From patchwork Fri Sep 8 19:59:40 2023
X-Patchwork-Submitter: Philipp Stanner
X-Patchwork-Id: 13377783
From: Philipp Stanner
To: Kees Cook, Andy Shevchenko, Eric Biederman, Christian Brauner, David Disseldorp, Luis Chamberlain, Siddh Raman Pant, Nick Alcock, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Daniel Vetter, Zack Rusin
Cc: Philipp Stanner, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, VMware Graphics Reviewers, linux-hardening@vger.kernel.org, David Airlie
Subject: [PATCH v2 1/5] string.h: add array-wrappers for (v)memdup_user()
Date: Fri, 8 Sep 2023 21:59:40 +0200
Message-ID: <93001a9f3f101be0f374080090f9c32df73ca773.1694202430.git.pstanner@redhat.com>

Currently, user array duplications are sometimes done without an overflow check. Sometimes the checks are done manually; sometimes the array size is calculated with array_size() and sometimes by calculating n * size directly in code.

Introduce wrappers for arrays for memdup_user() and vmemdup_user() to provide a standardized and safe way for duplicating user arrays.

This is both for new code as well as replacing usage of (v)memdup_user() in existing code that uses, e.g., n * size to calculate array sizes.

Suggested-by: David Airlie
Signed-off-by: Philipp Stanner
Reviewed-by: Andy Shevchenko
---
 include/linux/string.h | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/include/linux/string.h b/include/linux/string.h index dbfc66400050..8c9fc76c7154 100644 --- a/include/linux/string.h +++ b/include/linux/string.h 
@@ -5,7 +5,9 @@ #include /* for inline */ #include /* for size_t */ #include /* for NULL */ +#include /* for ERR_PTR() */ #include /* for E2BIG */ +#include /* for check_mul_overflow() */ #include #include 
@@ -14,6 +16,44 @@ extern void *memdup_user(const void __user *, size_t); extern void *vmemdup_user(const void __user *, size_t); extern void *memdup_user_nul(const void __user *, size_t); +/** + * memdup_array_user - duplicate array from user space + * @src: source address in user space + * @n: number of array members to copy + * @size: size of one array member + * + * Return: an ERR_PTR() on failure. Result is physically + * contiguous, to be freed by kfree(). + */ +static inline void *memdup_array_user(const void __user *src, size_t n, size_t size) +{ + size_t nbytes; + + if (unlikely(check_mul_overflow(n, size, &nbytes))) + return ERR_PTR(-EOVERFLOW); + + return memdup_user(src, nbytes); +} + +/** + * vmemdup_array_user - duplicate array from user space + * @src: source address in user space + * @n: number of array members to copy + * @size: size of one array member + * + * Return: an ERR_PTR() on failure. Result may be not + * physically contiguous. Use kvfree() to free. + */ +static inline void *vmemdup_array_user(const void __user *src, size_t n, size_t size) +{ + size_t nbytes; + + if (unlikely(check_mul_overflow(n, size, &nbytes))) + return ERR_PTR(-EOVERFLOW); + + return vmemdup_user(src, nbytes); +} + /* * Include machine specific inline routines */

From patchwork Fri Sep 8 19:59:41 2023
X-Patchwork-Submitter: Philipp Stanner
X-Patchwork-Id: 13377784
From: Philipp Stanner
To: Kees Cook, Andy Shevchenko, Eric Biederman, Christian Brauner, David Disseldorp, Luis Chamberlain, Siddh Raman Pant, Nick Alcock, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Daniel Vetter, Zack Rusin
Cc: Philipp Stanner, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, VMware Graphics Reviewers, linux-hardening@vger.kernel.org, David Airlie
Subject: [PATCH v2 2/5] kernel: kexec: copy user-array safely
Date: Fri, 8 Sep 2023 21:59:41 +0200
Message-ID: <31313a8a1dd1baf9dd3c21fbe8dd46b9e111f20c.1694202430.git.pstanner@redhat.com>

Currently, there is no overflow-check with memdup_user().

Use the new function memdup_array_user() instead of memdup_user() for duplicating the user-space array safely.

Suggested-by: David Airlie
Signed-off-by: Philipp Stanner
Acked-by: Baoquan He
---
 kernel/kexec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/kexec.c b/kernel/kexec.c index 107f355eac10..8f35a5a42af8 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c 
@@ -247,7 +247,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, ((flags & KEXEC_ARCH_MASK) != KEXEC_ARCH_DEFAULT)) return -EINVAL; - ksegments = memdup_user(segments, nr_segments * sizeof(ksegments[0])); + ksegments = memdup_array_user(segments, nr_segments, sizeof(ksegments[0])); if (IS_ERR(ksegments)) return PTR_ERR(ksegments);

From patchwork Fri Sep 8 19:59:42 2023
X-Patchwork-Submitter: Philipp Stanner
X-Patchwork-Id: 13377785
From: Philipp Stanner
To: Kees Cook, Andy Shevchenko, Eric Biederman, Christian Brauner, David Disseldorp, Luis Chamberlain, Siddh Raman Pant, Nick Alcock, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Daniel Vetter, Zack Rusin
Cc: Philipp Stanner, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, VMware Graphics Reviewers, linux-hardening@vger.kernel.org, David Airlie
Subject: [PATCH v2 3/5] kernel: watch_queue: copy user-array safely
Date: Fri, 8 Sep 2023 21:59:42 +0200

Currently, there is no overflow-check with memdup_user().

Use the new function memdup_array_user() instead of memdup_user() for duplicating the user-space array safely.

Suggested-by: David Airlie
Signed-off-by: Philipp Stanner
---
 kernel/watch_queue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c index d0b6b390ee42..778b4056700f 100644 --- a/kernel/watch_queue.c +++ b/kernel/watch_queue.c 
@@ -331,7 +331,7 @@ long watch_queue_set_filter(struct pipe_inode_info *pipe, filter.__reserved != 0) return -EINVAL; - tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf)); + tf = memdup_array_user(_filter->filters, filter.nr_filters, sizeof(*tf)); if (IS_ERR(tf)) return PTR_ERR(tf);

From patchwork Fri Sep 8 19:59:43 2023
X-Patchwork-Submitter: Philipp Stanner
X-Patchwork-Id: 13377786
From: Philipp Stanner
To: Kees Cook, Andy Shevchenko, Eric Biederman, Christian Brauner, David Disseldorp, Luis Chamberlain, Siddh Raman Pant, Nick Alcock, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Daniel Vetter, Zack Rusin
Cc: Philipp Stanner, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, VMware Graphics Reviewers, linux-hardening@vger.kernel.org, David Airlie
Subject: [PATCH v2 4/5] drm_lease.c: copy user-array safely
Date: Fri, 8 Sep 2023 21:59:43 +0200

Currently, there is no overflow-check with memdup_user().

Use the new function memdup_array_user() instead of memdup_user() for duplicating the user-space array safely.

Suggested-by: David Airlie
Signed-off-by: Philipp Stanner
---
 drivers/gpu/drm/drm_lease.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c index 150fe1555068..94375c6a5425 100644 --- a/drivers/gpu/drm/drm_lease.c +++ b/drivers/gpu/drm/drm_lease.c 
@@ -510,8 +510,8 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev, /* Handle leased objects, if any */ idr_init(&leases); if (object_count != 0) { - object_ids = memdup_user(u64_to_user_ptr(cl->object_ids), - array_size(object_count, sizeof(__u32))); + object_ids = memdup_array_user(u64_to_user_ptr(cl->object_ids), + object_count, sizeof(__u32)); if (IS_ERR(object_ids)) { ret = PTR_ERR(object_ids); idr_destroy(&leases);

From patchwork Fri Sep 8 19:59:44 2023
X-Patchwork-Submitter: Philipp Stanner
X-Patchwork-Id: 13377787
From: Philipp Stanner
To: Kees Cook, Andy Shevchenko, Eric Biederman, Christian Brauner, David Disseldorp, Luis Chamberlain, Siddh Raman Pant, Nick Alcock, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Daniel Vetter, Zack Rusin
Cc: Philipp Stanner, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, VMware Graphics Reviewers, linux-hardening@vger.kernel.org, David Airlie
Subject: [PATCH v2 5/5] drm: vmgfx_surface.c: copy user-array safely
Date: Fri, 8 Sep 2023 21:59:44 +0200
Message-ID: <3d2b36a2cf7bbff1b036f474eb805e19be3c57f5.1694202430.git.pstanner@redhat.com>

Currently, there is no overflow-check with memdup_user().

Use the new function memdup_array_user() instead of memdup_user() for duplicating the user-space array safely.

Suggested-by: David Airlie
Signed-off-by: Philipp Stanner
---
 drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index 5db403ee8261..9be185b094cb 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c 
@@ -777,9 +777,9 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, sizeof(metadata->mip_levels)); metadata->num_sizes = num_sizes; metadata->sizes = - memdup_user((struct drm_vmw_size __user *)(unsigned long) + memdup_array_user((struct drm_vmw_size __user *)(unsigned long) req->size_addr, - sizeof(*metadata->sizes) * metadata->num_sizes); + metadata->num_sizes, sizeof(*metadata->sizes)); if (IS_ERR(metadata->sizes)) { ret = PTR_ERR(metadata->sizes); goto out_no_sizes;
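
Review bot: In patch 1/5, first hunk of include/linux/string.h (@@ -5,7 +5,9 @@), the untouched errno include is still annotated /* for E2BIG */ although the helpers added further down return ERR_PTR(-EOVERFLOW); extend that comment to name EOVERFLOW so the dependency stays documented. The hunk also makes string.h pull in the headers for ERR_PTR() and check_mul_overflow() for everything that includes it; if that is a concern, the two wrappers could be defined out of line next to memdup_user() instead of as static inlines.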
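
Review bot: In patch 1/5, second hunk (@@ -14,6 +16,44 @@), both kernel-doc Return: lines say only "an ERR_PTR() on failure" and do not mention that an overflow of n * size yields ERR_PTR(-EOVERFLOW), which callers that forward PTR_ERR() to user space need to know; state that, together with what is returned on success. The comments also leave n == 0 or size == 0 unspecified: nbytes is then 0 and is handed straight to memdup_user() or vmemdup_user(). Wording nit in vmemdup_array_user(): "may be not physically contiguous" reads better as "may not be physically contiguous".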
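
Review bot: In patch 2/5 (kernel/kexec.c, @@ -247,7 +247,7 @@), the changed line is followed by return PTR_ERR(ksegments), so kexec_load() can now return -EOVERFLOW to its caller where the old nr_segments * sizeof(ksegments[0]) would have wrapped silently. The commit message should name the new error code, since it is visible to user space.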
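
Review bot: In patch 3/5 (kernel/watch_queue.c, @@ -331,7 +331,7 @@), the context directly above the changed line is the tail of a validation block ("filter.__reserved != 0) return -EINVAL;") whose other conditions are not shown; if that block already bounds filter.nr_filters, the commit message's "there is no overflow-check" should be reworded to say the conversion is hardening and API unification rather than a fix for a reachable overflow. Either way, state in the message which of the two applies to this call site.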
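
Review bot: In patch 4/5 (drivers/gpu/drm/drm_lease.c, @@ -510,8 +510,8 @@), the removed lines already computed the size with array_size(object_count, sizeof(__u32)), which saturates to SIZE_MAX on overflow, so "Currently, there is no overflow-check with memdup_user()" does not describe this call site. Reword the commit message to say the patch replaces array_size() with the new wrapper, and note that the error on overflow becomes -EOVERFLOW, which reaches ret = PTR_ERR(object_ids).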
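
Review bot: In patch 5/5 (drivers/gpu/drm/vmwgfx/vmwgfx_surface.c, @@ -777,9 +777,9 @@), the first argument keeps the open-coded cast (struct drm_vmw_size __user *)(unsigned long) req->size_addr; since the call is being rewritten anyway and patch 4/5 uses u64_to_user_ptr() for the same purpose, consider u64_to_user_ptr(req->size_addr) here if size_addr is a 64-bit field. The subject line says "vmgfx_surface.c" while the file in the diff is vmwgfx_surface.c.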