drm: vmwgfx_surface.c: copy user-array safely

[ Upstream commit 06ab64a0d836ac430c5f94669710a78aa43942cb ]

Currently, there is no overflow-check with memdup_user().

Use the new function memdup_array_user() instead of memdup_user() for
duplicating the user-space array safely.

Suggested-by: David Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-7-pstanner@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index 3829be2..17463ae 100644 (file)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -774,9 +774,9 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
               sizeof(metadata->mip_levels));
        metadata->num_sizes = num_sizes;
        metadata->sizes =
-               memdup_user((struct drm_vmw_size __user *)(unsigned long)
+               memdup_array_user((struct drm_vmw_size __user *)(unsigned long)
                            req->size_addr,
-                           sizeof(*metadata->sizes) * metadata->num_sizes);
+                           metadata->num_sizes, sizeof(*metadata->sizes));
        if (IS_ERR(metadata->sizes)) {
                ret = PTR_ERR(metadata->sizes);
                goto out_no_sizes;