raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 01:49:46 +00:00
Code Issues Projects Releases Wiki Activity

kernel: watch_queue: copy user-array safely

Browse Source 
[ Upstream commit ca0776571d ]

Currently, there is no overflow-check with memdup_user().

Use the new function memdup_array_user() instead of memdup_user() for
duplicating the user-space array safely.

Suggested-by: David Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-5-pstanner@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Philipp Stanner
2023-09-20 14:36:11 +02:00
committed by Greg Kroah-Hartman
parent 4fc857cc5c
commit 0f403ebad9
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
kernel/watch_queue.c
View File

@@ -331,7 +331,7 @@ long watch_queue_set_filter(struct pipe_inode_info *pipe,
filter.__reserved != 0) filter.__reserved != 0)
return -EINVAL; return -EINVAL;
tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf)); tf = memdup_array_user(_filter->filters, filter.nr_filters, sizeof(*tf));
if (IS_ERR(tf)) if (IS_ERR(tf))
return PTR_ERR(tf); return PTR_ERR(tf);