| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231102183751.47413-1-pstanner@redhat.com>
Date: Thu, 2 Nov 2023 19:37:51 +0100
From: Philipp Stanner <pstanner@...hat.com>
To: Ryusuke Konishi <konishi.ryusuke@...il.com>
Cc: linux-nilfs@...r.kernel.org, linux-kernel@...r.kernel.org,
Philipp Stanner <pstanner@...hat.com>,
Dave Airlie <airlied@...hat.com>
Subject: [PATCH] fs/nilfs2: copy userspace-array safely
ioctl.c utilizes memdup_user() to copy a userspace array. This is done
without an overflow-check.
Use the new wrapper memdup_array_user() to copy the array more safely.
Suggested-by: Dave Airlie <airlied@...hat.com>
Signed-off-by: Philipp Stanner <pstanner@...hat.com>
---
Linus recently merged this new wrapper for Kernel v6.7
---
fs/nilfs2/ioctl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index 40ffade49f38..6a9dceebb18d 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -877,11 +877,11 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
/*
* argv[4] points to segment numbers this ioctl cleans. We
- * use kmalloc() for its buffer because memory used for the
- * segment numbers is enough small.
+ * use kmalloc() for its buffer because the memory used for the
+ * segment numbers is small enough.
*/
- kbufs[4] = memdup_user((void __user *)(unsigned long)argv[4].v_base,
- nsegs * sizeof(__u64));
+ kbufs[4] = memdup_array_user((void __user *)(unsigned long)argv[4].v_base,
+ nsegs, sizeof(__u64));
if (IS_ERR(kbufs[4])) {
ret = PTR_ERR(kbufs[4]);
goto out;
--
2.41.0
Powered by blists - more mailing lists