From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Philipp Stanner <pstanner@redhat.com>,
David Airlie <airlied@redhat.com>, Baoquan He <bhe@redhat.com>,
Kees Cook <keescook@chromium.org>, Zack Rusin <zackr@vmware.com>,
Sasha Levin <sashal@kernel.org>,
ebiederm@xmission.com, kexec@lists.infradead.org
Subject: [PATCH AUTOSEL 5.15 05/20] kernel: kexec: copy user-array safely
Date: Tue, 7 Nov 2023 07:28:59 -0500 [thread overview]
Message-ID: <20231107122940.3762228-5-sashal@kernel.org> (raw)
In-Reply-To: <20231107122940.3762228-1-sashal@kernel.org>
From: Philipp Stanner <pstanner@redhat.com>
[ Upstream commit 569c8d82f95eb5993c84fb61a649a9c4ddd208b3 ]
Currently, there is no overflow-check with memdup_user().
Use the new function memdup_array_user() instead of memdup_user() for
duplicating the user-space array safely.
Suggested-by: David Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Acked-by: Baoquan He <bhe@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-4-pstanner@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/kexec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index cb8e6e6f983c7..5ff1dcc4acb78 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -240,7 +240,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
((flags & KEXEC_ARCH_MASK) != KEXEC_ARCH_DEFAULT))
return -EINVAL;
- ksegments = memdup_user(segments, nr_segments * sizeof(ksegments[0]));
+ ksegments = memdup_array_user(segments, nr_segments, sizeof(ksegments[0]));
if (IS_ERR(ksegments))
return PTR_ERR(ksegments);
--
2.42.0
next prev parent reply other threads:[~2023-11-07 12:42 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-07 12:28 [PATCH AUTOSEL 5.15 01/20] drm/komeda: drop all currently held locks if deadlock happens Sasha Levin
2023-11-07 12:28 ` [PATCH AUTOSEL 5.15 02/20] drm/amdkfd: Fix a race condition of vram buffer unref in svm code Sasha Levin
2023-11-07 12:28 ` [PATCH AUTOSEL 5.15 03/20] drm/amd/display: use full update for clip size increase of large plane source Sasha Levin
2023-11-07 12:28 ` [PATCH AUTOSEL 5.15 04/20] string.h: add array-wrappers for (v)memdup_user() Sasha Levin
2023-11-07 12:28 ` Sasha Levin [this message]
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 06/20] kernel: watch_queue: copy user-array safely Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 07/20] drm: vmwgfx_surface.c: " Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 08/20] drm/msm/dp: skip validity check for DP CTS EDID checksum Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 09/20] drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 10/20] drm/radeon: Fix UBSAN array-index-out-of-bounds for Radeon HD 5430 Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 11/20] drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 12/20] drm/amdgpu: Fix potential null pointer derefernce Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 13/20] drm/panel: fix a possible null pointer dereference Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 14/20] drm/panel/panel-tpo-tpg110: " Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 15/20] drm/amdgpu/vkms: " Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 16/20] drm/panel: st7703: Pick different reset sequence Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 17/20] drm/amdkfd: Fix shift out-of-bounds issue Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 18/20] drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 19/20] arm64: dts: ls208xa: use a pseudo-bus to constrain usb dma size Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 20/20] selftests/efivarfs: create-read: fix a resource leak Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231107122940.3762228-5-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=airlied@redhat.com \
--cc=bhe@redhat.com \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pstanner@redhat.com \
--cc=stable@vger.kernel.org \
--cc=zackr@vmware.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox