lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 13 Mar 2018 22:29:06 +0530
From:   Himanshu Jha <himanshujha199640@...il.com>
To:     "Gustavo A. R. Silva" <gustavo@...eddedor.com>
Cc:     Jonathan Cameron <jic23@...nel.org>,
        Hartmut Knaack <knaack.h@....de>,
        Lars-Peter Clausen <lars@...afoo.de>,
        Peter Meerwald-Stadler <pmeerw@...erw.net>,
        linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] iio: potentiometer: ds1803: remove VLA usage

On Tue, Mar 13, 2018 at 11:31:19AM -0500, Gustavo A. R. Silva wrote:
> 
> 
> On 03/13/2018 11:24 AM, Himanshu Jha wrote:
> >Hi Gustavo,
> >
> >On Tue, Mar 13, 2018 at 10:23:43AM -0500, Gustavo A. R. Silva wrote:
> >>In preparation to enabling -Wvla, remove VLA. In this particular
> >>case use macro ARRAY_SIZE so the length of array _result_ can be
> >>computed at preprocessing time.
> >>
> >>The use of stack Variable Length Arrays needs to be avoided, as they
> >>can be a vector for stack exhaustion, which can be both a runtime bug
> >>or a security flaw. Also, in general, as code evolves it is easy to
> >>lose track of how big a VLA can get. Thus, we can end up having runtime
> >>failures that are hard to debug.
> >>
> >>Also, fixed as part of the directive to remove all VLAs from
> >>the kernel: https://lkml.org/lkml/2018/3/7/621
> >>
> >>Signed-off-by: Gustavo A. R. Silva <gustavo@...eddedor.com>
> >>---
> >
> >It is already applied as I had sent the patch few days ago.
> >https://lkml.org/lkml/2018/3/10/164
> >
> >I specifically CC'ed you and Kees to avoid the patch collisions.
> >
> 
> I see. Can you please update this spreadsheet:
> 
> https://docs.google.com/spreadsheets/d/1OcfyKK8pJ24esYhSEsW4Q2boZE7UTGbYsSEEtFXf7U0/edit

Updated!

Also,

drivers/iio/humidity/hts221_i2c.c:43:2: warning: ISO C90
forbids variable length array ‘send’ [-Wvla]

This was already removed in recent commit when regmap API was used.

"6217792 iio: humidity: hts221: add regmap API support"

For this I added a short note in the *Notes* column.

-- 
Thanks
Himanshu Jha

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