[PATCH] fs/nilfs2: copy userspace-array safely

From: Philipp Stanner
Date: Thu Nov 02 2023 - 14:39:07 EST

Next message: Maxim Levitsky: "Re: [PATCH v6 19/25] KVM: VMX: Emulate read and write to CET MSRs"
Previous message: pr-tracker-bot: "Re: [GIT PULL] ksmbd server fixes"
Next in thread: Ryusuke Konishi: "Re: [PATCH] fs/nilfs2: copy userspace-array safely"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

ioctl.c utilizes memdup_user() to copy a userspace array. This is done
without an overflow-check.

Use the new wrapper memdup_array_user() to copy the array more safely.

Suggested-by: Dave Airlie <airlied@xxxxxxxxxx>
Signed-off-by: Philipp Stanner <pstanner@xxxxxxxxxx>
---
Linus recently merged this new wrapper for Kernel v6.7
---
fs/nilfs2/ioctl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 40ffade49f38..6a9dceebb18d 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -877,11 +877,11 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,

/*
* argv[4] points to segment numbers this ioctl cleans. We
- * use kmalloc() for its buffer because memory used for the
- * segment numbers is enough small.
+ * use kmalloc() for its buffer because the memory used for the
+ * segment numbers is small enough.
*/
- kbufs[4] = memdup_user((void __user *)(unsigned long)argv[4].v_base,
- nsegs * sizeof(__u64));
+ kbufs[4] = memdup_array_user((void __user *)(unsigned long)argv[4].v_base,
+ nsegs, sizeof(__u64));
if (IS_ERR(kbufs[4])) {
ret = PTR_ERR(kbufs[4]);
goto out;
--
2.41.0

Next message: Maxim Levitsky: "Re: [PATCH v6 19/25] KVM: VMX: Emulate read and write to CET MSRs"
Previous message: pr-tracker-bot: "Re: [GIT PULL] ksmbd server fixes"
Next in thread: Ryusuke Konishi: "Re: [PATCH] fs/nilfs2: copy userspace-array safely"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]