All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Harald Freudenberger" <freude@linux.ibm.com>
Cc: "Heiko Carstens" <hca@linux.ibm.com>,
	"Vasily Gorbik" <gor@linux.ibm.com>,
	linux-s390@vger.kernel.org,
	"Alexander Gordeev" <agordeev@linux.ibm.com>
Subject: Re: [PATCH v1 1/1] s390/zcrypt: Fix missing mem scrub at clear key import in cca_clr2cipherkey()
Date: Fri, 10 Jul 2026 13:56:54 +0000	[thread overview]
Message-ID: <20260710135655.1B8AB1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260710132658.77231-2-freude@linux.ibm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing bounds validation on the hardware-provided length field `t->len` leads to out-of-bounds reads and writes from the CPRB reply block.
--

--- Patch [1]: [PATCH v1 1/1] s390/zcrypt: Fix missing mem scrub at clear key import in cca_clr2cipherkey() ---
commit ca71a93310e3d552d6d70f4020264235acf62e73
Author: Harald Freudenberger <freude@linux.ibm.com>

s390/zcrypt: Fix missing mem scrub at clear key import in cca_clr2cipherkey()

This commit adds a scrub parameter to _ip_cprb_helper() to control whether
the internal CPRB buffer is zeroed out before freeing. This prevents clear
key material from being left in memory during key token import.

> diff --git a/drivers/s390/crypto/zcrypt_ccamisc.c b/drivers/s390/crypto/zcrypt_ccamisc.c
> index 84936a795b956..6a237e880b40b 100644
> --- a/drivers/s390/crypto/zcrypt_ccamisc.c
> +++ b/drivers/s390/crypto/zcrypt_ccamisc.c
> @@ -971,7 +971,8 @@ static int _ip_cprb_helper(u16 cardnr, u16 domain,
>  			   int clr_key_bit_size,
>  			   u8 *key_token,
>  			   int *key_token_size,
> -			   u32 xflags)
> +			   u32 xflags,
> +			   bool scrub)
>  {

[ ... ]

> @@ -1111,7 +1112,7 @@ static int _ip_cprb_helper(u16 cardnr, u16 domain,
>  	*key_token_size = t->len;

[Severity: High]
This isn't a bug introduced by this patch, but is it possible for the
hardware-provided t->len field to cause an out-of-bounds read or write?

Looking at _ip_cprb_helper() in drivers/s390/crypto/zcrypt_ccamisc.c, the
t->len field is used directly from the untrusted hardware response:

drivers/s390/crypto/zcrypt_ccamisc.c:_ip_cprb_helper() {
    ...
    t = (struct cipherkeytoken *)prepparm->kb.tlv1.key_token;
    memcpy(key_token, t, t->len);
    *key_token_size = t->len;
    ...
}

If a malfunctioning or compromised coprocessor returns a CPRB reply block
with a valid outer kb.len but a maliciously large inner t->len, could this
memcpy copy up to 64KB of adjacent kernel memory, overflowing the 16KB
token allocation in cca_clr2cipherkey()?

A similar pattern also appears to exist in cca_gencipherkey(). Would it be
safer to validate t->len against the source CPRB reply block size and the
destination buffer size before using it?

>  out:
> -	free_cprbmem(mem, PARMBSIZE, false, xflags);
> +	free_cprbmem(mem, PARMBSIZE, scrub, xflags);
>  	return rc;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260710132658.77231-2-freude@linux.ibm.com?part=1

      reply	other threads:[~2026-07-10 13:56 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-10 13:26 [PATCH v1 0/1] Fix missing mem scrub at clear key import in cca_clr2cipherkey() Harald Freudenberger
2026-07-10 13:26 ` [PATCH v1 1/1] s390/zcrypt: " Harald Freudenberger
2026-07-10 13:56   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260710135655.1B8AB1F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=agordeev@linux.ibm.com \
    --cc=freude@linux.ibm.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=linux-s390@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.