Skip to content

Commit ca07765

Browse files
Philipp Stannerairlied
authored andcommitted
kernel: watch_queue: copy user-array safely
Currently, there is no overflow-check with memdup_user(). Use the new function memdup_array_user() instead of memdup_user() for duplicating the user-space array safely. Suggested-by: David Airlie <airlied@redhat.com> Signed-off-by: Philipp Stanner <pstanner@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Zack Rusin <zackr@vmware.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-5-pstanner@redhat.com
1 parent 569c8d8 commit ca07765

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

kernel/watch_queue.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -331,7 +331,7 @@ long watch_queue_set_filter(struct pipe_inode_info *pipe,
331331
filter.__reserved != 0)
332332
return -EINVAL;
333333

334-
tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf));
334+
tf = memdup_array_user(_filter->filters, filter.nr_filters, sizeof(*tf));
335335
if (IS_ERR(tf))
336336
return PTR_ERR(tf);
337337

0 commit comments

Comments
 (0)