s390/archrandom: add parameter check for s390_arch_random_generate

[ Upstream commit 28096067686c5a5cbd4c35b079749bd805df5010 ] A review of the code showed, that this function which is exposed within the whole kernel should do a parameter check for the amount of bytes requested. If this requested bytes is too high an unsigned int overflow could happen causing this function to try to memcpy a really big memory chunk. This is not a security issue as there are only two invocations of this function from arch/s390/include/asm/archrandom.h and both are not exposed to userland. Reported-by: Sven Schnelle <svens@linux.ibm.com> Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Harald Freudenberger <freude@linux.ibm.com> 2021-04-20 08:23:12 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-05-11 14:04:13 +0200
commit: a65181cfd953ac73e07fbeb2b06214e9ac9b5061 (patch)
tree: c7e043924603d9f9ed7a8971b310568ce795038c /arch
parent: ef00a39e2c7809969bb978e6c7032c8fade333e3 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/arch/s390/crypto/arch_random.c b/arch/s390/crypto/arch_random.c
index dd95cdbd22ce..4cbb4b6d85a8 100644
--- a/arch/s390/crypto/arch_random.c
+++ b/arch/s390/crypto/arch_random.c
@@ -53,6 +53,10 @@ static DECLARE_DELAYED_WORK(arch_rng_work, arch_rng_refill_buffer);
 
 bool s390_arch_random_generate(u8 *buf, unsigned int nbytes)
 {
+	/* max hunk is ARCH_RNG_BUF_SIZE */
+	if (nbytes > ARCH_RNG_BUF_SIZE)
+		return false;
+
 	/* lock rng buffer */
 	if (!spin_trylock(&arch_rng_lock))
 		return false;
author	Harald Freudenberger <freude@linux.ibm.com>	2021-04-20 08:23:12 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-05-11 14:04:13 +0200
commit	a65181cfd953ac73e07fbeb2b06214e9ac9b5061 (patch)
tree	c7e043924603d9f9ed7a8971b310568ce795038c /arch
parent	ef00a39e2c7809969bb978e6c7032c8fade333e3 (diff)