From: Heiko Carstens Date: Wed, 13 Jan 2010 19:44:43 +0000 (+0100) Subject: [S390] zcrypt: add sanity check before copy_from_user() X-Git-Tag: v3.12-rc1~11571^2~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0648f5659e2d51659bd8f42ff30f456775c3c12d;p=kernel%2Fkernel-generic.git [S390] zcrypt: add sanity check before copy_from_user() It's not obvious that copy_from_user() is called with a sane length parameter here. Even though it currently seems to be correct better add a check to prevent stack corruption / exploits. Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky --- diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c index 0d4d18b..c68be24 100644 --- a/drivers/s390/crypto/zcrypt_api.c +++ b/drivers/s390/crypto/zcrypt_api.c @@ -393,10 +393,12 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt) * u_mult_inv > 128 bytes. */ if (copied == 0) { - int len; + unsigned int len; spin_unlock_bh(&zcrypt_device_lock); /* len is max 256 / 2 - 120 = 8 */ len = crt->inputdatalength / 2 - 120; + if (len > sizeof(z1)) + return -EFAULT; z1 = z2 = z3 = 0; if (copy_from_user(&z1, crt->np_prime, len) || copy_from_user(&z2, crt->bp_key, len) ||