[PATCH v1 0/1] pkey: Fix for PKEY_VERIFYPROTK ioctl

[PATCH v1 0/1] pkey: Fix for PKEY_VERIFYPROTK ioctl

[Holger Dengler]

The PKEY_VERIFYPROTK ioctl is used to verify protected key blobs. Part of
the verification is the check for supported keytypes. The following patch
1/1 fixes the keytype check in this ioctl.

The patch applies to Linus' master branch.

Holger Dengler (1):
  pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

 drivers/s390/crypto/pkey_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


base-commit: 9ecfb2f7287a967b418ba69f10d45ead0d360593
-- 
2.54.0

[PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

[Holger Dengler]

As part of the verification, the PKEY_VERIFYPROTK ioctl checks for
supported keytype, which are derived from the bit-size of the key. The
calculation for the bit-size of a protected key has to take into
account, that the length of the protected key blob also includes the
length of the wrapping key verification pattern (WKVP). Subtract the
length of the MKVP from the protected key length fixes this
calculation.

Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules")
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
---
 drivers/s390/crypto/pkey_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index d6b595eb3370..2160e1de3014 100644
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
 	if (copy_from_user(&kvp, uvp, sizeof(kvp)))
 		return -EFAULT;
 
-	keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
+	keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
+						   AES_WK_VP_SIZE));
 	if (!keytype) {
 		PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
 			     __func__, kvp.protkey.len);
-- 
2.54.0

Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Critical] An integer wrap-around in the key bit-size calculation bypasses length validation, leading to massive out-of-bounds memory accesses during a subsequent memcpy().
--

commit 26c99ec1350980042dcf4518941f9831c98478fc
Author: Holger Dengler <dengler@linux.ibm.com>

pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

This commit updates the bit-size calculation for protected keys in the
PKEY_VERIFYPROTK ioctl to account for the wrapping key verification pattern
(WKVP). It subtracts the length of the WKVP from the protected key length to
fix the calculation.

> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
> --- a/drivers/s390/crypto/pkey_api.c
> +++ b/drivers/s390/crypto/pkey_api.c
> @@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
>  	if (copy_from_user(&kvp, uvp, sizeof(kvp)))
>  		return -EFAULT;
>  
> -	keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
> +	keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
> +						   AES_WK_VP_SIZE));

[Severity: Critical]
This is a pre-existing issue, but does this calculation allow an integer
wrap-around that bypasses length validation?

Because kvp.protkey.len is a user-controlled 32-bit unsigned integer and
there is no explicit bounds check against MAXPROTKEYSIZE, a malicious user
can provide an enormous length. For example, if kvp.protkey.len is
536870960 (0x20000030), subtracting AES_WK_VP_SIZE (32) yields 536870928.
Multiplying by 8 results in 4294967424 (0x100000080), which truncates to
128 in 32-bit arithmetic. 

pkey_aes_bitsize_to_keytype(128) then returns PKEY_KEYTYPE_AES_128, passing
the !keytype check.

Further down in pkey_ioctl_verifyprotk(), the unvalidated oversized length
is passed into memcpy(t->protkey, kvp.protkey.protkey, kvp.protkey.len).
Since kvp.protkey.protkey is a 64-byte array on the kernel stack and t
points to an 80-byte heap allocation, wouldn't this cause catastrophic
out-of-bounds memory accesses?

>  	if (!keytype) {
>  		PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
>  			     __func__, kvp.protkey.len);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260619074541.1710716-2-dengler@linux.ibm.com?part=1

Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

[Holger Dengler]

On 6/19/26 10:00, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> 
> Pre-existing issues:
> - [Critical] An integer wrap-around in the key bit-size calculation bypasses length validation, leading to massive out-of-bounds memory accesses during a subsequent memcpy().
> --

This issue is already fixed and on its way.

