[PATCH AUTOSEL 6.1 07/25] string.h: add array-wrappers for (v)memdup_user()

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Philipp Stanner <pstanner@redhat.com>,
	David Airlie <airlied@redhat.com>,
	Andy Shevchenko <andy.shevchenko@gmail.com>,
	Kees Cook <keescook@chromium.org>, Zack Rusin <zackr@vmware.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-hardening@vger.kernel.org
Subject: [PATCH AUTOSEL 6.1 07/25] string.h: add array-wrappers for (v)memdup_user()
Date: Tue,  7 Nov 2023 07:26:46 -0500	[thread overview]
Message-ID: <20231107122745.3761613-7-sashal@kernel.org> (raw)
In-Reply-To: <20231107122745.3761613-1-sashal@kernel.org>

From: Philipp Stanner <pstanner@redhat.com>

[ Upstream commit 313ebe47d75558511aa1237b6e35c663b5c0ec6f ]

Currently, user array duplications are sometimes done without an
overflow check. Sometimes the checks are done manually; sometimes the
array size is calculated with array_size() and sometimes by calculating
n * size directly in code.

Introduce wrappers for arrays for memdup_user() and vmemdup_user() to
provide a standardized and safe way for duplicating user arrays.

This is both for new code as well as replacing usage of (v)memdup_user()
in existing code that uses, e.g., n * size to calculate array sizes.

Suggested-by: David Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-3-pstanner@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/string.h | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/include/linux/string.h b/include/linux/string.h
index cf7607b321027..b1c944a6dbe61 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -5,7 +5,9 @@
 #include <linux/compiler.h>	/* for inline */
 #include <linux/types.h>	/* for size_t */
 #include <linux/stddef.h>	/* for NULL */
+#include <linux/err.h>		/* for ERR_PTR() */
 #include <linux/errno.h>	/* for E2BIG */
+#include <linux/overflow.h>	/* for check_mul_overflow() */
 #include <linux/stdarg.h>
 #include <uapi/linux/string.h>
 
@@ -14,6 +16,44 @@ extern void *memdup_user(const void __user *, size_t);
 extern void *vmemdup_user(const void __user *, size_t);
 extern void *memdup_user_nul(const void __user *, size_t);
 
+/**
+ * memdup_array_user - duplicate array from user space
+ * @src: source address in user space
+ * @n: number of array members to copy
+ * @size: size of one array member
+ *
+ * Return: an ERR_PTR() on failure. Result is physically
+ * contiguous, to be freed by kfree().
+ */
+static inline void *memdup_array_user(const void __user *src, size_t n, size_t size)
+{
+	size_t nbytes;
+
+	if (check_mul_overflow(n, size, &nbytes))
+		return ERR_PTR(-EOVERFLOW);
+
+	return memdup_user(src, nbytes);
+}
+
+/**
+ * vmemdup_array_user - duplicate array from user space
+ * @src: source address in user space
+ * @n: number of array members to copy
+ * @size: size of one array member
+ *
+ * Return: an ERR_PTR() on failure. Result may be not
+ * physically contiguous. Use kvfree() to free.
+ */
+static inline void *vmemdup_array_user(const void __user *src, size_t n, size_t size)
+{
+	size_t nbytes;
+
+	if (check_mul_overflow(n, size, &nbytes))
+		return ERR_PTR(-EOVERFLOW);
+
+	return vmemdup_user(src, nbytes);
+}
+
 /*
  * Include machine specific inline routines
  */
-- 
2.42.0

next prev parent reply	other threads:[~2023-11-07 12:56 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-11-07 12:26 [PATCH AUTOSEL 6.1 01/25] drm/gma500: Fix call trace when psb_gem_mm_init() fails Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 02/25] drm/komeda: drop all currently held locks if deadlock happens Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 03/25] drm/amdgpu: not to save bo in the case of RAS err_event_athub Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 04/25] drm/amdkfd: Fix a race condition of vram buffer unref in svm code Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 05/25] drm/amd: Update `update_pcie_parameters` functions to use uint8_t arguments Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 06/25] drm/amd/display: use full update for clip size increase of large plane source Sasha Levin
2023-11-07 12:26 ` Sasha Levin [this message]
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 08/25] kernel: kexec: copy user-array safely Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 09/25] kernel: watch_queue: " Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 10/25] drm_lease.c: " Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 11/25] drm: vmwgfx_surface.c: " Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 12/25] drm/msm/dp: skip validity check for DP CTS EDID checksum Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 13/25] drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 14/25] drm/radeon: Fix UBSAN array-index-out-of-bounds for Radeon HD 5430 Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 15/25] drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 16/25] drm/amdgpu: Fix potential null pointer derefernce Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 17/25] drm/panel: fix a possible null pointer dereference Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 18/25] drm/panel/panel-tpo-tpg110: " Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 19/25] drm/radeon: " Sasha Levin
2023-11-07 12:26 ` [PATCH AUTOSEL 6.1 20/25] drm/amdgpu/vkms: " Sasha Levin
2023-11-07 12:27 ` [PATCH AUTOSEL 6.1 21/25] drm/panel: st7703: Pick different reset sequence Sasha Levin
2023-11-07 12:27 ` [PATCH AUTOSEL 6.1 22/25] drm/amdkfd: Fix shift out-of-bounds issue Sasha Levin
2023-11-07 12:27 ` [PATCH AUTOSEL 6.1 23/25] drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL Sasha Levin
2023-11-07 12:27 ` [PATCH AUTOSEL 6.1 24/25] arm64: dts: ls208xa: use a pseudo-bus to constrain usb dma size Sasha Levin
2023-11-07 12:27 ` [PATCH AUTOSEL 6.1 25/25] selftests/efivarfs: create-read: fix a resource leak Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:cf7607b32102 dfblob:b1c944a6dbe6 )
 OR (
bs:"[PATCH AUTOSEL 6.1 07/25] string.h: add array-wrappers for (v)memdup_user()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231107122745.3761613-7-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=airlied@redhat.com \
    --cc=andy.shevchenko@gmail.com \
    --cc=keescook@chromium.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pstanner@redhat.com \
    --cc=stable@vger.kernel.org \
    --cc=zackr@vmware.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox