drm: vmwgfx_surface.c: copy user-array safely

Currently, there is no overflow-check with memdup_user().

Use the new function memdup_array_user() instead of memdup_user() for
duplicating the user-space array safely.

Suggested-by: David Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-7-pstanner@redhat.com

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index 5db403ee8261d38dae1477ac414c70c7b3ff689a..9be185b094cbb83bd214a41ce1f8d067bf75abc1 100644 (file)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -777,9 +777,9 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
               sizeof(metadata->mip_levels));
        metadata->num_sizes = num_sizes;
        metadata->sizes =
-               memdup_user((struct drm_vmw_size __user *)(unsigned long)
+               memdup_array_user((struct drm_vmw_size __user *)(unsigned long)
                            req->size_addr,
-                           sizeof(*metadata->sizes) * metadata->num_sizes);
+                           metadata->num_sizes, sizeof(*metadata->sizes));
        if (IS_ERR(metadata->sizes)) {
                ret = PTR_ERR(metadata->sizes);
                goto out_no_sizes;