From 1b22e4b502f37db14e59971a890add14bbc8153a Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 12 Jun 2026 18:14:04 -0500 Subject: [PATCH] fix F-4409: Integer Overflow in PKCS1 Sign Length Check Allows Heap Buffer Overflow --- linuxkm/lkcapi_rsa_glue.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/linuxkm/lkcapi_rsa_glue.c b/linuxkm/lkcapi_rsa_glue.c index c209113fa4..b90c42429b 100644 --- a/linuxkm/lkcapi_rsa_glue.c +++ b/linuxkm/lkcapi_rsa_glue.c @@ -1128,7 +1128,7 @@ static int km_pkcs1pad_sign(struct akcipher_request *req) goto pkcs1pad_sign_out; } - if (req->src_len + hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) { + if ((word64)req->src_len + (word64)hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) { err = -EOVERFLOW; goto pkcs1pad_sign_out; } @@ -1378,7 +1378,7 @@ static int km_pkcs1_sign(struct crypto_sig *tfm, goto pkcs1_sign_out; } - if (slen + hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) { + if ((word64)slen + (word64)hash_enc_len + RSA_MIN_PAD_SZ > ctx->key_len) { err = -EOVERFLOW; goto pkcs1_sign_out; } @@ -1708,7 +1708,7 @@ static int km_pkcs1pad_enc(struct akcipher_request *req) goto pkcs1_enc_out; } - if (req->src_len + RSA_MIN_PAD_SZ > ctx->key_len) { + if ((word64)req->src_len + RSA_MIN_PAD_SZ > ctx->key_len) { err = -EOVERFLOW; goto pkcs1_enc_out; }