* [PATCH] sound/isa/wavefront: copy userspace array safely
@ 2023-11-02 19:03 Philipp Stanner
2023-11-03 13:58 ` Takashi Iwai
0 siblings, 1 reply; 3+ messages in thread
From: Philipp Stanner @ 2023-11-02 19:03 UTC (permalink / raw)
To: Jaroslav Kysela, Takashi Iwai
Cc: alsa-devel, linux-kernel, Philipp Stanner, Dave Airlie
wavefront_fx.c utilizes memdup_user() to copy a userspace array. This
does not check for an overflow.
Use the new wrapper memdup_array_user() to copy the array more safely.
Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
---
sound/isa/wavefront/wavefront_fx.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/isa/wavefront/wavefront_fx.c b/sound/isa/wavefront/wavefront_fx.c
index 3c21324b2a0e..0273b7dfaf12 100644
--- a/sound/isa/wavefront/wavefront_fx.c
+++ b/sound/isa/wavefront/wavefront_fx.c
@@ -191,9 +191,9 @@ snd_wavefront_fx_ioctl (struct snd_hwdep *sdev, struct file *file,
"> 512 bytes to FX\n");
return -EIO;
}
- page_data = memdup_user((unsigned char __user *)
- r.data[3],
- r.data[2] * sizeof(short));
+ page_data = memdup_array_user((unsigned char __user *)
+ r.data[3],
+ r.data[2], sizeof(short));
if (IS_ERR(page_data))
return PTR_ERR(page_data);
pd = page_data;
--
2.41.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] sound/isa/wavefront: copy userspace array safely
2023-11-02 19:03 [PATCH] sound/isa/wavefront: copy userspace array safely Philipp Stanner
@ 2023-11-03 13:58 ` Takashi Iwai
2023-11-03 14:04 ` Takashi Iwai
0 siblings, 1 reply; 3+ messages in thread
From: Takashi Iwai @ 2023-11-03 13:58 UTC (permalink / raw)
To: Philipp Stanner
Cc: Jaroslav Kysela, Takashi Iwai, alsa-devel, linux-kernel,
Dave Airlie
On Thu, 02 Nov 2023 20:03:10 +0100,
Philipp Stanner wrote:
>
> wavefront_fx.c utilizes memdup_user() to copy a userspace array. This
> does not check for an overflow.
There is a check above the memdup_user() call; it's at most 512
bytes.
> Use the new wrapper memdup_array_user() to copy the array more safely.
>
> Suggested-by: Dave Airlie <airlied@redhat.com>
> Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Although the check is already present, it's still better to use the
new helper, so I applied the patch now.
thanks,
Takashi
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] sound/isa/wavefront: copy userspace array safely
2023-11-03 13:58 ` Takashi Iwai
@ 2023-11-03 14:04 ` Takashi Iwai
0 siblings, 0 replies; 3+ messages in thread
From: Takashi Iwai @ 2023-11-03 14:04 UTC (permalink / raw)
To: Philipp Stanner
Cc: Jaroslav Kysela, Takashi Iwai, alsa-devel, linux-kernel,
Dave Airlie
On Fri, 03 Nov 2023 14:58:22 +0100,
Takashi Iwai wrote:
>
> On Thu, 02 Nov 2023 20:03:10 +0100,
> Philipp Stanner wrote:
> >
> > wavefront_fx.c utilizes memdup_user() to copy a userspace array. This
> > does not check for an overflow.
>
> There is a check above the memdup_user() call; it's at most 512
> bytes.
>
> > Use the new wrapper memdup_array_user() to copy the array more safely.
> >
> > Suggested-by: Dave Airlie <airlied@redhat.com>
> > Signed-off-by: Philipp Stanner <pstanner@redhat.com>
>
> Although the check is already present, it's still better to use the
> new helper, so I applied the patch now.
... and the helper is available only on Linus tree for now, so I
postpone after 6.7-rc1 release, so that we can have a solid base.
Takashi
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-11-03 14:05 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-02 19:03 [PATCH] sound/isa/wavefront: copy userspace array safely Philipp Stanner
2023-11-03 13:58 ` Takashi Iwai
2023-11-03 14:04 ` Takashi Iwai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox