drm_lease.c: copy user-array safely

Currently, there is no overflow-check with memdup_user().

Use the new function memdup_array_user() instead of memdup_user() for
duplicating the user-space array safely.

Suggested-by: David Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-6-pstanner@redhat.com

diff --git a/drivers/gpu/drm/drm_lease.c b/drivers/gpu/drm/drm_lease.c
index 150fe155506809598e663251696673b4d584f914..94375c6a542564717dfbe60846fe24dcf736f4e9 100644 (file)
--- a/drivers/gpu/drm/drm_lease.c
+++ b/drivers/gpu/drm/drm_lease.c
@@ -510,8 +510,8 @@ int drm_mode_create_lease_ioctl(struct drm_device *dev,
        /* Handle leased objects, if any */
        idr_init(&leases);
        if (object_count != 0) {
-               object_ids = memdup_user(u64_to_user_ptr(cl->object_ids),
-                                        array_size(object_count, sizeof(__u32)));
+               object_ids = memdup_array_user(u64_to_user_ptr(cl->object_ids),
+                                              object_count, sizeof(__u32));
                if (IS_ERR(object_ids)) {
                        ret = PTR_ERR(object_ids);
                        idr_destroy(&leases);