From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Young, Daniel Borkmann, Sasha Levin
Subject: [PATCH 5.13 153/266] media, bpf: Do not copy more entries than user space requested
Date: Thu, 15 Jul 2021 20:38:28 +0200
Message-Id: <20210715182640.194869366@linuxfoundation.org>

From: Sean Young

[ Upstream commit 647d446d66e493d23ca1047fa8492b0269674530 ]

The syscall bpf(BPF_PROG_QUERY, &attr) should use the prog_cnt field to
see how many entries user space provided and return ENOSPC if there are
more programs than that. Before this patch, this is not checked and
ENOSPC is never returned.

Note that one lirc device is limited to 64 bpf programs, and user space
I'm aware of -- ir-keytable -- always gives enough space for 64 entries
already. However, we should not copy more program ids than are requested.

Signed-off-by: Sean Young
Signed-off-by: Daniel Borkmann
Link: https://lore.kernel.org/bpf/20210623213754.632-1-sean@mess.org
Signed-off-by: Sasha Levin

--- drivers/media/rc/bpf-lirc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c index 3fe3edd80876..afae0afe3f81 100644 --- a/drivers/media/rc/bpf-lirc.c +++ b/drivers/media/rc/bpf-lirc.c @@ -326,7 +326,8 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr) } if (attr->query.prog_cnt != 0 && prog_ids && cnt) - ret = bpf_prog_array_copy_to_user(progs, prog_ids, cnt); + ret = bpf_prog_array_copy_to_user(progs, prog_ids, + attr->query.prog_cnt); unlock: mutex_unlock(&ir_raw_handler_lock); -- 2.30.2
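Review bot: In lirc_prog_query(), the ENOSPC behaviour the commit message promises is not visible at the changed call: the guard still tests `cnt`, but the length passed to bpf_prog_array_copy_to_user() is now `attr->query.prog_cnt`, so the hunk depends entirely on that helper to compare the user-supplied bound against the number of attached programs and return the error. A one-line comment above the call would make that contract explicit, stating that `cnt` is the number of attached programs, that `attr->query.prog_cnt` is the capacity of the user buffer `prog_ids`, and that the helper is expected to copy at most that many ids and report ENOSPC when there are more. Since this is a stable backport that changes a return value user space can observe, it is also worth confirming in the changelog that callers which pass a smaller `prog_cnt` handle the new error; the message names only ir-keytable, which always supplies space for 64 entries.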