kernel: watch_queue: copy user-array safely

Currently, there is no overflow-check with memdup_user().

Use the new function memdup_array_user() instead of memdup_user() for
duplicating the user-space array safely.

Suggested-by: David Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-5-pstanner@redhat.com

diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
index d0b6b390ee42332bb47711eb563242f70663ebf2..778b4056700ff5703e6c5c984c469c173dfcaa69 100644 (file)
--- a/kernel/watch_queue.c
+++ b/kernel/watch_queue.c
@@ -331,7 +331,7 @@ long watch_queue_set_filter(struct pipe_inode_info *pipe,
            filter.__reserved != 0)
                return -EINVAL;
 
-       tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf));
+       tf = memdup_array_user(_filter->filters, filter.nr_filters, sizeof(*tf));
        if (IS_ERR(tf))
                return PTR_ERR(tf);