tty/vt: check allocation size in con_set_unimap()

The vmemdup_user() function has no 2-factor argument form. Use array_size()
to check for the overflow.

Signed-off-by: Denis Efremov <efremov@linux.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20200603102804.2110817-1-efremov@linux.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c
index c1be96b..5947b54 100644 (file)
--- a/drivers/tty/vt/consolemap.c
+++ b/drivers/tty/vt/consolemap.c
@@ -542,7 +542,7 @@ int con_set_unimap(struct vc_data *vc, ushort ct, struct unipair __user *list)
        if (!ct)
                return 0;
 
-       unilist = vmemdup_user(list, ct * sizeof(struct unipair));
+       unilist = vmemdup_user(list, array_size(sizeof(struct unipair), ct));
        if (IS_ERR(unilist))
                return PTR_ERR(unilist);