Received: by 2002:a05:7412:8521:b0:e2:908c:2ebd with SMTP id t33csp41423rdf;
        Thu, 2 Nov 2023 13:11:14 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFVOmAXyRhWrtm6F5ARYavcVXWHhVvPeilWPyE/VydNwP9YyNxSNr1tKfWFSorFm3SrahxD
X-Received: by 2002:a17:90a:f0c9:b0:280:cc88:2a46 with SMTP id fa9-20020a17090af0c900b00280cc882a46mr4864139pjb.4.1698955873831;
        Thu, 02 Nov 2023 13:11:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1698955873; cv=none;
        d=google.com; s=arc-20160816;
        b=I6cQ4lKE7pmFjcjuIP0TcTKDcRVjlEPjtaVXtCHBwWduXzq5asDvj7IDcVmO47F9ro
         U8dRIrFifC8cn/YvVYTnK5KOCh19qxw+Qqt5xhdn19pkEp03I0LJewcjb1lVuVpoK+RH
         JxqQ2nP/AdGHzUqncT5bboONYOaXrA6ekU6FA8TFEOQbxSRbI7rRNYtSRDkduWseVnwB
         KJTTXY3UEL2mdSyPb8sUSl9uTQ0bhkcML1pd21WPyJgkvZqY/4Xg3F2WmPIYvga2976L
         9IYV5+sgt4hDmi7yopqDngqIh5m+fknQcDtR4h28tGalB/Oi48ZGBXL+7b7to6c6hlZf
         Jb8A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=q2W1VCZdvfcA1TvVxXUd1wwMlA+b5wW2gVN59Ibyspc=;
        fh=3DkfWbZF7O9mTujX+uddNVVmJhjTAGXjKU1HsngAIr4=;
        b=r6y2QEGpAIK8zn1uUlJKPoG9Gq0f8whhjpxgS917vNPfmUlMrLcBcO3VTiqYDPk7Dv
         gqkLzr1SZo9r7lZuNsP7a9ZkU5AmeAjZS5SFcZHw0zbArJ2UgMIbzhhXGs1n8s0EXQcM
         tYd2xlSqTI4FcZWrbTRGQIO+UTSlRv2LNQKiWs2ybiktAGJWeDyibx2VDrgP+jglR0dI
         wMwOFuVZFcyPteRfUxmN5lRkkxQZQEq5kTtzkuUNV9Ws17Ew9KX9rwhFo8rzGxnYbir/
         Uqb8jnyegZ3jEm5MUWxFSGT2ugf28Aeu4MjEqs4zWoST6DcD5zbZxKnakWMUe85Y7+uv
         KHqA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b=aHT35T9I;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33])
        by mx.google.com with ESMTPS id bo13-20020a17090b090d00b0028074aabfecsi353119pjb.128.2023.11.02.13.11.13
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 02 Nov 2023 13:11:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b=aHT35T9I;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id 49CBD808D692;
	Thu,  2 Nov 2023 13:10:54 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1377416AbjKBUKD (ORCPT <rfc822;gvb.lkml@gmail.com> + 99 others);
        Thu, 2 Nov 2023 16:10:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35714 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1377411AbjKBUKC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 2 Nov 2023 16:10:02 -0400
Received: from zeniv.linux.org.uk (zeniv.linux.org.uk [IPv6:2a03:a000:7:0:5054:ff:fe1c:15ff])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 58511134;
        Thu,  2 Nov 2023 13:09:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=linux.org.uk; s=zeniv-20220401; h=Sender:In-Reply-To:Content-Type:
        MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description;
        bh=q2W1VCZdvfcA1TvVxXUd1wwMlA+b5wW2gVN59Ibyspc=; b=aHT35T9Ietusi+0XZYIXiBINUJ
        eAUi5eDPtSXy7tipUD14EmKIbdFtl5ZIe07MLB8laIK8XFiYommLBXXMFg6ZajQ2Ae6J+iUm2/tk9
        Jmwz/B/hiRzkfMxfUKwAVllzR0uDXOnJFoBQ9kKfKuil/VIcrasJe60saPARy9Qa75jUaLJ7GPjDu
        bIR41JKecfeLxkC+omQzMMfqER2bqSNWArHV181kHuYA/Wr1qwZeLLXQqBOA9J4jM1BivqGu5OCcN
        sB7I1paSx5pZYa0JUl1WNMDch2jdmJk2d4kCCm1JjxyB0RNSLmZYLIUSVX2NXIcgz2erurPEuut8l
        PnftacoA==;
Received: from viro by zeniv.linux.org.uk with local (Exim 4.96 #2 (Red Hat Linux))
        id 1qye0d-009w63-1T;
        Thu, 02 Nov 2023 20:09:43 +0000
Date:   Thu, 2 Nov 2023 20:09:43 +0000
From:   Al Viro <viro@zeniv.linux.org.uk>
To:     Philipp Stanner <pstanner@redhat.com>
Cc:     "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Stanislav Fomichev <sdf@google.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Benjamin Tissoires <benjamin.tissoires@redhat.com>,
        linux-ppp@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, Dave Airlie <airlied@redhat.com>
Subject: Re: [PATCH] drivers/net/ppp: copy userspace array safely
Message-ID: <20231102200943.GK1957730@ZenIV>
References: <20231102191914.52957-2-pstanner@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20231102191914.52957-2-pstanner@redhat.com>
Sender: Al Viro <viro@ftp.linux.org.uk>
X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Thu, 02 Nov 2023 13:10:54 -0700 (PDT)

On Thu, Nov 02, 2023 at 08:19:15PM +0100, Philipp Stanner wrote:
> In ppp_generic.c memdup_user() is utilized to copy a userspace array.
> This is done without an overflow check.
> 
> Use the new wrapper memdup_array_user() to copy the array more safely.

>  	fprog.len = uprog->len;
> -	fprog.filter = memdup_user(uprog->filter,
> -				   uprog->len * sizeof(struct sock_filter));
> +	fprog.filter = memdup_array_user(uprog->filter,
> +					 uprog->len, sizeof(struct sock_filter));

Far be it from me to discourage security theat^Whardening, but

struct sock_fprog {     /* Required for SO_ATTACH_FILTER. */
        unsigned short          len;    /* Number of filter blocks */
	struct sock_filter __user *filter;
};

struct sock_filter {    /* Filter block */
        __u16   code;   /* Actual filter code */
        __u8    jt;     /* Jump true */
        __u8    jf;     /* Jump false */
        __u32   k;      /* Generic multiuse field */
};

so you might want to mention that overflow in question would have to be
in multiplying an untrusted 16bit value by 8...