diff options
| author | Heiko Carstens <heiko.carstens@de.ibm.com> | 2010-01-13 14:44:43 -0500 |
|---|---|---|
| committer | Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> | 2010-01-13 14:44:46 -0500 |
| commit | 0648f5659e2d51659bd8f42ff30f456775c3c12d (patch) | |
| tree | 1af4ccaa13998e773ff06969a8039ecc35e76785 /drivers/s390/crypto | |
| parent | 94e587f61ef5da3b4da40289cdb7e9a62d455313 (diff) | |
[S390] zcrypt: add sanity check before copy_from_user()
It's not obvious that copy_from_user() is called with a sane length
parameter here. Even though it currently seems to be correct better
add a check to prevent stack corruption / exploits.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390/crypto')
| -rw-r--r-- | drivers/s390/crypto/zcrypt_api.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c index 0d4d18bdd45c..c68be24e27d9 100644 --- a/drivers/s390/crypto/zcrypt_api.c +++ b/drivers/s390/crypto/zcrypt_api.c | |||
| @@ -393,10 +393,12 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt) | |||
| 393 | * u_mult_inv > 128 bytes. | 393 | * u_mult_inv > 128 bytes. |
| 394 | */ | 394 | */ |
| 395 | if (copied == 0) { | 395 | if (copied == 0) { |
| 396 | int len; | 396 | unsigned int len; |
| 397 | spin_unlock_bh(&zcrypt_device_lock); | 397 | spin_unlock_bh(&zcrypt_device_lock); |
| 398 | /* len is max 256 / 2 - 120 = 8 */ | 398 | /* len is max 256 / 2 - 120 = 8 */ |
| 399 | len = crt->inputdatalength / 2 - 120; | 399 | len = crt->inputdatalength / 2 - 120; |
| 400 | if (len > sizeof(z1)) | ||
| 401 | return -EFAULT; | ||
| 400 | z1 = z2 = z3 = 0; | 402 | z1 = z2 = z3 = 0; |
| 401 | if (copy_from_user(&z1, crt->np_prime, len) || | 403 | if (copy_from_user(&z1, crt->np_prime, len) || |
| 402 | copy_from_user(&z2, crt->bp_key, len) || | 404 | copy_from_user(&z2, crt->bp_key, len) || |