diff options
| -rw-r--r-- | queue-5.10/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch | 47 | ||||
| -rw-r--r-- | queue-5.10/series | 1 |
2 files changed, 0 insertions, 48 deletions
diff --git a/queue-5.10/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch b/queue-5.10/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch deleted file mode 100644 index 69f6e8bed9..0000000000 --- a/queue-5.10/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 7360ee47599af91a1d5f4e74d635d9408a54e489 Mon Sep 17 00:00:00 2001 -From: Fedor Pchelkin <pchelkin@ispras.ru> -Date: Wed, 11 Jun 2025 22:20:10 +0300 -Subject: s390/pkey: Prevent overflow in size calculation for memdup_user() - -From: Fedor Pchelkin <pchelkin@ispras.ru> - -commit 7360ee47599af91a1d5f4e74d635d9408a54e489 upstream. - -Number of apqn target list entries contained in 'nr_apqns' variable is -determined by userspace via an ioctl call so the result of the product in -calculation of size passed to memdup_user() may overflow. - -In this case the actual size of the allocated area and the value -describing it won't be in sync leading to various types of unpredictable -behaviour later. - -Use a proper memdup_array_user() helper which returns an error if an -overflow is detected. Note that it is different from when nr_apqns is -initially zero - that case is considered valid and should be handled in -subsequent pkey_handler implementations. - -Found by Linux Verification Center (linuxtesting.org). - -Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support") -Cc: stable@vger.kernel.org -Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> -Reviewed-by: Holger Dengler <dengler@linux.ibm.com> -Reviewed-by: Heiko Carstens <hca@linux.ibm.com> -Link: https://lore.kernel.org/r/20250611192011.206057-1-pchelkin@ispras.ru -Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/s390/crypto/pkey_api.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/s390/crypto/pkey_api.c -+++ b/drivers/s390/crypto/pkey_api.c -@@ -1119,7 +1119,7 @@ static void *_copy_apqns_from_user(void - if (!uapqns || nr_apqns == 0) - return NULL; - -- return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn)); -+ return memdup_array_user(uapqns, nr_apqns, sizeof(struct pkey_apqn)); - } - - static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, diff --git a/queue-5.10/series b/queue-5.10/series index 248b2e46c3..499a7a0528 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -50,7 +50,6 @@ pci-cadence-ep-correct-pba-offset-in-.set_msix-callb.patch net_sched-sch_sfq-reject-invalid-perturb-period.patch i2c-tiny-usb-disable-zero-length-read-messages.patch i2c-robotfuzz-osif-disable-zero-length-read-messages.patch -s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch atm-clip-prevent-null-deref-in-clip_push.patch alsa-usb-audio-fix-out-of-bounds-read-in-snd_usb_get.patch attach_recursive_mnt-do-not-lock-the-covering-tree-w.patch |