drm/gud: Use size_add() in call to struct_size()

If, for any reason, the open-coded arithmetic causes a wraparound, the
protection that `struct_size()` adds against potential integer overflows
is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.

Fixes: 40e1a70b4aed ("drm: Add GUD USB Display driver")
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/ZQSlyHKPdw/zsy4c@work
Signed-off-by: Kees Cook <keescook@chromium.org>

diff --git a/drivers/gpu/drm/gud/gud_pipe.c b/drivers/gpu/drm/gud/gud_pipe.c
index d2f199ea3c111c532bbb609c684858332908f835..a02f75be81f03e8a542093aa749017f54cb397ed 100644 (file)
--- a/drivers/gpu/drm/gud/gud_pipe.c
+++ b/drivers/gpu/drm/gud/gud_pipe.c
@@ -503,7 +503,7 @@ int gud_pipe_check(struct drm_simple_display_pipe *pipe,
                return -ENOENT;
 
        len = struct_size(req, properties,
-                         GUD_PROPERTIES_MAX_NUM + GUD_CONNECTOR_PROPERTIES_MAX_NUM);
+                         size_add(GUD_PROPERTIES_MAX_NUM, GUD_CONNECTOR_PROPERTIES_MAX_NUM));
        req = kzalloc(len, GFP_KERNEL);
        if (!req)
                return -ENOMEM;