[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-fpga
Subject:    Re: [PATCH] drivers/fpga: copy userspace array safely
From:       Xu Yilun <yilun.xu () linux ! intel ! com>
Date:       2023-11-14 7:22:47
Message-ID: ZVMgR4Z71l7ZsllC () yilunxu-OptiPlex-7050
[Download RAW message or body]

On Thu, Nov 02, 2023 at 07:49:09PM +0100, Philipp Stanner wrote:
> dfl.c utilizes memdup_user() and array_size() to copy a userspace array.
> Currently, this does not check for an overflow.

array_size() actually checks for overflow, so please re-write the changelog.

Thanks,
Yilun

> 
> Use the new wrapper memdup_array_user() to copy the array more safely.
> 
> Suggested-by: Dave Airlie <airlied@redhat.com>
> Signed-off-by: Philipp Stanner <pstanner@redhat.com>
> ---
> Linus recently merged this new wrapper for Kernel v6.7
> ---
>  drivers/fpga/dfl.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c
> index dd7a783d53b5..e69b9f1f2a50 100644
> --- a/drivers/fpga/dfl.c
> +++ b/drivers/fpga/dfl.c
> @@ -2008,8 +2008,8 @@ long dfl_feature_ioctl_set_irq(struct platform_device *pdev,
>  	    (hdr.start + hdr.count < hdr.start))
>  		return -EINVAL;
>  
> -	fds = memdup_user((void __user *)(arg + sizeof(hdr)),
> -			  array_size(hdr.count, sizeof(s32)));
> +	fds = memdup_array_user((void __user *)(arg + sizeof(hdr)),
> +				hdr.count, sizeof(s32));
>  	if (IS_ERR(fds))
>  		return PTR_ERR(fds);
>  
> -- 
> 2.41.0
> 

[prev in list] [next in list] [prev in thread] [next in thread]