Received: by 2002:a05:7412:8521:b0:e2:908c:2ebd with SMTP id t33csp44157rdf;
        Thu, 2 Nov 2023 13:15:52 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGb4e62uzsiRjg3h5eO/sthbpjJlpSxqSS5VcRWXLIWQktPLEVjNJBcvmVO9WMYCqQJqRBo
X-Received: by 2002:a17:902:c40a:b0:1c6:30d1:7214 with SMTP id k10-20020a170902c40a00b001c630d17214mr20749336plk.55.1698956151664;
        Thu, 02 Nov 2023 13:15:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1698956151; cv=none;
        d=google.com; s=arc-20160816;
        b=Ys8qrYDeGNccYnnUqUptr0yv3vnLvGSLt2UOF6AOD/zg1CLRiYOrRFQU4+LZG3VTep
         OvFxxCLUbV2W5F9qK3WIIXO73Vin7+XEYszLmTCepaGtwMyx96kEzLcphPc/EE3YrVOi
         uMIc23MIEdc+ZKjfFzHn5crTYjbMSo1nQtkzlvveRhVnV3P/sK4gPr2ZMsoA03951rKE
         PY67nZeZUAXwHoaqz+z26AHg6XvfVMgG8Dd6LwdDWbHn+hqut9TU0YJr80LdQRbLaY6p
         WdS/9XBOQtzgKb55fCC1+FE3e65tgrGEi61p1DRl5LhW610qw5JK9EtRrbNA4WAbwJct
         KNhA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=x0Ufl3kJR9XTsSlPW8zcy4F+KQbvSb7QulGvGNZDl20=;
        fh=9GZ/6bRYKAYsTv2FCw0DQ7QtG0JsA9f+dG3tHMsHGiE=;
        b=nkj21ZdW6/eO9fGgKZeLGZj81/u29/9atHaLZUwDYQ2PLnF1rXa9FHXrMNjGhr1gpK
         BmdG4nFWbDfm3ZgTkkR/bIN3EInlQtFPTB5ZXjNkH4K+Kbz28EowajdPmaQUICsZCnTC
         RgIc9zBb1pNQ3pl6x6eziyccq4W7GpbrDBkKhjPjmXfARBEpY7gSupNIFeJG0WshMYVk
         iMbnSAL0/3DpyJF7RAW3IFsPttgVHB24bL9eadzedl/Vl66d4WTZRQRNTIEPXjZMOlIV
         QBbgvdQFdhaOKiULP8wpiZ0MbE6lnGQsG7MN31VST0izOQ7c1HbyX/ef8U2wM2kjjpZO
         3kVQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b=hsnTqt6l;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5])
        by mx.google.com with ESMTPS id 34-20020a630c62000000b005a9fde46f98si221224pgm.52.2023.11.02.13.15.51
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 02 Nov 2023 13:15:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b=hsnTqt6l;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by groat.vger.email (Postfix) with ESMTP id 26AEC8108BFF;
	Thu,  2 Nov 2023 13:15:08 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229810AbjKBUOo (ORCPT <rfc822;gvb.lkml@gmail.com> + 99 others);
        Thu, 2 Nov 2023 16:14:44 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37614 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229459AbjKBUOn (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 2 Nov 2023 16:14:43 -0400
Received: from zeniv.linux.org.uk (zeniv.linux.org.uk [IPv6:2a03:a000:7:0:5054:ff:fe1c:15ff])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BE59B186;
        Thu,  2 Nov 2023 13:14:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=linux.org.uk; s=zeniv-20220401; h=Sender:In-Reply-To:Content-Type:
        MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description;
        bh=x0Ufl3kJR9XTsSlPW8zcy4F+KQbvSb7QulGvGNZDl20=; b=hsnTqt6l5FBhErsMbFP3V4TOwo
        vIBBukr6dGYVafu3aQDwViROBtMTHDhpE3MHnpIJu62yqGAulAxh+601vevOFRWLFG8e0JrNF4oYS
        ofcAQupRAkB9xIkW31UitG/SV6382cNEJa9UFg1T7HaxPuzpv6y7/AKUNP1d74z0urG58dyB4X1Xw
        x4BGZWDY4hNpX2KLeCmdc4i+Tlwxdb+rH2IVkhKI07y8Upwj5GhK4jojqY3EGTddjujaJkXqnV+Gh
        CC+OFPe9c/jbyu5NLCOvuGFR2HoMYuRYpPt/8ldt1/uT4IdaER1ZcF/6evXO+NTz87efPGA5uDh40
        b4HYz/3Q==;
Received: from viro by zeniv.linux.org.uk with local (Exim 4.96 #2 (Red Hat Linux))
        id 1qye5A-009wCW-1o;
        Thu, 02 Nov 2023 20:14:24 +0000
Date:   Thu, 2 Nov 2023 20:14:24 +0000
From:   Al Viro <viro@zeniv.linux.org.uk>
To:     Philipp Stanner <pstanner@redhat.com>
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jirislaby@kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Kefeng Wang <wangkefeng.wang@huawei.com>,
        Tony Luck <tony.luck@intel.com>,
        Ard Biesheuvel <ardb@kernel.org>, linux-kernel@vger.kernel.org,
        linux-serial@vger.kernel.org, Dave Airlie <airlied@redhat.com>
Subject: Re: [PATCH] drivers/tty/vt: copy userspace arrays safely
Message-ID: <20231102201424.GL1957730@ZenIV>
References: <20231102192134.53301-2-pstanner@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20231102192134.53301-2-pstanner@redhat.com>
Sender: Al Viro <viro@ftp.linux.org.uk>
X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Thu, 02 Nov 2023 13:15:08 -0700 (PDT)

