[S390] zcrypt: add sanity check before copy_from_user()
It's not obvious that copy_from_user() is called with a sane length parameter here. Even though it currently seems to be correct better add a check to prevent stack corruption / exploits. Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
This commit is contained in:
parent
94e587f61e
commit
0648f5659e
|
@ -393,10 +393,12 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt)
|
|||
* u_mult_inv > 128 bytes.
|
||||
*/
|
||||
if (copied == 0) {
|
||||
int len;
|
||||
unsigned int len;
|
||||
spin_unlock_bh(&zcrypt_device_lock);
|
||||
/* len is max 256 / 2 - 120 = 8 */
|
||||
len = crt->inputdatalength / 2 - 120;
|
||||
if (len > sizeof(z1))
|
||||
return -EFAULT;
|
||||
z1 = z2 = z3 = 0;
|
||||
if (copy_from_user(&z1, crt->np_prime, len) ||
|
||||
copy_from_user(&z2, crt->bp_key, len) ||
|
||||
|
|
Loading…
Reference in New Issue