kernel: watch_queue: copy user-array safely

[ Upstream commit ca0776571d3163bd03b3e8c9e3da936abfaecbf6 ] Currently, there is no overflow-check with memdup_user(). Use the new function memdup_array_user() instead of memdup_user() for duplicating the user-space array safely. Suggested-by: David Airlie <airlied@redhat.com> Signed-off-by: Philipp Stanner <pstanner@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Zack Rusin <zackr@vmware.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-5-pstanner@redhat.com Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Philipp Stanner <pstanner@redhat.com> 2023-09-20 14:36:11 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-11-28 17:14:45 +0000
commit: c7acf02df1673a4ea7d6401ac4bc773ffe6a88f6 (patch)
tree: f9f85ddca1d7c6f12e864941e49986f87dd37147
parent: b0ed017a2b9735753eb95798d9f60176480424ca (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
index d0b6b390ee42..778b4056700f 100644
--- a/kernel/watch_queue.c
+++ b/kernel/watch_queue.c
@@ -331,7 +331,7 @@ long watch_queue_set_filter(struct pipe_inode_info *pipe,
 	    filter.__reserved != 0)
 		return -EINVAL;
 
-	tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf));
+	tf = memdup_array_user(_filter->filters, filter.nr_filters, sizeof(*tf));
 	if (IS_ERR(tf))
 		return PTR_ERR(tf);
author	Philipp Stanner <pstanner@redhat.com>	2023-09-20 14:36:11 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2023-11-28 17:14:45 +0000
commit	c7acf02df1673a4ea7d6401ac4bc773ffe6a88f6 (patch)
tree	f9f85ddca1d7c6f12e864941e49986f87dd37147
parent	b0ed017a2b9735753eb95798d9f60176480424ca (diff)