s390 fixes for 6.5-rc3

- Fix per vma lock fault handling: add missing !(fault & VM_FAULT_ERROR) check to fault handler to prevent error handling for return values that don't indicate an error - Use kfree_sensitive() instead of kfree() in paes crypto code to clear memory that may contain keys before freeing it - Fix reply buffer size calculation for CCA replies in zcrypt device driver -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEECMNfWEw3SLnmiLkZIg7DeRspbsIFAmS7+SgACgkQIg7DeRsp bsJhUhAAi+4wp6ptSwwG4YMgX8i7nmC8uQz2cTI/KOcaBmYzXTqTjx71pi6+myFo 2/rJZPOwBlndAKI3I9NvofUMnCAX6XeYCpBs27GLIXWoZqyCIXd2KGr7HjWO2/Qw d30o6UNnjndiNsMPCsWQ0C6L7bEmuZE0BbZ4qQNyUzCB7oEHydgJhfXtnmPkeVt2 5DX9oKvnz8flxL8ei3ouysO13DYMNVOZcWaytKfwUoaME0ivvzZc6Xa0KksMhbNh 5ayB3MqrtKb3RUyt+EM92JOyxA5M9wCdFU00J4IKboTTNhq2tNe/CntzuCugFGbh lNoi570EKDuXLgg3L80o3ek3wg+rwmrkbY2AVnDAlK/eFU/fekiQatf9qsaaDzI/ t4KALAGCcnEIw7oYzbOoQOG8+zguVkg2YCjnfaWH8ZUqfDtAvwyXgM2v39RyXvE3 YLgtZTr+X7m6iDRIg2L3REPCaSPTj9sf40gWmZbniao9aQAg6le3kLmQ5wQyO0zu Rlp13HzvS2e56nwpp97JqvwluayDPnKcXyUwU4tESMmdvQTmlf4/mgGqo5dJLSp3 Uhedh/b/ODYxUsqS/W1b+kX09+i/WOzNCLJaVohiKYF8mJNlF5iEi7MrCyfxg4cD MgUEeH/j0k6fYUu/J6Rbob0hiqmEjoL00x4qQoTjW5bMxncnhIc= =WgxK -----END PGP SIGNATURE----- Merge tag 's390-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Heiko Carstens: - Fix per vma lock fault handling: add missing !(fault & VM_FAULT_ERROR) check to fault handler to prevent error handling for return values that don't indicate an error - Use kfree_sensitive() instead of kfree() in paes crypto code to clear memory that may contain keys before freeing it - Fix reply buffer size calculation for CCA replies in zcrypt device driver * tag 's390-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/zcrypt: fix reply buffer calculations for CCA replies s390/crypto: use kfree_sensitive() instead of kfree() s390/mm: fix per vma lock fault handling
2023-07-22 11:24:03 -07:00 · 2023-07-22 11:24:03 -07:00 · 295e1388de
commit 295e1388de
parent f036d67c02 4cfca532dd
3 changed files with 26 additions and 11 deletions
--- a/arch/s390/crypto/paes_s390.c
+++ b/arch/s390/crypto/paes_s390.c
@ -103,7 +103,7 @@ static inline void _free_kb_keybuf(struct key_blob *kb)
 {
 	if (kb->key && kb->key != kb->keybuf
 	    && kb->keylen > sizeof(kb->keybuf)) {
-		kfree(kb->key);
+		kfree_sensitive(kb->key);
 		kb->key = NULL;
 	}
 }
--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
@ -421,6 +421,8 @@ static inline vm_fault_t do_exception(struct pt_regs *regs, int access)
 	vma_end_read(vma);
 	if (!(fault & VM_FAULT_RETRY)) {
 		count_vm_vma_lock_event(VMA_LOCK_SUCCESS);
+		if (likely(!(fault & VM_FAULT_ERROR)))
+			fault = 0;
 		goto out;
 	}
 	count_vm_vma_lock_event(VMA_LOCK_RETRY);
--- a/drivers/s390/crypto/zcrypt_msgtype6.c
+++ b/drivers/s390/crypto/zcrypt_msgtype6.c
@ -1101,23 +1101,36 @@ static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
 				      struct ica_xcRB *xcrb,
 				      struct ap_message *ap_msg)
 {
-	int rc;
 	struct response_type *rtype = ap_msg->private;
 	struct {
 		struct type6_hdr hdr;
 		struct CPRBX cprbx;
 		/* ... more data blocks ... */
 	} __packed * msg = ap_msg->msg;
+	unsigned int max_payload_size;
+	int rc, delta;

-	/*
-	 * Set the queue's reply buffer length minus 128 byte padding
-	 * as reply limit for the card firmware.
-	 */
-	msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1,
-				      zq->reply.bufsize - 128);
-	if (msg->hdr.fromcardlen2)
-		msg->hdr.fromcardlen2 =
-			zq->reply.bufsize - msg->hdr.fromcardlen1 - 128;
+	/* calculate maximum payload for this card and msg type */
+	max_payload_size = zq->reply.bufsize - sizeof(struct type86_fmt2_msg);
+
+	/* limit each of the two from fields to the maximum payload size */
+	msg->hdr.fromcardlen1 = min(msg->hdr.fromcardlen1, max_payload_size);
+	msg->hdr.fromcardlen2 = min(msg->hdr.fromcardlen2, max_payload_size);
+
+	/* calculate delta if the sum of both exceeds max payload size */
+	delta = msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2
+		- max_payload_size;
+	if (delta > 0) {
+		/*
+		 * Sum exceeds maximum payload size, prune fromcardlen1
+		 * (always trust fromcardlen2)
+		 */
+		if (delta > msg->hdr.fromcardlen1) {
+			rc = -EINVAL;
+			goto out;
+		}
+		msg->hdr.fromcardlen1 -= delta;
+	}

 	init_completion(&rtype->work);
 	rc = ap_queue_message(zq->queue, ap_msg);