Re: [PATCH] drivers/fpga: copy userspace array safely

From: Xu Yilun
Date: Tue Nov 14 2023 - 02:24:37 EST

Next message: Dmitry Vyukov: "Re: [RFC PATCH] kasan: Record and report more information"
Previous message: Herve Codina: "Re: [PATCH v2 1/1] driver core: Keep the supplier fwnode consistent with the device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Nov 02, 2023 at 07:49:09PM +0100, Philipp Stanner wrote:
> dfl.c utilizes memdup_user() and array_size() to copy a userspace array.
> Currently, this does not check for an overflow.

array_size() actually checks for overflow, so please re-write the changelog.

Thanks,
Yilun

>
> Use the new wrapper memdup_array_user() to copy the array more safely.
>
> Suggested-by: Dave Airlie <airlied@xxxxxxxxxx>
> Signed-off-by: Philipp Stanner <pstanner@xxxxxxxxxx>
> ---
> Linus recently merged this new wrapper for Kernel v6.7
> ---
> drivers/fpga/dfl.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c
> index dd7a783d53b5..e69b9f1f2a50 100644
> --- a/drivers/fpga/dfl.c
> +++ b/drivers/fpga/dfl.c
> @@ -2008,8 +2008,8 @@ long dfl_feature_ioctl_set_irq(struct platform_device *pdev,
> (hdr.start + hdr.count < hdr.start))
> return -EINVAL;
>
> - fds = memdup_user((void __user *)(arg + sizeof(hdr)),
> - array_size(hdr.count, sizeof(s32)));
> + fds = memdup_array_user((void __user *)(arg + sizeof(hdr)),
> + hdr.count, sizeof(s32));
> if (IS_ERR(fds))
> return PTR_ERR(fds);
>
> --
> 2.41.0
>

Next message: Dmitry Vyukov: "Re: [RFC PATCH] kasan: Record and report more information"
Previous message: Herve Codina: "Re: [PATCH v2 1/1] driver core: Keep the supplier fwnode consistent with the device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]