From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sean Young, Daniel Borkmann, Sasha Levin, linux-media@vger.kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 5.13 166/189] media, bpf: Do not copy more entries than user space requested
Date: Tue, 6 Jul 2021 07:13:46 -0400
Message-Id: <20210706111409.2058071-166-sashal@kernel.org>

From: Sean Young

[ Upstream commit 647d446d66e493d23ca1047fa8492b0269674530 ]

The syscall bpf(BPF_PROG_QUERY, &attr) should use the prog_cnt field to see how many entries user space provided and return ENOSPC if there are more programs than that. Before this patch, this is not checked and ENOSPC is never returned.

Note that one lirc device is limited to 64 bpf programs, and user space I'm aware of -- ir-keytable -- always gives enough space for 64 entries already. However, we should not copy more program ids than are requested.

Signed-off-by: Sean Young
Signed-off-by: Daniel Borkmann
Link: https://lore.kernel.org/bpf/20210623213754.632-1-sean@mess.org
Signed-off-by: Sasha Levin

--- drivers/media/rc/bpf-lirc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c index 3fe3edd80876..afae0afe3f81 100644 --- a/drivers/media/rc/bpf-lirc.c +++ b/drivers/media/rc/bpf-lirc.c @@ -326,7 +326,8 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr) } if (attr->query.prog_cnt != 0 && prog_ids && cnt) - ret = bpf_prog_array_copy_to_user(progs, prog_ids, cnt); + ret = bpf_prog_array_copy_to_user(progs, prog_ids, + attr->query.prog_cnt); unlock: mutex_unlock(&ir_raw_handler_lock); -- 2.30.2
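
Review bot: In the changed call in lirc_prog_query(), the ENOSPC return that the commit message promises is not visible: the hunk only swaps the third argument from cnt to attr->query.prog_cnt, so the error has to come from inside bpf_prog_array_copy_to_user() when the array holds more ids than that count. A short comment above the call, or a sentence in the commit message, stating that the code relies on the helper for the ENOSPC return would make that explicit. For stable reviewers the message should also spell out the user-visible change: before, cnt ids were written to prog_ids regardless of the prog_cnt the caller declared, and a caller with a smaller buffer will now get an error where it previously got success. The guard still tests cnt while the copy length is now attr->query.prog_cnt; whether the total count is still reported back through uattr, so that user space can retry with a larger buffer, cannot be checked from these lines and is worth confirming.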