From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Young, Daniel Borkmann, Sasha Levin
Subject: [PATCH 5.4 061/122] media, bpf: Do not copy more entries than user space requested
Date: Thu, 15 Jul 2021 20:38:28 +0200
Message-Id: <20210715182505.782707516@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210715182448.393443551@linuxfoundation.org>
References: <20210715182448.393443551@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Young

[ Upstream commit 647d446d66e493d23ca1047fa8492b0269674530 ]

The syscall bpf(BPF_PROG_QUERY, &attr) should use the prog_cnt field to see how many entries user space provided and return ENOSPC if there are more programs than that. Before this patch, this is not checked and ENOSPC is never returned.

Note that one lirc device is limited to 64 bpf programs, and user space I'm aware of -- ir-keytable -- always gives enough space for 64 entries already. However, we should not copy more program ids than are requested.

Signed-off-by: Sean Young
Signed-off-by: Daniel Borkmann
Link: https://lore.kernel.org/bpf/20210623213754.632-1-sean@mess.org
Signed-off-by: Sasha Levin
--- drivers/media/rc/bpf-lirc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c index 0a0ce620e4a2..d5f839fdcde7 100644 --- a/drivers/media/rc/bpf-lirc.c +++ b/drivers/media/rc/bpf-lirc.c @@ -329,7 +329,8 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr) } if (attr->query.prog_cnt != 0 && prog_ids && cnt) - ret = bpf_prog_array_copy_to_user(progs, prog_ids, cnt); + ret = bpf_prog_array_copy_to_user(progs, prog_ids, + attr->query.prog_cnt); unlock: mutex_unlock(&ir_raw_handler_lock); -- 2.30.2
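
Review bot: In the changed call in lirc_prog_query(), the count handed to bpf_prog_array_copy_to_user() is now `attr->query.prog_cnt`, a value taken straight from user space that the guard on the preceding line only checks for being non-zero; `cnt` still appears in that guard but no longer bounds the copy. Nothing in this hunk shows what the callee does when prog_cnt is larger than the number of attached programs, so please confirm that it limits the copy (and any buffer it sizes from this argument) to the entries actually present, or clamp the argument here against `cnt` or the 64-program limit the commit message mentions. A one-line comment at the call saying that the ENOSPC result for prog_cnt smaller than the attached count comes from the callee would also help, since that return path is not visible at this site.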