aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHeiko Carstens <heiko.carstens@de.ibm.com>2010-01-13 14:44:43 -0500
committerMartin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com>2010-01-13 14:44:46 -0500
commit0648f5659e2d51659bd8f42ff30f456775c3c12d (patch)
tree1af4ccaa13998e773ff06969a8039ecc35e76785
parent94e587f61ef5da3b4da40289cdb7e9a62d455313 (diff)
[S390] zcrypt: add sanity check before copy_from_user()
It's not obvious that copy_from_user() is called with a sane length parameter here. Even though it currently seems to be correct better add a check to prevent stack corruption / exploits. Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-rw-r--r--drivers/s390/crypto/zcrypt_api.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c
index 0d4d18bdd45c..c68be24e27d9 100644
--- a/drivers/s390/crypto/zcrypt_api.c
+++ b/drivers/s390/crypto/zcrypt_api.c
@@ -393,10 +393,12 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt)
393 * u_mult_inv > 128 bytes. 393 * u_mult_inv > 128 bytes.
394 */ 394 */
395 if (copied == 0) { 395 if (copied == 0) {
396 int len; 396 unsigned int len;
397 spin_unlock_bh(&zcrypt_device_lock); 397 spin_unlock_bh(&zcrypt_device_lock);
398 /* len is max 256 / 2 - 120 = 8 */ 398 /* len is max 256 / 2 - 120 = 8 */
399 len = crt->inputdatalength / 2 - 120; 399 len = crt->inputdatalength / 2 - 120;
400 if (len > sizeof(z1))
401 return -EFAULT;
400 z1 = z2 = z3 = 0; 402 z1 = z2 = z3 = 0;
401 if (copy_from_user(&z1, crt->np_prime, len) || 403 if (copy_from_user(&z1, crt->np_prime, len) ||
402 copy_from_user(&z2, crt->bp_key, len) || 404 copy_from_user(&z2, crt->bp_key, len) ||