drivers/media/dvb-core: copy user arrays safely

Message ID	20231102191633.52592-2-pstanner@redhat.com
State	Accepted
Commit	102fb77c2deb0df3683ef8ff7a6f4cf91dc456e2
Headers	show Return-Path: <linux-media-owner@vger.kernel.org> From: Philipp Stanner <pstanner@redhat.com> To: Mauro Carvalho Chehab <mchehab@kernel.org>, Robert Schlabbach <robert_s@gmx.net>, Takashi Iwai <tiwai@suse.de>, Hyunwoo Kim <imv4bel@gmail.com>, Lin Ma <linma@zju.edu.cn>, Chen Zhongjin <chenzhongjin@huawei.com> Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Philipp Stanner <pstanner@redhat.com>, Dave Airlie <airlied@redhat.com> Subject: [PATCH] drivers/media/dvb-core: copy user arrays safely Date: Thu, 2 Nov 2023 20:16:34 +0100 Message-ID: <20231102191633.52592-2-pstanner@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	drivers/media/dvb-core: copy user arrays safely \| expand drivers/media/dvb-core: copy user arrays safely

Message ID

20231102191633.52592-2-pstanner@redhat.com

State

Accepted

Commit

102fb77c2deb0df3683ef8ff7a6f4cf91dc456e2

Headers

From: Philipp Stanner <pstanner@redhat.com>
To: Mauro Carvalho Chehab <mchehab@kernel.org>,
        Robert Schlabbach <robert_s@gmx.net>,
        Takashi Iwai <tiwai@suse.de>, Hyunwoo Kim <imv4bel@gmail.com>,
        Lin Ma <linma@zju.edu.cn>,
        Chen Zhongjin <chenzhongjin@huawei.com>
Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
        Philipp Stanner <pstanner@redhat.com>,
        Dave Airlie <airlied@redhat.com>
Subject: [PATCH] drivers/media/dvb-core: copy user arrays safely
Date: Thu,  2 Nov 2023 20:16:34 +0100
Message-ID: <20231102191633.52592-2-pstanner@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

drivers/media/dvb-core: copy user arrays safely | expand

Commit Message

Philipp Stanner Nov. 2, 2023, 7:16 p.m. UTC

At several positions in dvb_frontend.c, memdup_user() is utilized to
copy userspace arrays. This is done without overflow checks.

Use the new wrapper memdup_array_user() to copy the arrays more safely.

Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
---
 drivers/media/dvb-core/dvb_frontend.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
index 9293b058ab99..93d3378a0df4 100644
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -2168,7 +2168,8 @@  static int dvb_frontend_handle_compat_ioctl(struct file *file, unsigned int cmd,
 		if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
 			return -EINVAL;
 
-		tvp = memdup_user(compat_ptr(tvps->props), tvps->num * sizeof(*tvp));
+		tvp = memdup_array_user(compat_ptr(tvps->props),
+					tvps->num, sizeof(*tvp));
 		if (IS_ERR(tvp))
 			return PTR_ERR(tvp);
 
@@ -2199,7 +2200,8 @@  static int dvb_frontend_handle_compat_ioctl(struct file *file, unsigned int cmd,
 		if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
 			return -EINVAL;
 
-		tvp = memdup_user(compat_ptr(tvps->props), tvps->num * sizeof(*tvp));
+		tvp = memdup_array_user(compat_ptr(tvps->props),
+					tvps->num, sizeof(*tvp));
 		if (IS_ERR(tvp))
 			return PTR_ERR(tvp);
 
@@ -2379,7 +2381,8 @@  static int dvb_get_property(struct dvb_frontend *fe, struct file *file,
 	if (!tvps->num || tvps->num > DTV_IOCTL_MAX_MSGS)
 		return -EINVAL;
 
-	tvp = memdup_user((void __user *)tvps->props, tvps->num * sizeof(*tvp));
+	tvp = memdup_array_user((void __user *)tvps->props,
+				tvps->num, sizeof(*tvp));
 	if (IS_ERR(tvp))
 		return PTR_ERR(tvp);
 
@@ -2457,7 +2460,8 @@  static int dvb_frontend_handle_ioctl(struct file *file,
 		if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
 			return -EINVAL;
 
-		tvp = memdup_user((void __user *)tvps->props, tvps->num * sizeof(*tvp));
+		tvp = memdup_array_user((void __user *)tvps->props,
+					tvps->num, sizeof(*tvp));
 		if (IS_ERR(tvp))
 			return PTR_ERR(tvp);

drivers/media/dvb-core: copy user arrays safely

Commit Message

Patch