diff options
| author | Philipp Stanner <pstanner@redhat.com> | 2023-09-20 14:36:11 +0200 |
|---|---|---|
| committer | Dave Airlie <airlied@redhat.com> | 2023-10-09 16:59:48 +1000 |
| commit | ca0776571d3163bd03b3e8c9e3da936abfaecbf6 (patch) | |
| tree | e9badd886152b006c499a64c601b31743802e4c3 | |
| parent | 569c8d82f95eb5993c84fb61a649a9c4ddd208b3 (diff) | |
| download | lwn-ca0776571d3163bd03b3e8c9e3da936abfaecbf6.tar.gz lwn-ca0776571d3163bd03b3e8c9e3da936abfaecbf6.zip | |
kernel: watch_queue: copy user-array safely
Currently, there is no overflow-check with memdup_user().
Use the new function memdup_array_user() instead of memdup_user() for
duplicating the user-space array safely.
Suggested-by: David Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-5-pstanner@redhat.com
| -rw-r--r-- | kernel/watch_queue.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c index d0b6b390ee42..778b4056700f 100644 --- a/kernel/watch_queue.c +++ b/kernel/watch_queue.c @@ -331,7 +331,7 @@ long watch_queue_set_filter(struct pipe_inode_info *pipe, filter.__reserved != 0) return -EINVAL; - tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf)); + tf = memdup_array_user(_filter->filters, filter.nr_filters, sizeof(*tf)); if (IS_ERR(tf)) return PTR_ERR(tf); |