projects
/
platform
/
kernel
/
linux-rpi.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
4fc857c
)
kernel: watch_queue: copy user-array safely
author
Philipp Stanner
<pstanner@redhat.com>
Wed, 20 Sep 2023 12:36:11 +0000
(14:36 +0200)
committer
Greg Kroah-Hartman
<gregkh@linuxfoundation.org>
Tue, 28 Nov 2023 17:19:40 +0000
(17:19 +0000)
[ Upstream commit
ca0776571d3163bd03b3e8c9e3da936abfaecbf6
]
Currently, there is no overflow-check with memdup_user().
Use the new function memdup_array_user() instead of memdup_user() for
duplicating the user-space array safely.
Suggested-by: David Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link:
https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-5-pstanner@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
kernel/watch_queue.c
patch
|
blob
|
history
diff --git
a/kernel/watch_queue.c
b/kernel/watch_queue.c
index
d0b6b39
..
778b405
100644
(file)
--- a/
kernel/watch_queue.c
+++ b/
kernel/watch_queue.c
@@
-331,7
+331,7
@@
long watch_queue_set_filter(struct pipe_inode_info *pipe,
filter.__reserved != 0)
return -EINVAL;
- tf = memdup_
user(_filter->filters, filter.nr_filters *
sizeof(*tf));
+ tf = memdup_
array_user(_filter->filters, filter.nr_filters,
sizeof(*tf));
if (IS_ERR(tf))
return PTR_ERR(tf);