提交 0648f565 编写于 作者: H Heiko Carstens 提交者: Martin Schwidefsky

[S390] zcrypt: add sanity check before copy_from_user()

It's not obvious that copy_from_user() is called with a sane length
parameter here. Even though it currently seems to be correct better
add a check to prevent stack corruption / exploits.
Signed-off-by: NHeiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
上级 94e587f6
...@@ -393,10 +393,12 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt) ...@@ -393,10 +393,12 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt)
* u_mult_inv > 128 bytes. * u_mult_inv > 128 bytes.
*/ */
if (copied == 0) { if (copied == 0) {
int len; unsigned int len;
spin_unlock_bh(&zcrypt_device_lock); spin_unlock_bh(&zcrypt_device_lock);
/* len is max 256 / 2 - 120 = 8 */ /* len is max 256 / 2 - 120 = 8 */
len = crt->inputdatalength / 2 - 120; len = crt->inputdatalength / 2 - 120;
if (len > sizeof(z1))
return -EFAULT;
z1 = z2 = z3 = 0; z1 = z2 = z3 = 0;
if (copy_from_user(&z1, crt->np_prime, len) || if (copy_from_user(&z1, crt->np_prime, len) ||
copy_from_user(&z2, crt->bp_key, len) || copy_from_user(&z2, crt->bp_key, len) ||
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册