-- 
Mit freundlichen Grüßen / Kind regards
Holger Dengler

Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

[Ingo Franzki]

On 19.06.2026 09:45, Holger Dengler wrote:
> As part of the verification, the PKEY_VERIFYPROTK ioctl checks for
> supported keytype, which are derived from the bit-size of the key. The
> calculation for the bit-size of a protected key has to take into
> account, that the length of the protected key blob also includes the
> length of the wrapping key verification pattern (WKVP). Subtract the
> length of the MKVP from the protected key length fixes this
> calculation.
> 
> Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules")
> Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
> ---
>  drivers/s390/crypto/pkey_api.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
> index d6b595eb3370..2160e1de3014 100644
> --- a/drivers/s390/crypto/pkey_api.c
> +++ b/drivers/s390/crypto/pkey_api.c
> @@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
>  	if (copy_from_user(&kvp, uvp, sizeof(kvp)))
>  		return -EFAULT;
>  
> -	keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
> +	keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
> +						   AES_WK_VP_SIZE));
>  	if (!keytype) {
>  		PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
>  			     __func__, kvp.protkey.len);

Why not simply use 

     t->keytype = kvp.protkey.type;

and remove the whole 'keytype = pkey_aes_bitsize_to_keytype(....)' thing ? 
The type of the protected key is already contained in the protected key structure, so why trying to guess it from the size again? 

You will need a length check for the 'memcpy(t->protkey, kvp.protkey.protkey, kvp.protkey.len);' (regardless of how you determine the type).  

-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Linux on IBM Z Development
IBM Campus 1, 71139 Ehningen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Wolfgang Wendt
Geschäftsführung: David Faller
Sitz der Gesellschaft: Ehningen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/

Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

[Harald Freudenberger]

On 2026-06-19 10:32, Ingo Franzki wrote:
> On 19.06.2026 09:45, Holger Dengler wrote:
>> As part of the verification, the PKEY_VERIFYPROTK ioctl checks for
>> supported keytype, which are derived from the bit-size of the key. The
>> calculation for the bit-size of a protected key has to take into
>> account, that the length of the protected key blob also includes the
>> length of the wrapping key verification pattern (WKVP). Subtract the
>> length of the MKVP from the protected key length fixes this
>> calculation.
>> 
>> Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler 
>> registry and handler modules")
>> Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
>> ---
>>  drivers/s390/crypto/pkey_api.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>> 
>> diff --git a/drivers/s390/crypto/pkey_api.c 
>> b/drivers/s390/crypto/pkey_api.c
>> index d6b595eb3370..2160e1de3014 100644
>> --- a/drivers/s390/crypto/pkey_api.c
>> +++ b/drivers/s390/crypto/pkey_api.c
>> @@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct 
>> pkey_verifyprotk __user *uvp)
>>  	if (copy_from_user(&kvp, uvp, sizeof(kvp)))
>>  		return -EFAULT;
>> 
>> -	keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
>> +	keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
>> +						   AES_WK_VP_SIZE));
>>  	if (!keytype) {
>>  		PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
>>  			     __func__, kvp.protkey.len);
> 
> Why not simply use
> 
>      t->keytype = kvp.protkey.type;
> 
> and remove the whole 'keytype = pkey_aes_bitsize_to_keytype(....)' 
> thing ?
> The type of the protected key is already contained in the protected
> key structure, so why trying to guess it from the size again?

Not sure how this comes from. However, as this function anyway is only
valid to be called for protected AES keys I would stay with the guessing
from the length.

> 
> You will need a length check for the 'memcpy(t->protkey,
> kvp.protkey.protkey, kvp.protkey.len);' (regardless of how you
> determine the type).

As you wrote, the length still needs to be checked here for <= 
sizeof(t->protkey).

Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

[Holger Dengler]

On 6/19/26 10:32, Ingo Franzki wrote:
> On 19.06.2026 09:45, Holger Dengler wrote:
>> As part of the verification, the PKEY_VERIFYPROTK ioctl checks for
>> supported keytype, which are derived from the bit-size of the key. The
>> calculation for the bit-size of a protected key has to take into
>> account, that the length of the protected key blob also includes the
>> length of the wrapping key verification pattern (WKVP). Subtract the
>> length of the MKVP from the protected key length fixes this
>> calculation.
>>
>> Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules")
>> Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
>> ---
>>   drivers/s390/crypto/pkey_api.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
>> index d6b595eb3370..2160e1de3014 100644
>> --- a/drivers/s390/crypto/pkey_api.c
>> +++ b/drivers/s390/crypto/pkey_api.c
>> @@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
>>   	if (copy_from_user(&kvp, uvp, sizeof(kvp)))
>>   		return -EFAULT;
>>   
>> -	keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
>> +	keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
>> +						   AES_WK_VP_SIZE));
>>   	if (!keytype) {
>>   		PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
>>   			     __func__, kvp.protkey.len);
> 
> Why not simply use
> 
>       t->keytype = kvp.protkey.type;
> 
> and remove the whole 'keytype = pkey_aes_bitsize_to_keytype(....)' thing ?
> The type of the protected key is already contained in the protected key structure, so why trying to guess it from the size again?
> 
> You will need a length check for the 'memcpy(t->protkey, kvp.protkey.protkey, kvp.protkey.len);' (regardless of how you determine the type).

I think, we need to check both: the derived keytype from the keysize AND 
the the keytype in the struct. The ioctl gets a struct which can contain 
any random data. So, we should first derive the keytype from the keysize 
and compare it with the keytype in the struct. Any mismatch should 
result in an error. I'll add this check in the v2.

And, as I already mentioned: the length-check before the memcpy() is 
mandatory in any way and a fix for this is already on its way.

-- 
Mit freundlichen Grüßen / Kind regards
Holger Dengler

Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

[Ingo Franzki]

On 19.06.2026 10:45, Holger Dengler wrote:
> On 6/19/26 10:32, Ingo Franzki wrote:
>> On 19.06.2026 09:45, Holger Dengler wrote:
>>> As part of the verification, the PKEY_VERIFYPROTK ioctl checks for
>>> supported keytype, which are derived from the bit-size of the key. The
>>> calculation for the bit-size of a protected key has to take into
>>> account, that the length of the protected key blob also includes the
>>> length of the wrapping key verification pattern (WKVP). Subtract the
>>> length of the MKVP from the protected key length fixes this
>>> calculation.
>>>
>>> Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules")
>>> Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
>>> ---
>>>   drivers/s390/crypto/pkey_api.c | 3 ++-
>>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
>>> index d6b595eb3370..2160e1de3014 100644
>>> --- a/drivers/s390/crypto/pkey_api.c
>>> +++ b/drivers/s390/crypto/pkey_api.c
>>> @@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
>>>       if (copy_from_user(&kvp, uvp, sizeof(kvp)))
>>>           return -EFAULT;
>>>   -    keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
>>> +    keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
>>> +                           AES_WK_VP_SIZE));
>>>       if (!keytype) {
>>>           PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
>>>                    __func__, kvp.protkey.len);
>>
>> Why not simply use
>>
>>       t->keytype = kvp.protkey.type;
>>
>> and remove the whole 'keytype = pkey_aes_bitsize_to_keytype(....)' thing ?
>> The type of the protected key is already contained in the protected key structure, so why trying to guess it from the size again?
>>
>> You will need a length check for the 'memcpy(t->protkey, kvp.protkey.protkey, kvp.protkey.len);' (regardless of how you determine the type).
> 
> I think, we need to check both: the derived keytype from the keysize AND the the keytype in the struct. The ioctl gets a struct which can contain any random data. So, we should first derive the keytype from the keysize and compare it with the keytype in the struct. Any mismatch should result in an error. I'll add this check in the v2.

Well, you finally call pkey_handler_verify_key() which calls pckmo_verify_key() and this has the following already:

		keysize = pkey_keytype_to_size(t->keytype);
		if (!keysize || t->len != keysize + AES_WK_VP_SIZE)
			goto out;

So you basically do the same here again. 

You might have to limit the type to AES keys though. 

> 
> And, as I already mentioned: the length-check before the memcpy() is mandatory in any way and a fix for this is already on its way.
> 


-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Linux on IBM Z Development
IBM Campus 1, 71139 Ehningen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Wolfgang Wendt
Geschäftsführung: David Faller
Sitz der Gesellschaft: Ehningen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/

Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

[Ingo Franzki]

On 19.06.2026 10:43, Harald Freudenberger wrote:
> On 2026-06-19 10:32, Ingo Franzki wrote:
>> On 19.06.2026 09:45, Holger Dengler wrote:
>>> As part of the verification, the PKEY_VERIFYPROTK ioctl checks for
>>> supported keytype, which are derived from the bit-size of the key. The
>>> calculation for the bit-size of a protected key has to take into
>>> account, that the length of the protected key blob also includes the
>>> length of the wrapping key verification pattern (WKVP). Subtract the
>>> length of the MKVP from the protected key length fixes this
>>> calculation.
>>>
>>> Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules")
>>> Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
>>> ---
>>>  drivers/s390/crypto/pkey_api.c | 3 ++-
>>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
>>> index d6b595eb3370..2160e1de3014 100644
>>> --- a/drivers/s390/crypto/pkey_api.c
>>> +++ b/drivers/s390/crypto/pkey_api.c
>>> @@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
>>>      if (copy_from_user(&kvp, uvp, sizeof(kvp)))
>>>          return -EFAULT;
>>>
>>> -    keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
>>> +    keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
>>> +                           AES_WK_VP_SIZE));
>>>      if (!keytype) {
>>>          PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
>>>                   __func__, kvp.protkey.len);
>>
>> Why not simply use
>>
>>      t->keytype = kvp.protkey.type;
>>
>> and remove the whole 'keytype = pkey_aes_bitsize_to_keytype(....)' thing ?
>> The type of the protected key is already contained in the protected
>> key structure, so why trying to guess it from the size again?
> 
> Not sure how this comes from. However, as this function anyway is only
> valid to be called for protected AES keys I would stay with the guessing
> from the length.

The problem with guessing the type from the length is that there are non-AES protected key types that have the same size as AES keys, e.g. PKEY_KEYTYPE_ECC_P256 and PKEY_KEYTYPE_ECC_ED25519 are both 64 (32+32) bytes in size and would be treated as AES-256 bit key with the current guessing....

> 
>>
>> You will need a length check for the 'memcpy(t->protkey,
>> kvp.protkey.protkey, kvp.protkey.len);' (regardless of how you
>> determine the type).
> 
> As you wrote, the length still needs to be checked here for <= sizeof(t->protkey).


-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Linux on IBM Z Development
IBM Campus 1, 71139 Ehningen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Wolfgang Wendt
Geschäftsführung: David Faller
Sitz der Gesellschaft: Ehningen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/

Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

[Alexander Gordeev]

On Fri, Jun 19, 2026 at 09:45:41AM +0200, Holger Dengler wrote:
> As part of the verification, the PKEY_VERIFYPROTK ioctl checks for
> supported keytype, which are derived from the bit-size of the key. The
> calculation for the bit-size of a protected key has to take into
> account, that the length of the protected key blob also includes the
> length of the wrapping key verification pattern (WKVP). Subtract the
> length of the MKVP from the protected key length fixes this
> calculation.
> 
> Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules")

No -stable tag?

> Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
> ---
>  drivers/s390/crypto/pkey_api.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Thanks!

Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl

[Holger Dengler]

On 6/19/26 11:34, Alexander Gordeev wrote:
> On Fri, Jun 19, 2026 at 09:45:41AM +0200, Holger Dengler wrote:
>> As part of the verification, the PKEY_VERIFYPROTK ioctl checks for
>> supported keytype, which are derived from the bit-size of the key. The
>> calculation for the bit-size of a protected key has to take into
>> account, that the length of the protected key blob also includes the
>> length of the wrapping key verification pattern (WKVP). Subtract the
>> length of the MKVP from the protected key length fixes this
>> calculation.
>>
>> Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules")
> 
> No -stable tag?

You're right, cc-stable should be there.

-- 
Mit freundlichen Grüßen / Kind regards
Holger Dengler