KVM: s390: Harden copying of userspace-array against overflow

guestdbg.c utilizes memdup_user() to copy a userspace array. This, currently, does not check for an overflow. Use the new wrapper memdup_array_user() to copy the array more safely. Note, KVM explicitly checks the number of entries before duplicating the array, i.e. adding the overflow check should be a glorified nop. Suggested-by: Dave Airlie <[email protected]> Signed-off-by: Philipp Stanner <[email protected]> Acked-by: Claudio Imbrenda <[email protected]> Acked-by: Christian Borntraeger <[email protected]> Link: https://lore.kernel.org/r/[email protected] [sean: call out that KVM pre-checks the number of entries] Signed-off-by: Sean Christopherson <[email protected]>
author: Philipp Stanner <[email protected]> 2023-11-02 19:15:25 +0100
committer: Sean Christopherson <[email protected]> 2023-12-01 08:00:42 -0800
commit: 8c4976772d9b5858b8b456e84783e089c6cfa66e (patch)
tree: fec2e9235c35aa2446f6054e71001bc73d8ccb63
parent: 573cc0e5cf142d9992d2de3502800890fc717bc0 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/arch/s390/kvm/guestdbg.c b/arch/s390/kvm/guestdbg.c
index 3765c4223bf9..80879fc73c90 100644
--- a/arch/s390/kvm/guestdbg.c
+++ b/arch/s390/kvm/guestdbg.c
@@ -213,8 +213,8 @@ int kvm_s390_import_bp_data(struct kvm_vcpu *vcpu,
 	else if (dbg->arch.nr_hw_bp > MAX_BP_COUNT)
 		return -EINVAL;
 
-	bp_data = memdup_user(dbg->arch.hw_bp,
-			      sizeof(*bp_data) * dbg->arch.nr_hw_bp);
+	bp_data = memdup_array_user(dbg->arch.hw_bp, dbg->arch.nr_hw_bp,
+				    sizeof(*bp_data));
 	if (IS_ERR(bp_data))
 		return PTR_ERR(bp_data);
author	Philipp Stanner <[email protected]>	2023-11-02 19:15:25 +0100
committer	Sean Christopherson <[email protected]>	2023-12-01 08:00:42 -0800
commit	8c4976772d9b5858b8b456e84783e089c6cfa66e (patch)
tree	fec2e9235c35aa2446f6054e71001bc73d8ccb63
parent	573cc0e5cf142d9992d2de3502800890fc717bc0 (diff)