From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Young, Daniel Borkmann, Sasha Levin
Subject: [PATCH 5.12 131/242] media, bpf: Do not copy more entries than user space requested
Date: Thu, 15 Jul 2021 20:38:13 +0200
Message-Id: <20210715182616.090328656@linuxfoundation.org>
In-Reply-To: <20210715182551.731989182@linuxfoundation.org>
References: <20210715182551.731989182@linuxfoundation.org>

From: Sean Young

[ Upstream commit 647d446d66e493d23ca1047fa8492b0269674530 ]

The syscall bpf(BPF_PROG_QUERY, &attr) should use the prog_cnt field to see
how many entries user space provided and return ENOSPC if there are more
programs than that. Before this patch, this is not checked and ENOSPC is
never returned.

Note that one lirc device is limited to 64 bpf programs, and user space I'm
aware of -- ir-keytable -- always gives enough space for 64 entries already.
However, we should not copy more program ids than are requested.

Signed-off-by: Sean Young
Signed-off-by: Daniel Borkmann
Link: https://lore.kernel.org/bpf/20210623213754.632-1-sean@mess.org
Signed-off-by: Sasha Levin
--- drivers/media/rc/bpf-lirc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c index 3fe3edd80876..afae0afe3f81 100644 --- a/drivers/media/rc/bpf-lirc.c +++ b/drivers/media/rc/bpf-lirc.c @@ -326,7 +326,8 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr) } if (attr->query.prog_cnt != 0 && prog_ids && cnt) - ret = bpf_prog_array_copy_to_user(progs, prog_ids, cnt); + ret = bpf_prog_array_copy_to_user(progs, prog_ids, + attr->query.prog_cnt); unlock: mutex_unlock(&ir_raw_handler_lock); -- 2.30.2
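
Review bot: the new third argument at the bpf_prog_array_copy_to_user() call, attr->query.prog_cnt, is a user-supplied count passed through with no upper bound visible in this hunk. The guard on the line above only checks that it is non-zero, and the commit message says a lirc device holds at most 64 programs, so it is worth confirming that the helper tolerates a prog_cnt far larger than cnt, or clamping it before the call. The changelog also promises ENOSPC when there are more programs than prog_cnt, but nothing in the changed lines sets it; a one-line comment noting that the return value comes from the helper on truncation would make that dependency clear to the next reader.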