@@ -644,7 +644,7 @@ int con_set_unimap(struct vc_data *vc, ushort ct, struct unipair __user *list)
if (!ct)
return 0;
- unilist = vmemdup_user(list, array_size(sizeof(*unilist), ct));
+ unilist = vmemdup_array_user(list, ct, sizeof(*unilist));
if (IS_ERR(unilist))
return PTR_ERR(unilist);
@@ -1772,12 +1772,10 @@ int vt_do_diacrit(unsigned int cmd, void __user *udp, int perm)
return -EINVAL;
if (ct) {
-
- dia = memdup_user(a->kbdiacr,
- sizeof(struct kbdiacr) * ct);
+ dia = memdup_array_user(a->kbdiacr,
+ ct, sizeof(struct kbdiacr));
if (IS_ERR(dia))
return PTR_ERR(dia);
-
}
spin_lock_irqsave(&kbd_event_lock, flags);
@@ -1811,8 +1809,8 @@ int vt_do_diacrit(unsigned int cmd, void __user *udp, int perm)
return -EINVAL;
if (ct) {
- buf = memdup_user(a->kbdiacruc,
- ct * sizeof(struct kbdiacruc));
+ buf = memdup_array_user(a->kbdiacruc,
+ ct, sizeof(struct kbdiacruc));
if (IS_ERR(buf))
return PTR_ERR(buf);
}
tty/vt currently uses memdup_user() and vmemdup_array_user() to copy userspace arrays. Whereas there is no danger of overflowing, the call to vmemdup_user() currently utilizes array_size() to calculate the array size nevertheless. This is not useful because array_size() would return SIZE_MAX and pass it to vmemdup_user() in case of (the impossible) overflow. string.h from the core-API now provides the wrappers memdup_array_user() and vmemdup_array_user() to copy userspace arrays in a standardized manner. Additionally, they also perform generic overflow-checks. Use these wrappers to make it more obvious and readable that arrays are being copied. As we are at it, remove two unnecessary empty lines. Suggested-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Philipp Stanner <pstanner@redhat.com> --- Changes in v2: - Remove two empty lines from keyboard.c - Rephrase the commit message completely to make it obvious that we're not actually fixing a really possible overflow here. Emphasize the commit being about unifying array-copying. (Al Viro) --- drivers/tty/vt/consolemap.c | 2 +- drivers/tty/vt/keyboard.c | 10 ++++------ 2 files changed, 5 insertions(+), 7 deletions(-)