linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user()
@ 2020-06-16 18:30 Gustavo A. R. Silva
  2020-06-16 18:39 ` Kees Cook
  2020-07-10 22:06 ` Gustavo A. R. Silva
  0 siblings, 2 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2020-06-16 18:30 UTC (permalink / raw)
  To: Matt Porter, Alexandre Bounine
  Cc: linux-kernel, Gustavo A. R. Silva, Kees Cook

Use array_size() helper instead of the open-coded version in
copy_{from,to}_user(). These sorts of multiplication factors
need to be wrapped in array_size().

This issue was found with the help of Coccinelle and, audited
and fixed manually.

Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/rapidio/devices/rio_mport_cdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index 451608e960a1..6943459f8ac2 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -981,7 +981,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
 
 	if (unlikely(copy_from_user(transfer,
 				    (void __user *)(uintptr_t)transaction.block,
-				    transaction.count * sizeof(*transfer)))) {
+				    array_size(sizeof(*transfer), transaction.count)))) {
 		ret = -EFAULT;
 		goto out_free;
 	}
@@ -994,7 +994,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
 
 	if (unlikely(copy_to_user((void __user *)(uintptr_t)transaction.block,
 				  transfer,
-				  transaction.count * sizeof(*transfer))))
+				  array_size(sizeof(*transfer), transaction.count))))
 		ret = -EFAULT;
 
 out_free:
-- 
2.27.0


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user()
  2020-06-16 18:30 [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user() Gustavo A. R. Silva
@ 2020-06-16 18:39 ` Kees Cook
  2020-07-10 22:06 ` Gustavo A. R. Silva
  1 sibling, 0 replies; 3+ messages in thread
From: Kees Cook @ 2020-06-16 18:39 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Matt Porter, Alexandre Bounine, linux-kernel, Gustavo A. R. Silva

On Tue, Jun 16, 2020 at 01:30:50PM -0500, Gustavo A. R. Silva wrote:
> Use array_size() helper instead of the open-coded version in
> copy_{from,to}_user(). These sorts of multiplication factors
> need to be wrapped in array_size().
> 
> This issue was found with the help of Coccinelle and, audited
> and fixed manually.
> 
> Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Reviewed-by: Kees Cook <keescook@chromium.org>

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user()
  2020-06-16 18:30 [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user() Gustavo A. R. Silva
  2020-06-16 18:39 ` Kees Cook
@ 2020-07-10 22:06 ` Gustavo A. R. Silva
  1 sibling, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2020-07-10 22:06 UTC (permalink / raw)
  To: Gustavo A. R. Silva, Matt Porter, Alexandre Bounine, Andrew Morton
  Cc: linux-kernel, Kees Cook

Hi all,

Friendly ping: who can take this, please?

Thanks
--
Gustavo

On 6/16/20 13:30, Gustavo A. R. Silva wrote:
> Use array_size() helper instead of the open-coded version in
> copy_{from,to}_user(). These sorts of multiplication factors
> need to be wrapped in array_size().
> 
> This issue was found with the help of Coccinelle and, audited
> and fixed manually.
> 
> Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
>  drivers/rapidio/devices/rio_mport_cdev.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
> index 451608e960a1..6943459f8ac2 100644
> --- a/drivers/rapidio/devices/rio_mport_cdev.c
> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
> @@ -981,7 +981,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
>  
>  	if (unlikely(copy_from_user(transfer,
>  				    (void __user *)(uintptr_t)transaction.block,
> -				    transaction.count * sizeof(*transfer)))) {
> +				    array_size(sizeof(*transfer), transaction.count)))) {
>  		ret = -EFAULT;
>  		goto out_free;
>  	}
> @@ -994,7 +994,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
>  
>  	if (unlikely(copy_to_user((void __user *)(uintptr_t)transaction.block,
>  				  transfer,
> -				  transaction.count * sizeof(*transfer))))
> +				  array_size(sizeof(*transfer), transaction.count))))
>  		ret = -EFAULT;
>  
>  out_free:
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-07-10 22:22 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-16 18:30 [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user() Gustavo A. R. Silva
2020-06-16 18:39 ` Kees Cook
2020-07-10 22:06 ` Gustavo A. R. Silva

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).