On Thu, Nov 02, 2023 at 08:21:35PM +0100, Philipp Stanner wrote:
> The functions (v)memdup_user() are utilized to copy userspace arrays.
> This is done without overflow checks.
> 
> Use the new wrappers memdup_array_user() and vmemdup_array_user() to
> copy the arrays more safely.

> @@ -644,7 +644,7 @@ int con_set_unimap(struct vc_data *vc, ushort ct, struct unipair __user *list)
>  	if (!ct)
>  		return 0;

> -	unilist = vmemdup_user(list, array_size(sizeof(*unilist), ct));
> +	unilist = vmemdup_array_user(list, ct, sizeof(*unilist));
>  	if (IS_ERR(unilist))
>  		return PTR_ERR(unilist);

a 16bit value times sizeof(something).
  
> diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
> index 1fe6107b539b..802ceb0a5e4c 100644
> --- a/drivers/tty/vt/keyboard.c
> +++ b/drivers/tty/vt/keyboard.c
> @@ -1773,8 +1773,8 @@ int vt_do_diacrit(unsigned int cmd, void __user *udp, int perm)

... and here we have
                if (ct >= MAX_DIACR)
			return -EINVAL;

directly upstream, so it's even better - a value below 256 times sizeof(something)

>  		if (ct) {
>  
> -			dia = memdup_user(a->kbdiacr,
> -					sizeof(struct kbdiacr) * ct);
> +			dia = memdup_array_user(a->kbdiacr,
> +						ct, sizeof(struct kbdiacr));
>  			if (IS_ERR(dia))
>  				return PTR_ERR(dia);
>  
> @@ -1811,8 +1811,8 @@ int vt_do_diacrit(unsigned int cmd, void __user *udp, int perm)
>  			return -EINVAL;

Ditto.

>  		if (ct) {
> -			buf = memdup_user(a->kbdiacruc,
> -					  ct * sizeof(struct kbdiacruc));
> +			buf = memdup_array_user(a->kbdiacruc,
> +						ct, sizeof(struct kbdiacruc));