* [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user()
@ 2020-06-16 18:30 Gustavo A. R. Silva
2020-06-16 18:39 ` Kees Cook
2020-07-10 22:06 ` Gustavo A. R. Silva
0 siblings, 2 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2020-06-16 18:30 UTC (permalink / raw)
To: Matt Porter, Alexandre Bounine
Cc: linux-kernel, Gustavo A. R. Silva, Kees Cook
Use array_size() helper instead of the open-coded version in
copy_{from,to}_user(). These sorts of multiplication factors
need to be wrapped in array_size().
This issue was found with the help of Coccinelle and, audited
and fixed manually.
Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
drivers/rapidio/devices/rio_mport_cdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index 451608e960a1..6943459f8ac2 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -981,7 +981,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
if (unlikely(copy_from_user(transfer,
(void __user *)(uintptr_t)transaction.block,
- transaction.count * sizeof(*transfer)))) {
+ array_size(sizeof(*transfer), transaction.count)))) {
ret = -EFAULT;
goto out_free;
}
@@ -994,7 +994,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
if (unlikely(copy_to_user((void __user *)(uintptr_t)transaction.block,
transfer,
- transaction.count * sizeof(*transfer))))
+ array_size(sizeof(*transfer), transaction.count))))
ret = -EFAULT;
out_free:
--
2.27.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user()
2020-06-16 18:30 [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user() Gustavo A. R. Silva
@ 2020-06-16 18:39 ` Kees Cook
2020-07-10 22:06 ` Gustavo A. R. Silva
1 sibling, 0 replies; 3+ messages in thread
From: Kees Cook @ 2020-06-16 18:39 UTC (permalink / raw)
To: Gustavo A. R. Silva
Cc: Matt Porter, Alexandre Bounine, linux-kernel, Gustavo A. R. Silva
On Tue, Jun 16, 2020 at 01:30:50PM -0500, Gustavo A. R. Silva wrote:
> Use array_size() helper instead of the open-coded version in
> copy_{from,to}_user(). These sorts of multiplication factors
> need to be wrapped in array_size().
>
> This issue was found with the help of Coccinelle and, audited
> and fixed manually.
>
> Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
--
Kees Cook
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user()
2020-06-16 18:30 [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user() Gustavo A. R. Silva
2020-06-16 18:39 ` Kees Cook
@ 2020-07-10 22:06 ` Gustavo A. R. Silva
1 sibling, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2020-07-10 22:06 UTC (permalink / raw)
To: Gustavo A. R. Silva, Matt Porter, Alexandre Bounine, Andrew Morton
Cc: linux-kernel, Kees Cook
Hi all,
Friendly ping: who can take this, please?
Thanks
--
Gustavo
On 6/16/20 13:30, Gustavo A. R. Silva wrote:
> Use array_size() helper instead of the open-coded version in
> copy_{from,to}_user(). These sorts of multiplication factors
> need to be wrapped in array_size().
>
> This issue was found with the help of Coccinelle and, audited
> and fixed manually.
>
> Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
> drivers/rapidio/devices/rio_mport_cdev.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
> index 451608e960a1..6943459f8ac2 100644
> --- a/drivers/rapidio/devices/rio_mport_cdev.c
> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
> @@ -981,7 +981,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
>
> if (unlikely(copy_from_user(transfer,
> (void __user *)(uintptr_t)transaction.block,
> - transaction.count * sizeof(*transfer)))) {
> + array_size(sizeof(*transfer), transaction.count)))) {
> ret = -EFAULT;
> goto out_free;
> }
> @@ -994,7 +994,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
>
> if (unlikely(copy_to_user((void __user *)(uintptr_t)transaction.block,
> transfer,
> - transaction.count * sizeof(*transfer))))
> + array_size(sizeof(*transfer), transaction.count))))
> ret = -EFAULT;
>
> out_free:
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-07-10 22:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-16 18:30 [PATCH][next] rapidio/rio_mport_cdev: Use array_size() helper in copy_{from,to}_user() Gustavo A. R. Silva
2020-06-16 18:39 ` Kees Cook
2020-07-10 22:06 ` Gustavo A. R. Silva
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).