[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231102190848.51376-2-pstanner@redhat.com>
Date: Thu, 2 Nov 2023 20:08:49 +0100
From: Philipp Stanner <pstanner@...hat.com>
To: Ian Abbott <abbotti@....co.uk>,
H Hartley Sweeten <hsweeten@...ionengravers.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Philipp Stanner <pstanner@...hat.com>,
Ivan Orlov <ivan.orlov0322@...il.com>,
Benjamin Tissoires <benjamin.tissoires@...hat.com>
Cc: linux-kernel@...r.kernel.org, Dave Airlie <airlied@...hat.com>
Subject: [PATCH] drivers/comedi: copy userspace array safely
comedi_fops.c utilizes memdup_user() to copy a userspace array. This
does not check for an overflow.
Use the new wrapper memdup_array_user() to copy the array more safely.
Suggested-by: Dave Airlie <airlied@...hat.com>
Signed-off-by: Philipp Stanner <pstanner@...hat.com>
---
drivers/comedi/comedi_fops.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
index 1548dea15df1..1b481731df96 100644
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1714,8 +1714,8 @@ static int __comedi_get_user_chanlist(struct comedi_device *dev,
lockdep_assert_held(&dev->mutex);
cmd->chanlist = NULL;
- chanlist = memdup_user(user_chanlist,
- cmd->chanlist_len * sizeof(unsigned int));
+ chanlist = memdup_array_user(user_chanlist,
+ cmd->chanlist_len, sizeof(unsigned int));
if (IS_ERR(chanlist))
return PTR_ERR(chanlist);
--
2.41.0
Powered by blists - more mailing lists