s390/crypto/arch_random.c
+++ b/arch/s390/crypto/arch_random.c
@@ -54,6 +54,10 @@ static DECLARE_DELAYED_WORK(arch_rng_work, arch_rng_refill_buffer);
bool s390_arch_random_generate(u8 *buf, unsigned int nbytes)
{
+ /* max hunk is ARCH_RNG_BUF_SIZE */
+ if (nbytes > ARCH_RNG_BUF_SIZE)
+ return false;
+
/* lock rng buffer */
if (!spin_trylock(&arch_rng_lock))
return false;