Commit d9af03fb authored by Holger Dengler's avatar Holger Dengler Committed by Li Huafei

s390/pkey: Wipe copies of clear-key structures on failure

mainline inclusion
from mainline-v6.10-rc1
commit d65d76a44ffe74c73298ada25b0f578680576073
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAH6LY
CVE: CVE-2024-42156

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d65d76a44ffe74c73298ada25b0f578680576073



--------------------------------

Wipe all sensitive data from stack for all IOCTLs, which convert a
clear-key into a protected- or secure-key.

Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Conflicts:
	drivers/s390/crypto/pkey_api.c
[ Resolved context conflict due to commit 6d749b4e0208 ("s390/pkey:
introduce dynamic debugging for pkey")  not backport. ]
Signed-off-by: Li Huafei <lihuafei1@huawei.com>
parent a7d192e0
+11 −9
@@ -1151,10 +1151,8 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
		rc = cca_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype,
				    kcs.clrkey.clrkey, kcs.seckey.seckey);
		DEBUG_DBG("%s cca_clr2seckey()=%d\n", __func__, rc);
		if (rc)
			break;
		if (copy_to_user(ucs, &kcs, sizeof(kcs)))
			rc = -EFAULT;
		if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs)))
			return -EFAULT;
		memzero_explicit(&kcs, sizeof(kcs));
		break;
	}
@@ -1182,10 +1180,8 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
		rc = pkey_clr2protkey(kcp.keytype,
				      &kcp.clrkey, &kcp.protkey);
		DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__, rc);
		if (rc)
			break;
		if (copy_to_user(ucp, &kcp, sizeof(kcp)))
			rc = -EFAULT;
		if (!rc && copy_to_user(ucp, &kcp, sizeof(kcp)))
			return -EFAULT;
		memzero_explicit(&kcp, sizeof(kcp));
		break;
	}
@@ -1325,11 +1321,14 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
		if (copy_from_user(&kcs, ucs, sizeof(kcs)))
			return -EFAULT;
		apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries);
		if (IS_ERR(apqns))
		if (IS_ERR(apqns)) {
			memzero_explicit(&kcs, sizeof(kcs));
			return PTR_ERR(apqns);
		}
		kkey = kmalloc(klen, GFP_KERNEL);
		if (!kkey) {
			kfree(apqns);
			memzero_explicit(&kcs, sizeof(kcs));
			return -ENOMEM;
		}
		rc = pkey_clr2seckey2(apqns, kcs.apqn_entries,
@@ -1339,15 +1338,18 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
		kfree(apqns);
		if (rc) {
			kfree_sensitive(kkey);
			memzero_explicit(&kcs, sizeof(kcs));
			break;
		}
		if (kcs.key) {
			if (kcs.keylen < klen) {
				kfree_sensitive(kkey);
				memzero_explicit(&kcs, sizeof(kcs));
				return -EINVAL;
			}
			if (copy_to_user(kcs.key, kkey, klen)) {
				kfree_sensitive(kkey);
				memzero_explicit(&kcs, sizeof(kcs));
				return -EFAULT;
			}
		}
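Review bot: The copy_to_user() failure path in the first two hunks (the cca_clr2seckey() and pkey_clr2protkey() cases) must not leave the function before the wipe. This rendering has lost its +/- markers and prints `return -EFAULT;` directly under `if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs)))`, while `rc = -EFAULT;` sits under the old unconditional check, so the new side cannot be confirmed from the page. If the new code does return there, a failed copy-out skips `memzero_explicit(&kcs, sizeof(kcs));` and the clear key stays on the kernel stack, which is the case this commit sets out to close. The body should be `rc = -EFAULT;` so that success and both failure paths fall through the wipe before `break;`, and likewise for `kcp` in the second hunk. In the later hunks the wipe is repeated at every early return; pkey_unlocked_ioctl() starts and ends outside the hunks, so the remaining exits (for example the `copy_from_user()` failure return and the success path after the last hunk) could not be checked here.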