UDMABUF_CREATE_LIST copies a variable-length list using a byte count derived from head.count. The list_limit module parameter is signed and writable, so setting it negative lets a large unsigned count bypass the limit check. The u32 byte-count calculation can then wrap, causing only a small list to be copied while udmabuf_create() still iterates over the large count.
Reject negative list_limit values and use checked size_t multiplication before copying the list.
Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius sam.moelius@trailofbits.com --- drivers/dma-buf/udmabuf.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 94b8ecb892bb..46b077639bfb 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -13,6 +13,7 @@ #include <linux/hugetlb.h> #include <linux/slab.h> #include <linux/udmabuf.h> +#include <linux/overflow.h> #include <linux/vmalloc.h> #include <linux/iosys-map.h>
@@ -489,13 +490,14 @@ static long udmabuf_ioctl_create_list(struct file *filp, unsigned long arg) struct udmabuf_create_list head; struct udmabuf_create_item *list; int ret = -EINVAL; - u32 lsize; + size_t lsize;
if (copy_from_user(&head, (void __user *)arg, sizeof(head))) return -EFAULT; - if (head.count > list_limit) + if (list_limit < 0 || head.count > list_limit) + return -EINVAL; + if (check_mul_overflow(sizeof(struct udmabuf_create_item), head.count, &lsize)) return -EINVAL; - lsize = sizeof(struct udmabuf_create_item) * head.count; list = memdup_user((void __user *)(arg + sizeof(head)), lsize); if (IS_ERR(list)) return PTR_ERR(list);