Explicitly check the buffer length in the request structure provided by
user-space, and fail if it exceeds the buffer size.
Cc: stable@vger.kernel.org
Fixes: 8fcc231ce3be ("s390/pkey: Introduce pkey base with handler registry and handler modules")
Reported-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
if (copy_from_user(&kvp, uvp, sizeof(kvp)))
return -EFAULT;
+ if (kvp.protkey.len > sizeof(kvp.protkey.protkey)) {
+ PKEY_DBF_ERR("%s protkey length %u exceeds protkey buffer size\n",
+ __func__, kvp.protkey.len);
+ memzero_explicit(&kvp, sizeof(kvp));
+ return -EINVAL;
+ }
+
keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
if (!keytype) {
PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
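Review bot: The new bound check `kvp.protkey.len > sizeof(kvp.protkey.protkey)` carries no comment explaining why it has to sit ahead of the keytype lookup that follows. The length is copied straight from user space, and, assuming it is a 32-bit unsigned field as the `%u` format suggests, `8 * kvp.protkey.len` can wrap so that an oversized length still maps to a supported key type. I would add `/* len is user-controlled: bound it here, since 8 * len below can wrap and still pass the keytype check */` above the `if`. The enclosing function starts and ends outside the hunk, so it is not visible whether the later error paths also clear `kvp` with `memzero_explicit()` as this one does; that is worth confirming for consistency.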