From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Young, Daniel Borkmann, Sasha Levin
Subject: [PATCH 5.10 113/215] media, bpf: Do not copy more entries than user space requested
Date: Thu, 15 Jul 2021 20:38:05 +0200
Message-Id: <20210715182619.516039030@linuxfoundation.org>
In-Reply-To: <20210715182558.381078833@linuxfoundation.org>

From: Sean Young

[ Upstream commit 647d446d66e493d23ca1047fa8492b0269674530 ]

The syscall bpf(BPF_PROG_QUERY, &attr) should use the prog_cnt field to see how many entries user space provided and return ENOSPC if there are more programs than that. Before this patch, this is not checked and ENOSPC is never returned.

Note that one lirc device is limited to 64 bpf programs, and user space I'm aware of -- ir-keytable -- always gives enough space for 64 entries already. However, we should not copy more program ids than are requested.

Signed-off-by: Sean Young
Signed-off-by: Daniel Borkmann
Link: https://lore.kernel.org/bpf/20210623213754.632-1-sean@mess.org
Signed-off-by: Sasha Levin
--- drivers/media/rc/bpf-lirc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c index 3fe3edd80876..afae0afe3f81 100644 --- a/drivers/media/rc/bpf-lirc.c +++ b/drivers/media/rc/bpf-lirc.c @@ -326,7 +326,8 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr) } if (attr->query.prog_cnt != 0 && prog_ids && cnt) - ret = bpf_prog_array_copy_to_user(progs, prog_ids, cnt); + ret = bpf_prog_array_copy_to_user(progs, prog_ids, + attr->query.prog_cnt); unlock: mutex_unlock(&ir_raw_handler_lock); -- 2.30.2
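Review bot: The ENOSPC return promised in the commit message is not visible at the call site in lirc_prog_query(); it depends entirely on bpf_prog_array_copy_to_user() reporting truncation when it is handed attr->query.prog_cnt instead of cnt. A one-line comment above the call, stating that a user buffer smaller than the attached program count yields -ENOSPC, would make that contract explicit for the next reader. Since the copy is now bounded by a user-supplied value rather than the kernel's own cnt, it is also worth confirming that the count reported back to user space (outside this hunk) is still the full cnt, so a caller that receives ENOSPC can size its buffer and retry.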