[S390] zcrypt: add sanity check before copy_from_user()
authorHeiko Carstens <heiko.carstens@de.ibm.com>
Wed, 13 Jan 2010 19:44:43 +0000 (20:44 +0100)
committerMartin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com>
Wed, 13 Jan 2010 19:44:46 +0000 (20:44 +0100)
It's not obvious that copy_from_user() is called with a sane length
parameter here. Even though it currently seems to be correct better
add a check to prevent stack corruption / exploits.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
drivers/s390/crypto/zcrypt_api.c

index 0d4d18bdd45ca26ab685fa112eb752be5a3ded5f..c68be24e27d97cab0d2f80482fd5c9c51be0c60f 100644 (file)
@@ -393,10 +393,12 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt)
                         * u_mult_inv > 128 bytes.
                         */
                        if (copied == 0) {
-                               int len;
+                               unsigned int len;
                                spin_unlock_bh(&zcrypt_device_lock);
                                /* len is max 256 / 2 - 120 = 8 */
                                len = crt->inputdatalength / 2 - 120;
+                               if (len > sizeof(z1))
+                                       return -EFAULT;
                                z1 = z2 = z3 = 0;
                                if (copy_from_user(&z1, crt->np_prime, len) ||
                                    copy_from_user(&z2, crt->bp_key, len) ||