[PATCH AUTOSEL 6.6 18/40] drm: vmwgfx_surface.c: copy user-array safely

Sasha Levin Tue, 07 Nov 2023 04:20:20 -0800

From: Philipp Stanner <[email protected]>

[ Upstream commit 06ab64a0d836ac430c5f94669710a78aa43942cb ]


Currently, there is no overflow-check with memdup_user().

Use the new function memdup_array_user() instead of memdup_user() for
duplicating the user-space array safely.

Suggested-by: David Airlie <[email protected]>
Signed-off-by: Philipp Stanner <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Reviewed-by: Zack Rusin <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
Link: 
https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c 
b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index 3829be282ff00..17463aeeef28f 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -774,9 +774,9 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void 
*data,
               sizeof(metadata->mip_levels));
        metadata->num_sizes = num_sizes;
        metadata->sizes =
-               memdup_user((struct drm_vmw_size __user *)(unsigned long)
+               memdup_array_user((struct drm_vmw_size __user *)(unsigned long)
                            req->size_addr,
-                           sizeof(*metadata->sizes) * metadata->num_sizes);
+                           metadata->num_sizes, sizeof(*metadata->sizes));
        if (IS_ERR(metadata->sizes)) {
                ret = PTR_ERR(metadata->sizes);
                goto out_no_sizes;
-- 
2.42.0

[PATCH AUTOSEL 6.6 18/40] drm: vmwgfx_surface.c: copy user-array safely

Reply via email to