From: sashiko-bot@kernel.org
To: "Holger Dengler" <dengler@linux.ibm.com>
Cc: linux-s390@vger.kernel.org, "Vasily Gorbik" <gor@linux.ibm.com>,
"Heiko Carstens" <hca@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>
Subject: Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl
Date: Fri, 19 Jun 2026 08:00:10 +0000 [thread overview]
Message-ID: <20260619080011.4E1A71F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260619074541.1710716-2-dengler@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] An integer wrap-around in the key bit-size calculation bypasses length validation, leading to massive out-of-bounds memory accesses during a subsequent memcpy().
--
commit 26c99ec1350980042dcf4518941f9831c98478fc
Author: Holger Dengler <dengler@linux.ibm.com>
pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl
This commit updates the bit-size calculation for protected keys in the
PKEY_VERIFYPROTK ioctl to account for the wrapping key verification pattern
(WKVP). It subtracts the length of the WKVP from the protected key length to
fix the calculation.
> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
> --- a/drivers/s390/crypto/pkey_api.c
> +++ b/drivers/s390/crypto/pkey_api.c
> @@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
> if (copy_from_user(&kvp, uvp, sizeof(kvp)))
> return -EFAULT;
>
> - keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
> + keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
> + AES_WK_VP_SIZE));
[Severity: Critical]
This is a pre-existing issue, but does this calculation allow an integer
wrap-around that bypasses length validation?
Because kvp.protkey.len is a user-controlled 32-bit unsigned integer and
there is no explicit bounds check against MAXPROTKEYSIZE, a malicious user
can provide an enormous length. For example, if kvp.protkey.len is
536870960 (0x20000030), subtracting AES_WK_VP_SIZE (32) yields 536870928.
Multiplying by 8 results in 4294967424 (0x100000080), which truncates to
128 in 32-bit arithmetic.
pkey_aes_bitsize_to_keytype(128) then returns PKEY_KEYTYPE_AES_128, passing
the !keytype check.
Further down in pkey_ioctl_verifyprotk(), the unvalidated oversized length
is passed into memcpy(t->protkey, kvp.protkey.protkey, kvp.protkey.len).
Since kvp.protkey.protkey is a 64-byte array on the kernel stack and t
points to an 80-byte heap allocation, wouldn't this cause catastrophic
out-of-bounds memory accesses?
> if (!keytype) {
> PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
> __func__, kvp.protkey.len);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260619074541.1710716-2-dengler@linux.ibm.com?part=1
next prev parent reply other threads:[~2026-06-19 8:00 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 7:45 [PATCH v1 0/1] pkey: Fix for PKEY_VERIFYPROTK ioctl Holger Dengler
2026-06-19 7:45 ` [PATCH v1 1/1] pkey: Fix bitsize check in " Holger Dengler
2026-06-19 8:00 ` sashiko-bot [this message]
2026-06-19 8:02 ` Holger Dengler
2026-06-19 8:32 ` Ingo Franzki
2026-06-19 8:43 ` Harald Freudenberger
2026-06-19 9:17 ` Ingo Franzki
2026-06-19 8:45 ` Holger Dengler
2026-06-19 8:55 ` Ingo Franzki
2026-06-19 9:34 ` Alexander Gordeev
2026-06-19 10:35 ` Holger Dengler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260619080011.4E1A71F00A3D@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=dengler@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=linux-s390@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.