All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user()
@ 2020-06-16 18:30 Gustavo A. R. Silva
  2020-06-16 18:39 ` Kees Cook
  2020-07-10 22:06 ` Gustavo A. R. Silva
  0 siblings, 2 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2020-06-16 18:30 UTC (permalink / raw)
  To: Matt Porter, Alexandre Bounine
  Cc: linux-kernel, Gustavo A. R. Silva, Kees Cook

Use array_size() helper instead of the open-coded version in
copy_{from,to}_user(). These sorts of multiplication factors
need to be wrapped in array_size().

This issue was found with the help of Coccinelle and, audited
and fixed manually.

Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/rapidio/devices/rio_mport_cdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index 451608e960a1..6943459f8ac2 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -981,7 +981,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
 
 	if (unlikely(copy_from_user(transfer,
 				    (void __user *)(uintptr_t)transaction.block,
-				    transaction.count * sizeof(*transfer)))) {
+				    array_size(sizeof(*transfer), transaction.count)))) {
 		ret = -EFAULT;
 		goto out_free;
 	}
@@ -994,7 +994,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
 
 	if (unlikely(copy_to_user((void __user *)(uintptr_t)transaction.block,
 				  transfer,
-				  transaction.count * sizeof(*transfer))))
+				  array_size(sizeof(*transfer), transaction.count))))
 		ret = -EFAULT;
 
 out_free:
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user()
  2020-06-16 18:30 [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user() Gustavo A. R. Silva
@ 2020-06-16 18:39 ` Kees Cook
  2020-07-10 22:06 ` Gustavo A. R. Silva
  1 sibling, 0 replies; 3+ messages in thread
From: Kees Cook @ 2020-06-16 18:39 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Matt Porter, Alexandre Bounine, linux-kernel, Gustavo A. R. Silva

On Tue, Jun 16, 2020 at 01:30:50PM -0500, Gustavo A. R. Silva wrote:
> Use array_size() helper instead of the open-coded version in
> copy_{from,to}_user(). These sorts of multiplication factors
> need to be wrapped in array_size().
> 
> This issue was found with the help of Coccinelle and, audited
> and fixed manually.
> 
> Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Reviewed-by: Kees Cook <keescook@chromium.org>

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user()
  2020-06-16 18:30 [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user() Gustavo A. R. Silva
  2020-06-16 18:39 ` Kees Cook
@ 2020-07-10 22:06 ` Gustavo A. R. Silva
  1 sibling, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2020-07-10 22:06 UTC (permalink / raw)
  To: Gustavo A. R. Silva, Matt Porter, Alexandre Bounine, Andrew Morton
  Cc: linux-kernel, Kees Cook

Hi all,

Friendly ping: who can take this, please?

Thanks
--
Gustavo

On 6/16/20 13:30, Gustavo A. R. Silva wrote:
> Use array_size() helper instead of the open-coded version in
> copy_{from,to}_user(). These sorts of multiplication factors
> need to be wrapped in array_size().
> 
> This issue was found with the help of Coccinelle and, audited
> and fixed manually.
> 
> Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
>  drivers/rapidio/devices/rio_mport_cdev.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
> index 451608e960a1..6943459f8ac2 100644
> --- a/drivers/rapidio/devices/rio_mport_cdev.c
> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
> @@ -981,7 +981,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
>  
>  	if (unlikely(copy_from_user(transfer,
>  				    (void __user *)(uintptr_t)transaction.block,
> -				    transaction.count * sizeof(*transfer)))) {
> +				    array_size(sizeof(*transfer), transaction.count)))) {
>  		ret = -EFAULT;
>  		goto out_free;
>  	}
> @@ -994,7 +994,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
>  
>  	if (unlikely(copy_to_user((void __user *)(uintptr_t)transaction.block,
>  				  transfer,
> -				  transaction.count * sizeof(*transfer))))
> +				  array_size(sizeof(*transfer), transaction.count))))
>  		ret = -EFAULT;
>  
>  out_free:
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-07-10 22:22 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-16 18:30 [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user() Gustavo A. R. Silva
2020-06-16 18:39 ` Kees Cook
2020-07-10 22:06 ` Gustavo A. R. Silva

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.