[S390] zcrypt: add sanity check before copy_from_user() It's not obvious that copy_from_user() is called with a sane length parameter here. Even though it currently seems to be correct better add a check to prevent stack corruption / exploits. Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

commit: 0648f5659e2d51659bd8f42ff30f456775c3c12d [log] [tgz]
author: Heiko Carstens <heiko.carstens@de.ibm.com> Wed Jan 13 20:44:43 2010 +0100
committer: Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> Wed Jan 13 20:44:46 2010 +0100
tree: 1af4ccaa13998e773ff06969a8039ecc35e76785
parent: 94e587f61ef5da3b4da40289cdb7e9a62d455313 [diff]
diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c
index 0d4d18b..c68be24 100644
--- a/drivers/s390/crypto/zcrypt_api.c
+++ b/drivers/s390/crypto/zcrypt_api.c

@@ -393,10 +393,12 @@
 			 * u_mult_inv > 128 bytes.
 			 */
 			if (copied == 0) {
-				int len;
+				unsigned int len;
 				spin_unlock_bh(&zcrypt_device_lock);
 				/* len is max 256 / 2 - 120 = 8 */
 				len = crt->inputdatalength / 2 - 120;
+				if (len > sizeof(z1))
+					return -EFAULT;
 				z1 = z2 = z3 = 0;
 				if (copy_from_user(&z1, crt->np_prime, len) ||
 				    copy_from_user(&z2, crt->bp_key, len) ||
commit	0648f5659e2d51659bd8f42ff30f456775c3c12d	[log] [tgz]
author	Heiko Carstens <heiko.carstens@de.ibm.com>	Wed Jan 13 20:44:43 2010 +0100
committer	Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com>	Wed Jan 13 20:44:46 2010 +0100
tree	1af4ccaa13998e773ff06969a8039ecc35e76785
parent	94e587f61ef5da3b4da40289cdb7e9a62d455313 [diff]