Linux s390 Architecture development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Harald Freudenberger" <freude@linux.ibm.com>
Cc: "Heiko Carstens" <hca@linux.ibm.com>,
	"Vasily Gorbik" <gor@linux.ibm.com>,
	linux-s390@vger.kernel.org,
	"Alexander Gordeev" <agordeev@linux.ibm.com>
Subject: Re: [PATCH v1 1/1] s390/zcrypt: Fix missing mem scrub at clear key import in cca_clr2cipherkey()
Date: Fri, 10 Jul 2026 13:56:54 +0000	[thread overview]
Message-ID: <20260710135655.1B8AB1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260710132658.77231-2-freude@linux.ibm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing bounds validation on the hardware-provided length field `t->len` leads to out-of-bounds reads and writes from the CPRB reply block.
--

--- Patch [1]: [PATCH v1 1/1] s390/zcrypt: Fix missing mem scrub at clear key import in cca_clr2cipherkey() ---
commit ca71a93310e3d552d6d70f4020264235acf62e73
Author: Harald Freudenberger <freude@linux.ibm.com>

s390/zcrypt: Fix missing mem scrub at clear key import in cca_clr2cipherkey()

This commit adds a scrub parameter to _ip_cprb_helper() to control whether
the internal CPRB buffer is zeroed out before freeing. This prevents clear
key material from being left in memory during key token import.

> diff --git a/drivers/s390/crypto/zcrypt_ccamisc.c b/drivers/s390/crypto/zcrypt_ccamisc.c
> index 84936a795b956..6a237e880b40b 100644
> --- a/drivers/s390/crypto/zcrypt_ccamisc.c
> +++ b/drivers/s390/crypto/zcrypt_ccamisc.c
> @@ -971,7 +971,8 @@ static int _ip_cprb_helper(u16 cardnr, u16 domain,
>  			   int clr_key_bit_size,
>  			   u8 *key_token,
>  			   int *key_token_size,
> -			   u32 xflags)
> +			   u32 xflags,
> +			   bool scrub)
>  {

[ ... ]

> @@ -1111,7 +1112,7 @@ static int _ip_cprb_helper(u16 cardnr, u16 domain,
>  	*key_token_size = t->len;

[Severity: High]
This isn't a bug introduced by this patch, but is it possible for the
hardware-provided t->len field to cause an out-of-bounds read or write?

Looking at _ip_cprb_helper() in drivers/s390/crypto/zcrypt_ccamisc.c, the
t->len field is used directly from the untrusted hardware response:

drivers/s390/crypto/zcrypt_ccamisc.c:_ip_cprb_helper() {
    ...
    t = (struct cipherkeytoken *)prepparm->kb.tlv1.key_token;
    memcpy(key_token, t, t->len);
    *key_token_size = t->len;
    ...
}

If a malfunctioning or compromised coprocessor returns a CPRB reply block
with a valid outer kb.len but a maliciously large inner t->len, could this
memcpy copy up to 64KB of adjacent kernel memory, overflowing the 16KB
token allocation in cca_clr2cipherkey()?

A similar pattern also appears to exist in cca_gencipherkey(). Would it be
safer to validate t->len against the source CPRB reply block size and the
destination buffer size before using it?

>  out:
> -	free_cprbmem(mem, PARMBSIZE, false, xflags);
> +	free_cprbmem(mem, PARMBSIZE, scrub, xflags);
>  	return rc;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260710132658.77231-2-freude@linux.ibm.com?part=1

      reply	other threads:[~2026-07-10 13:56 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-10 13:26 [PATCH v1 0/1] Fix missing mem scrub at clear key import in cca_clr2cipherkey() Harald Freudenberger
2026-07-10 13:26 ` [PATCH v1 1/1] s390/zcrypt: " Harald Freudenberger
2026-07-10 13:56   ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260710135655.1B8AB1F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=agordeev@linux.ibm.com \
    --cc=freude@linux.ibm.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=linux-s390@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox