Linux s390 Architecture development
* [PATCH v1 0/1] pkey: Fix for PKEY_VERIFYPROTK ioctl
@ 2026-06-19  7:45 Holger Dengler
  2026-06-19  7:45 ` [PATCH v1 1/1] pkey: Fix bitsize check in " Holger Dengler
  0 siblings, 1 reply; 4+ messages in thread
From: Holger Dengler @ 2026-06-19  7:45 UTC (permalink / raw)
  To: Harald Freudenberger, Ingo Franzki
  Cc: dengler, linux-s390, Heiko Carstens, Vasily Gorbik,
	Alexander Gordeev

The PKEY_VERIFYPROTK ioctl is used to verify protected key blobs. Part of
the verification is the check for supported keytypes. The following patch
1/1 fixes the keytype check in this ioctl.

The patch applies to Linus' master branch.

Holger Dengler (1):
  pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

 drivers/s390/crypto/pkey_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


base-commit: 9ecfb2f7287a967b418ba69f10d45ead0d360593
-- 
2.54.0



* [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl
  2026-06-19  7:45 [PATCH v1 0/1] pkey: Fix for PKEY_VERIFYPROTK ioctl Holger Dengler
@ 2026-06-19  7:45 ` Holger Dengler
  2026-06-19  8:00   ` sashiko-bot
  0 siblings, 1 reply; 4+ messages in thread
From: Holger Dengler @ 2026-06-19  7:45 UTC (permalink / raw)
  To: Harald Freudenberger, Ingo Franzki
  Cc: dengler, linux-s390, Heiko Carstens, Vasily Gorbik,
	Alexander Gordeev

As part of the verification, the PKEY_VERIFYPROTK ioctl checks for
supported keytypes, which are derived from the bit-size of the key. The
calculation for the bit-size of a protected key has to take into
account that the length of the protected key blob also includes the
length of the wrapping key verification pattern (WKVP). Subtracting the
length of the MKVP from the protected key length fixes this
calculation.

Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules")
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
---
 drivers/s390/crypto/pkey_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index d6b595eb3370..2160e1de3014 100644
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
 	if (copy_from_user(&kvp, uvp, sizeof(kvp)))
 		return -EFAULT;
 
-	keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
+	keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
+						   AES_WK_VP_SIZE));
 	if (!keytype) {
 		PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
 			     __func__, kvp.protkey.len);
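
Review bot: The subtraction in `8 * (kvp.protkey.len - AES_WK_VP_SIZE)` operates on a length that was just copied from user space, and nothing in the visible lines bounds it first. The `%u` in the error message indicates the field is unsigned, so a length below AES_WK_VP_SIZE wraps, and a large length can wrap again in the multiply by 8 and land on a supported bit-size. Suggest rejecting lengths outside the valid range before deriving the keytype. Separately, the commit message names the WKVP in one sentence and the MKVP in the next while the code uses AES_WK_VP_SIZE; one term throughout would be clearer.
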
-- 
2.54.0



* Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl
  2026-06-19  7:45 ` [PATCH v1 1/1] pkey: Fix bitsize check in " Holger Dengler
@ 2026-06-19  8:00   ` sashiko-bot
  2026-06-19  8:02     ` Holger Dengler
  0 siblings, 1 reply; 4+ messages in thread
From: sashiko-bot @ 2026-06-19  8:00 UTC (permalink / raw)
  To: Holger Dengler
  Cc: linux-s390, Vasily Gorbik, Heiko Carstens, Alexander Gordeev

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Critical] An integer wrap-around in the key bit-size calculation bypasses length validation, leading to massive out-of-bounds memory accesses during a subsequent memcpy().
--

commit 26c99ec1350980042dcf4518941f9831c98478fc
Author: Holger Dengler <dengler@linux.ibm.com>

pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

This commit updates the bit-size calculation for protected keys in the
PKEY_VERIFYPROTK ioctl to account for the wrapping key verification pattern
(WKVP). It subtracts the length of the WKVP from the protected key length to
fix the calculation.

> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
> --- a/drivers/s390/crypto/pkey_api.c
> +++ b/drivers/s390/crypto/pkey_api.c
> @@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
>  	if (copy_from_user(&kvp, uvp, sizeof(kvp)))
>  		return -EFAULT;
>  
> -	keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
> +	keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
> +						   AES_WK_VP_SIZE));

[Severity: Critical]
This is a pre-existing issue, but does this calculation allow an integer
wrap-around that bypasses length validation?

Because kvp.protkey.len is a user-controlled 32-bit unsigned integer and
there is no explicit bounds check against MAXPROTKEYSIZE, a malicious user
can provide an enormous length. For example, if kvp.protkey.len is
536870960 (0x20000030), subtracting AES_WK_VP_SIZE (32) yields 536870928.
Multiplying by 8 results in 4294967424 (0x100000080), which truncates to
128 in 32-bit arithmetic. 

pkey_aes_bitsize_to_keytype(128) then returns PKEY_KEYTYPE_AES_128, passing
the !keytype check.

Further down in pkey_ioctl_verifyprotk(), the unvalidated oversized length
is passed into memcpy(t->protkey, kvp.protkey.protkey, kvp.protkey.len).
Since kvp.protkey.protkey is a 64-byte array on the kernel stack and t
points to an 80-byte heap allocation, wouldn't this cause catastrophic
out-of-bounds memory accesses?

>  	if (!keytype) {
>  		PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
>  			     __func__, kvp.protkey.len);
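
Review bot: The error path in the trailing context, `PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n", ...)`, still prints the raw `kvp.protkey.len`, which after this change is no longer the value the check is applied to. Consider stating in the message that the length includes the verification pattern, or printing the derived bit-size alongside it, so a rejected blob can be diagnosed from the log line.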

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260619074541.1710716-2-dengler@linux.ibm.com?part=1
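
The wrap-around described in the review above, worked through as an added example (not code from the patch or the kernel tree). `bitsize_to_keytype()` is a hypothetical stand-in for pkey_aes_bitsize_to_keytype() that returns the bit-size instead of a PKEY_KEYTYPE_* value, the 32- and 64-byte sizes are taken from the review text, and the bounded variant is one possible guard, not the fix referred to in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Sizes as stated in the review text; the names are local to this example. */
#define WK_VP_SIZE  32u  /* AES_WK_VP_SIZE */
#define PROTKEY_BUF 64u  /* size of the kvp.protkey.protkey array */

/* Hypothetical stand-in for pkey_aes_bitsize_to_keytype(): returns the
 * bit-size when it is a supported AES size, 0 otherwise. */
static uint32_t bitsize_to_keytype(uint32_t bits)
{
	return (bits == 128 || bits == 192 || bits == 256) ? bits : 0;
}

/* Same arithmetic as the patched line: 32-bit unsigned, no range check. */
static uint32_t check_unbounded(uint32_t len)
{
	return bitsize_to_keytype(8 * (len - WK_VP_SIZE));
}

/* One possible guard (assumption): bound len before any arithmetic. */
static uint32_t check_bounded(uint32_t len)
{
	if (len <= WK_VP_SIZE || len > PROTKEY_BUF)
		return 0;
	return bitsize_to_keytype(8 * (len - WK_VP_SIZE));
}

int main(void)
{
	/* Constructed inputs: three valid blob lengths, the value from the
	 * review (0x20000030), and two lengths at or below the WKVP size. */
	const uint32_t lens[] = { 48, 56, 64, 0x20000030u, 32, 0 };

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("len=%10u  unbounded=%3u  bounded=%3u\n",
		       (unsigned)lens[i], (unsigned)check_unbounded(lens[i]),
		       (unsigned)check_bounded(lens[i]));
	return 0;
}
```

A non-zero result in the `unbounded` column for 0x20000030 is the case the review describes: the keytype check passes while the length itself is far larger than the buffer.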


* Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl
  2026-06-19  8:00   ` sashiko-bot
@ 2026-06-19  8:02     ` Holger Dengler
  0 siblings, 0 replies; 4+ messages in thread
From: Holger Dengler @ 2026-06-19  8:02 UTC (permalink / raw)
  To: sashiko-reviews
  Cc: linux-s390, Vasily Gorbik, Heiko Carstens, Alexander Gordeev

On 6/19/26 10:00, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> 
> Pre-existing issues:
> - [Critical] An integer wrap-around in the key bit-size calculation bypasses length validation, leading to massive out-of-bounds memory accesses during a subsequent memcpy().
> --

This issue is already fixed and on its way.

-- 
Mit freundlichen Grüßen / Kind regards
Holger Dengler

