diff options
| author | Philipp Stanner <pstanner@redhat.com> | 2023-11-02 19:15:25 +0100 |
|---|---|---|
| committer | Sean Christopherson <seanjc@google.com> | 2023-12-01 08:00:42 -0800 |
| commit | 8c4976772d9b5858b8b456e84783e089c6cfa66e (patch) | |
| tree | fec2e9235c35aa2446f6054e71001bc73d8ccb63 /arch/s390 | |
| parent | 573cc0e5cf142d9992d2de3502800890fc717bc0 (diff) | |
| download | linux-stable-8c4976772d9b5858b8b456e84783e089c6cfa66e.tar.gz linux-stable-8c4976772d9b5858b8b456e84783e089c6cfa66e.tar.bz2 linux-stable-8c4976772d9b5858b8b456e84783e089c6cfa66e.zip | |
KVM: s390: Harden copying of userspace-array against overflow
guestdbg.c utilizes memdup_user() to copy a userspace array. This,
currently, does not check for an overflow.
Use the new wrapper memdup_array_user() to copy the array more safely.
Note, KVM explicitly checks the number of entries before duplicating the
array, i.e. adding the overflow check should be a glorified nop.
Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Acked-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Link: https://lore.kernel.org/r/20231102181526.43279-3-pstanner@redhat.com
[sean: call out that KVM pre-checks the number of entries]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Diffstat (limited to 'arch/s390')
| -rw-r--r-- | arch/s390/kvm/guestdbg.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/arch/s390/kvm/guestdbg.c b/arch/s390/kvm/guestdbg.c index 3765c4223bf9..80879fc73c90 100644 --- a/arch/s390/kvm/guestdbg.c +++ b/arch/s390/kvm/guestdbg.c @@ -213,8 +213,8 @@ int kvm_s390_import_bp_data(struct kvm_vcpu *vcpu, else if (dbg->arch.nr_hw_bp > MAX_BP_COUNT) return -EINVAL; - bp_data = memdup_user(dbg->arch.hw_bp, - sizeof(*bp_data) * dbg->arch.nr_hw_bp); + bp_data = memdup_array_user(dbg->arch.hw_bp, dbg->arch.nr_hw_bp, + sizeof(*bp_data)); if (IS_ERR(bp_data)) return PTR_ERR(bp_data); |