Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0648f565 authored by Heiko Carstens's avatar Heiko Carstens Committed by Martin Schwidefsky
Browse files

[S390] zcrypt: add sanity check before copy_from_user() 



It's not obvious that copy_from_user() is called with a sane length
parameter here. Even though it currently seems to be correct better
add a check to prevent stack corruption / exploits.

Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
parent 94e587f6

drivers/s390/crypto/zcrypt_api.c

+3 −1
Original line number Diff line number Diff line
@@ -393,10 +393,12 @@ static long zcrypt_rsa_crt(struct ica_rsa_modexpo_crt *crt) 
			 * u_mult_inv > 128 bytes.

			 */

			if (copied == 0) {

				int len;

				unsigned int len;

				spin_unlock_bh(&zcrypt_device_lock);

				/* len is max 256 / 2 - 120 = 8 */

				len = crt->inputdatalength / 2 - 120;

				if (len > sizeof(z1))

					return -EFAULT;

				z1 = z2 = z3 = 0;

				if (copy_from_user(&z1, crt->np_prime, len) ||

				    copy_from_user(&z2, crt->bp_key, len) ||