1. Patchew
  2. linux
  3. View series

[PATCH] drivers/fpga: copy userspace array safely

Philipp Stanner posted 1 patch 2 years, 1 month ago 
drivers/fpga/dfl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH] drivers/fpga: copy userspace array safely
Posted by Philipp Stanner 2 years, 1 month ago 
dfl.c utilizes memdup_user() and array_size() to copy a userspace array.
Currently, this does not check for an overflow.

Use the new wrapper memdup_array_user() to copy the array more safely.

Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
---
Linus recently merged this new wrapper for Kernel v6.7
---
 drivers/fpga/dfl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c
index dd7a783d53b5..e69b9f1f2a50 100644
--- a/drivers/fpga/dfl.c
+++ b/drivers/fpga/dfl.c
@@ -2008,8 +2008,8 @@ long dfl_feature_ioctl_set_irq(struct platform_device *pdev,
 	    (hdr.start + hdr.count < hdr.start))
 		return -EINVAL;
 
-	fds = memdup_user((void __user *)(arg + sizeof(hdr)),
-			  array_size(hdr.count, sizeof(s32)));
+	fds = memdup_array_user((void __user *)(arg + sizeof(hdr)),
+				hdr.count, sizeof(s32));
 	if (IS_ERR(fds))
 		return PTR_ERR(fds);
 
-- 
2.41.0
Re: [PATCH] drivers/fpga: copy userspace array safely
Posted by Xu Yilun 2 years, 1 month ago 
On Thu, Nov 02, 2023 at 07:49:09PM +0100, Philipp Stanner wrote:
> dfl.c utilizes memdup_user() and array_size() to copy a userspace array.
> Currently, this does not check for an overflow.

array_size() actually checks for overflow, so please re-write the changelog.

Thanks,
Yilun

> 
> Use the new wrapper memdup_array_user() to copy the array more safely.
> 
> Suggested-by: Dave Airlie <airlied@redhat.com>
> Signed-off-by: Philipp Stanner <pstanner@redhat.com>
> ---
> Linus recently merged this new wrapper for Kernel v6.7
> ---
>  drivers/fpga/dfl.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c
> index dd7a783d53b5..e69b9f1f2a50 100644
> --- a/drivers/fpga/dfl.c
> +++ b/drivers/fpga/dfl.c
> @@ -2008,8 +2008,8 @@ long dfl_feature_ioctl_set_irq(struct platform_device *pdev,
>  	    (hdr.start + hdr.count < hdr.start))
>  		return -EINVAL;
>  
> -	fds = memdup_user((void __user *)(arg + sizeof(hdr)),
> -			  array_size(hdr.count, sizeof(s32)));
> +	fds = memdup_array_user((void __user *)(arg + sizeof(hdr)),
> +				hdr.count, sizeof(s32));
>  	if (IS_ERR(fds))
>  		return PTR_ERR(fds);
>  
> -- 
> 2.41.0
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.