[S390] zcrypt: add sanity check before copy_from_user()
Heiko Carstens [Wed, 13 Jan 2010 19:44:43 +0000 (20:44 +0100)]
It's not obvious that copy_from_user() is called with a sane length
parameter here. Even though it currently seems to be correct better
add a check to prevent stack corruption / exploits.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

drivers/s390/crypto/zcrypt_api.c

index 0d4d18b..c68be24 100644 (file)
@@ -393,10 +393,12 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt)
                         * u_mult_inv > 128 bytes.
                         */
                        if (copied == 0) {
-                               int len;
+                               unsigned int len;
                                spin_unlock_bh(&zcrypt_device_lock);
                                /* len is max 256 / 2 - 120 = 8 */
                                len = crt->inputdatalength / 2 - 120;
+                               if (len > sizeof(z1))
+                                       return -EFAULT;
                                z1 = z2 = z3 = 0;
                                if (copy_from_user(&z1, crt->np_prime, len) ||
                                    copy_from_user(&z2, crt->bp_key, len) ||