Re: [PATCH][net-next] net/mlx4: Use array_size() helper in copy_to_user()
From: Eric Dumazet <hidden>
Date: 2021-09-29 17:21:55
Also in:
linux-hardening, lkml, netdev
From: Eric Dumazet <hidden>
Date: 2021-09-29 17:21:55
Also in:
linux-hardening, lkml, netdev
On 9/29/21 3:24 AM, Tariq Toukan wrote:
On 9/28/2021 11:17 PM, Gustavo A. R. Silva wrote:quoted
Use array_size() helper instead of the open-coded version in copy_to_user(). These sorts of multiplication factors need to be wrapped in array_size(). Link: https://github.com/KSPP/linux/issues/160 Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> --- drivers/net/ethernet/mellanox/mlx4/cq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c index f7053a74e6a8..4d4f9cf9facb 100644 --- a/drivers/net/ethernet/mellanox/mlx4/cq.c +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c@@ -314,7 +314,8 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)buf += PAGE_SIZE; } } else { - err = copy_to_user((void __user *)buf, init_ents, entries * cqe_size) ? + err = copy_to_user((void __user *)buf, init_ents, + array_size(entries, cqe_size)) ? -EFAULT : 0; }Thanks for your patch. Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Not sure why avoiding size_t overflows would make this code safer. init_ents contains PAGE_SIZE bytes... BTW Is @entries guaranteed to be a power of two ? This function seems to either copy one chunk ( <= PAGE_SIZE), or a number of full pages.