Linux s390 Architecture development
 help / color / mirror / Atom feed
From: Holger Dengler <dengler@linux.ibm.com>
To: Harald Freudenberger <freude@linux.ibm.com>
Cc: fcallies@linux.ibm.com, linux-s390@vger.kernel.org,
	Heiko Carstens <hca@linux.ibm.com>,
	Vasily Gorbik <gor@linux.ibm.com>,
	Alexander Gordeev <agordeev@linux.ibm.com>
Subject: Re: [PATCH v5 1/1] s390/zcrypt: Improve zcrypt reply message verification checks
Date: Mon, 13 Jul 2026 15:21:47 +0200	[thread overview]
Message-ID: <995f0618-ff76-4bd5-a0fc-4592ecd13484@linux.ibm.com> (raw)
In-Reply-To: <20260710151005.79765-2-freude@linux.ibm.com>

On 7/10/26 17:10, Harald Freudenberger wrote:
> Add or improve checks related to buffer sizes and reply sizes to the
> handling of replies from the crypto cards for CCA and EP11 (AP message
> type 6) messages. The verification code related to reply field length
> was not designed well and thus firmware deficiencies could lead to
> unexpected behavior in the zcrypt device driver. Thus improve the code
> to more closely inspect especially length fields at message replies.
> 
> The 3 hunks of this patch deal with CCA, EP11 and (CCA) RNG replies
> and improve the checking for reply buffer size by using size_t instead
> of int. RNG replies an additional check makes sure the hard coded
> limit of the data buffer is not exceeded. Also there was a condition
> with additional data for an CCA reply where some of the field values
> where unchecked used to invoke memcpy into user
> space. zcrypt_msgtype6_receive() now checks all the relevant fields
> before convert_type86_xcrb() uses them.
> 
> Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
> Cc: stable@vger.kernel.org

See my comments below.

> ---
>   drivers/s390/crypto/zcrypt_msgtype6.c | 42 ++++++++++++++++++++++-----
>   1 file changed, 34 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/s390/crypto/zcrypt_msgtype6.c b/drivers/s390/crypto/zcrypt_msgtype6.c
> index 40f72cdf284d..8252fd185663 100644
> --- a/drivers/s390/crypto/zcrypt_msgtype6.c
> +++ b/drivers/s390/crypto/zcrypt_msgtype6.c
[...]
> @@ -863,7 +870,8 @@ static void zcrypt_msgtype6_receive(struct ap_queue *aq,
>   	    t86r->cprbx.cprb_ver_id == 0x02) {
>   		switch (resp_type->type) {
>   		case CEXXC_RESPONSE_TYPE_ICA:
> -			len = sizeof(struct type86x_reply) + t86r->length;
> +			len = (size_t)sizeof(struct type86x_reply) +
> +				(size_t)t86r->length;

Is the explicit cast for sizeof() really necessary. I would assume, that 
the following should be sufficient:

	len = sizeof(struct type86x_reply) +
		(size_t)t86r->length;

>   			if (len > reply->bufsize || len > msg->bufsize ||
>   			    len != reply->len) {
>   				pr_debug("len mismatch => EMSGSIZE\n");
> @@ -874,10 +882,27 @@ static void zcrypt_msgtype6_receive(struct ap_queue *aq,
>   			msg->len = len;
>   			break;
>   		case CEXXC_RESPONSE_TYPE_XCRB:
> -			if (t86r->fmt2.count2)
> -				len = t86r->fmt2.offset2 + t86r->fmt2.count2;
> -			else
> -				len = t86r->fmt2.offset1 + t86r->fmt2.count1;
> +			len1 = (size_t)t86r->fmt2.offset1 +
> +				(size_t)t86r->fmt2.count1;
> +			if (t86r->fmt2.offset1 > reply->len ||
> +			    t86r->fmt2.count1 > reply->len ||
> +			    len1 > reply->len) {

Wouldn't it be sufficient to check only (len1 > reply->len)? If 
(t86r->fmt2.offset1 > reply->len) is true, than also (len1 > reply->len) 
will be true (and the same for count1).

Or did I miss something?

> +				pr_debug("len mismatch => EMSGSIZE\n");
> +				msg->rc = -EMSGSIZE;
> +				goto out;
> +			}
> +			if (t86r->fmt2.count2) {
> +				len2 = (size_t)t86r->fmt2.offset2 +
> +					(size_t)t86r->fmt2.count2;
> +				if (t86r->fmt2.offset2 > reply->len ||
> +				    t86r->fmt2.count2 > reply->len ||
> +				    len2 > reply->len) {

Same here.

[...]

-- 
Mit freundlichen Grüßen / Kind regards
Holger Dengler


      parent reply	other threads:[~2026-07-13 13:21 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-10 15:10 [PATCH v5 0/1] Improve zcrypt reply message verification checks Harald Freudenberger
2026-07-10 15:10 ` [PATCH v5 1/1] s390/zcrypt: " Harald Freudenberger
2026-07-10 15:29   ` sashiko-bot
2026-07-13 13:21   ` Holger Dengler [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=995f0618-ff76-4bd5-a0fc-4592ecd13484@linux.ibm.com \
    --to=dengler@linux.ibm.com \
    --cc=agordeev@linux.ibm.com \
    --cc=fcallies@linux.ibm.com \
    --cc=freude@linux.ibm.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=linux-s390@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox