Commit fd58f7df authored by Dan Carpenter's avatar Dan Carpenter Committed by Alexei Starovoitov
Browse files

bpf: Use safer kvmalloc_array() where possible 



The kvmalloc_array() function is safer because it has a check for
integer overflows.  These sizes come from the user and I was not
able to see any bounds checking so an integer overflow seems like a
realistic concern.

Fixes: 0dcac272 ("bpf: Add multi kprobe link")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/Yo9VRVMeHbALyjUH@kili


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 10f3b29c

kernel/trace/bpf_trace.c

+4 −4
Original line number Diff line number Diff line
@@ -2263,11 +2263,11 @@ static int copy_user_syms(struct user_syms *us, unsigned long __user *usyms, u32 
	int err = -ENOMEM;

	unsigned int i;



	syms = kvmalloc(cnt * sizeof(*syms), GFP_KERNEL);

	syms = kvmalloc_array(cnt, sizeof(*syms), GFP_KERNEL);

	if (!syms)

		goto error;



	buf = kvmalloc(cnt * KSYM_NAME_LEN, GFP_KERNEL);

	buf = kvmalloc_array(cnt, KSYM_NAME_LEN, GFP_KERNEL);

	if (!buf)

		goto error;
@@ -2464,7 +2464,7 @@ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr 
		return -EINVAL;



	size = cnt * sizeof(*addrs);

	addrs = kvmalloc(size, GFP_KERNEL);

	addrs = kvmalloc_array(cnt, sizeof(*addrs), GFP_KERNEL);

	if (!addrs)

		return -ENOMEM;
@@ -2489,7 +2489,7 @@ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr 


	ucookies = u64_to_user_ptr(attr->link_create.kprobe_multi.cookies);

	if (ucookies) {

		cookies = kvmalloc(size, GFP_KERNEL);

		cookies = kvmalloc_array(cnt, sizeof(*addrs), GFP_KERNEL);

		if (!cookies) {

			err = -ENOMEM;

			goto error;