[PATCH AUTOSEL 4.19 47/55] media, bpf: Do not copy more entries than user space requested

Netdev Archive on lore.kernel.org
help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sean Young <sean@mess.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Sasha Levin <sashal@kernel.org>,
	linux-media@vger.kernel.org, netdev@vger.kernel.org,
	bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 47/55] media, bpf: Do not copy more entries than user space requested
Date: Tue,  6 Jul 2021 07:26:30 -0400	[thread overview]
Message-ID: <20210706112638.2065023-47-sashal@kernel.org> (raw)
In-Reply-To: <20210706112638.2065023-1-sashal@kernel.org>

From: Sean Young <sean@mess.org>

[ Upstream commit 647d446d66e493d23ca1047fa8492b0269674530 ]

The syscall bpf(BPF_PROG_QUERY, &attr) should use the prog_cnt field to
see how many entries user space provided and return ENOSPC if there are
more programs than that. Before this patch, this is not checked and
ENOSPC is never returned.

Note that one lirc device is limited to 64 bpf programs, and user space
I'm aware of -- ir-keytable -- always gives enough space for 64 entries
already. However, we should not copy program ids than are requested.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20210623213754.632-1-sean@mess.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/rc/bpf-lirc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c
index 8b97fd1f0cea..5a0e26e47f59 100644
--- a/drivers/media/rc/bpf-lirc.c
+++ b/drivers/media/rc/bpf-lirc.c
@@ -295,7 +295,8 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr)
 	}
 
 	if (attr->query.prog_cnt != 0 && prog_ids && cnt)
-		ret = bpf_prog_array_copy_to_user(progs, prog_ids, cnt);
+		ret = bpf_prog_array_copy_to_user(progs, prog_ids,
+						  attr->query.prog_cnt);
 
 unlock:
 	mutex_unlock(&ir_raw_handler_lock);
-- 
2.30.2

next prev parent reply	other threads:[~2021-07-06 11:39 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20210706112638.2065023-1-sashal@kernel.org>
2021-07-06 11:25 ` [PATCH AUTOSEL 4.19 05/55] net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() Sasha Levin
2021-07-06 11:25 ` [PATCH AUTOSEL 4.19 08/55] atm: iphase: fix possible use-after-free in ia_module_exit() Sasha Levin
2021-07-06 11:25 ` [PATCH AUTOSEL 4.19 09/55] mISDN: fix possible use-after-free in HFC_cleanup() Sasha Levin
2021-07-06 11:25 ` [PATCH AUTOSEL 4.19 10/55] atm: nicstar: Fix possible use-after-free in nicstar_cleanup() Sasha Levin
2021-07-06 11:25 ` [PATCH AUTOSEL 4.19 11/55] net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT Sasha Levin
2021-07-06 11:25 ` [PATCH AUTOSEL 4.19 16/55] e100: handle eeprom as little endian Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 19/55] ipv6: use prandom_u32() for ID generation Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 23/55] ice: set the value of global config lock timeout longer Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 24/55] virtio_net: Remove BUG() to avoid machine dead Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 25/55] net: bcmgenet: check return value after calling platform_get_resource() Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 26/55] net: mvpp2: " Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 27/55] net: micrel: " Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 28/55] net: moxa: Use devm_platform_get_and_ioremap_resource() Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 29/55] fjes: check return value after calling platform_get_resource() Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 31/55] xfrm: Fix error reporting in xfrm_state_construct Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 32/55] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 33/55] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 34/55] cw1200: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 36/55] rtl8xxxu: Fix device info for RTL8192EU devices Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 38/55] atm: nicstar: use 'dma_free_coherent' instead of 'kfree' Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 39/55] atm: nicstar: register the interrupt handler in the right place Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 40/55] vsock: notify server to shutdown when client has pending signal Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 42/55] iwlwifi: mvm: don't change band on bound PHY contexts Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 43/55] iwlwifi: pcie: free IML DMA memory allocation Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 44/55] sfc: avoid double pci_remove of VFs Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 45/55] sfc: error code if SRIOV cannot be disabled Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 46/55] wireless: wext-spy: Fix out-of-bounds warning Sasha Levin
2021-07-06 11:26 ` Sasha Levin [this message]
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 48/55] net: ip: avoid OOM kills with large UDP sends over loopback Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 50/55] Bluetooth: Fix the HCI to MGMT status conversion table Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 51/55] Bluetooth: Shutdown controller after workqueues are flushed or cancelled Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 53/55] sctp: validate from_addr_param return Sasha Levin
2021-07-06 11:26 ` [PATCH AUTOSEL 4.19 54/55] sctp: add size validation when walking chunks Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210706112638.2065023-47-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=sean@mess.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).