Date: Thu, 2 Nov 2023 20:14:24 +0000
From: Al Viro
To: Philipp Stanner
Cc: Greg Kroah-Hartman, Jiri Slaby, Andrew Morton, Kefeng Wang, Tony Luck, Ard Biesheuvel, linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org, Dave Airlie
Subject: Re: [PATCH] drivers/tty/vt: copy userspace arrays safely
Message-ID: <20231102201424.GL1957730@ZenIV>
In-Reply-To: <20231102192134.53301-2-pstanner@redhat.com>

On Thu, Nov 02, 2023 at 08:21:35PM +0100, Philipp Stanner wrote:
> The functions (v)memdup_user() are utilized to copy userspace arrays.
> This is done without overflow checks.
>
> Use the new wrappers memdup_array_user() and vmemdup_array_user() to
> copy the arrays more safely.
> @@ -644,7 +644,7 @@ int con_set_unimap(struct vc_data *vc, ushort ct, struct unipair __user *list) > if (!ct) > return 0; > - unilist = vmemdup_user(list, array_size(sizeof(*unilist), ct)); > + unilist = vmemdup_array_user(list, ct, sizeof(*unilist)); > if (IS_ERR(unilist)) > return PTR_ERR(unilist); a 16bit value times sizeof(something). > diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c > index 1fe6107b539b..802ceb0a5e4c 100644 > --- a/drivers/tty/vt/keyboard.c > +++ b/drivers/tty/vt/keyboard.c > @@ -1773,8 +1773,8 @@ int vt_do_diacrit(unsigned int cmd, void __user *udp, int perm) ... and here we have if (ct >= MAX_DIACR) return -EINVAL; directly upstream, so it's even better - a value below 256 times sizeof(something) > if (ct) { > > - dia = memdup_user(a->kbdiacr, > - sizeof(struct kbdiacr) * ct); > + dia = memdup_array_user(a->kbdiacr, > + ct, sizeof(struct kbdiacr)); > if (IS_ERR(dia)) > return PTR_ERR(dia); > > @@ -1811,8 +1811,8 @@ int vt_do_diacrit(unsigned int cmd, void __user *udp, int perm) > return -EINVAL; Ditto. > if (ct) { > - buf = memdup_user(a->kbdiacruc, > - ct * sizeof(struct kbdiacruc)); > + buf = memdup_array_user(a->kbdiacruc, > + ct, sizeof(struct kbdiacruc));
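
Review bot: in the con_set_unimap() hunk, the removed line already sized the copy with array_size(sizeof(*unilist), ct), which saturates instead of wrapping, and ct is a ushort in the signature shown in the hunk header, so the changelog's "This is done without overflow checks" does not describe this call site. Suggest rewording the commit message to say this conversion is for consistency with the new helpers, or splitting it from the call sites that used a bare multiplication.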
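
Review bot: in the two vt_do_diacrit() hunks, the changelog should state the existing bound on ct, since the "return -EINVAL;" context line at the top of the second keyboard.c hunk shows a range check runs before the copy and the products with sizeof(struct kbdiacr) and sizeof(struct kbdiacruc) are therefore already limited. Suggest describing these conversions as hardening rather than as a fix for a missing check, and, as a style point, checking whether "ct, sizeof(struct kbdiacr)" fits on the same line as the call instead of a continuation line.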