From: sashiko-bot@kernel.org
To: "Harald Freudenberger" <freude@linux.ibm.com>
Cc: "Heiko Carstens" <hca@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>,
linux-s390@vger.kernel.org, "Vasily Gorbik" <gor@linux.ibm.com>
Subject: Re: [PATCH v5 1/1] s390/zcrypt: Improve zcrypt reply message verification checks
Date: Fri, 10 Jul 2026 15:29:20 +0000 [thread overview]
Message-ID: <20260710152920.9826E1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260710151005.79765-2-freude@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Medium] Uninitialized memory usage and buffer reuse leading to kernel heap information leak
--
--- Patch [1]: [PATCH v5 1/1] s390/zcrypt: Improve zcrypt reply message verification checks ---
commit 52b1c279b5cba2ecec495171bd1e75b2e86fc109
Author: Harald Freudenberger <freude@linux.ibm.com>
s390/zcrypt: Improve zcrypt reply message verification checks
This commit improves reply message verification checks for CCA and EP11
messages in the zcrypt device driver. It updates length field checking to use
size_t and ensures bounds checking before using values to invoke memcpy.
Cc: stable@vger.kernel.org
> diff --git a/drivers/s390/crypto/zcrypt_msgtype6.c b/drivers/s390/crypto/zcrypt_msgtype6.c
> index 40f72cdf284d3..8252fd1856638 100644
> --- a/drivers/s390/crypto/zcrypt_msgtype6.c
> +++ b/drivers/s390/crypto/zcrypt_msgtype6.c
> @@ -853,7 +860,7 @@ static void zcrypt_msgtype6_receive(struct ap_queue *aq,
> };
> struct ap_response_type *resp_type = &msg->response;
> struct type86x_reply *t86r;
> - int len;
> + size_t len, len1, len2 = 0;
>
> /* Copy the reply message to the request message buffer. */
> if (!reply)
> @@ -863,7 +870,8 @@ static void zcrypt_msgtype6_receive(struct ap_queue *aq,
> t86r->cprbx.cprb_ver_id == 0x02) {
[Severity: Medium]
This is a pre-existing issue, but is it possible for a short reply to cause
an out-of-bounds read here? The cprb_ver_id field is accessed before verifying
that reply->len is large enough to contain the CPRBX header.
Additionally, if the hardware returns a response that hits the else branch
in zcrypt_msgtype6_receive():
drivers/s390/crypto/zcrypt_msgtype6.c:zcrypt_msgtype6_receive() {
...
} else {
memcpy(msg->msg, reply->msg, sizeof(error_reply));
msg->len = sizeof(error_reply);
}
...
}
Only 8 bytes (sizeof(error_reply)) are copied, and the rest of msg->msg
remains user-controlled from the original request.
Could a malicious user craft a request via ZSECSENDCPRB embedding specific
values for cprb_ver_id and fmt2.offset2/count2, and if a short response
forces the else branch, bypass verification?
If convert_response_xcrb() reads the mixed buffer, sees TYPE86_RSP_CODE,
and validates cprb_ver_id == 0x02 from the user's data, it would call
convert_type86_xcrb(), which then copies arbitrary kernel heap memory to
user space using the user-controlled offsets:
drivers/s390/crypto/zcrypt_msgtype6.c:convert_type86_xcrb() {
...
if (z_copy_to_user(userspace, xcrb->reply_data_addr,
data + msg->fmt2.offset2, msg->fmt2.count2))
return -EFAULT;
...
}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260710151005.79765-2-freude@linux.ibm.com?part=1
prev parent reply other threads:[~2026-07-10 15:29 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-10 15:10 [PATCH v5 0/1] Improve zcrypt reply message verification checks Harald Freudenberger
2026-07-10 15:10 ` [PATCH v5 1/1] s390/zcrypt: " Harald Freudenberger
2026-07-10 15:29 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260710152920.9826E1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=freude@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=linux-s390@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox