Skip to content

Commit

Permalink
s390/archrandom: add parameter check for s390_arch_random_generate
Browse files Browse the repository at this point in the history 
A review of the code showed, that this function which is exposed
within the whole kernel should do a parameter check for the
amount of bytes requested. If this requested bytes is too high
an unsigned int overflow could happen causing this function to
try to memcpy a really big memory chunk.

This is not a security issue as there are only two invocations
of this function from arch/s390/include/asm/archrandom.h and both
are not exposed to userland.

Reported-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
  • Loading branch information
@hfreude @hcahca
hfreude authored and hcahca committed Apr 21, 2021
1 parent 70fac80 commit 2809606
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions arch/s390/crypto/arch_random.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,10 @@ static DECLARE_DELAYED_WORK(arch_rng_work, arch_rng_refill_buffer);

bool s390_arch_random_generate(u8 *buf, unsigned int nbytes)
{
/* max hunk is ARCH_RNG_BUF_SIZE */
if (nbytes > ARCH_RNG_BUF_SIZE)
return false;

/* lock rng buffer */
if (!spin_trylock(&arch_rng_lock))
return false;
Expand Down

0 comments on commit 2809606

Please sign in to comment.