| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 29 Apr 2018 08:00:53 -0700
From: Kees Cook <keescook@...omium.org>
To: Boris Brezillon <boris.brezillon@...tlin.com>
Cc: David Woodhouse <dwmw2@...radead.org>,
Brian Norris <computersforpeace@...il.com>,
Marek Vasut <marek.vasut@...il.com>,
Richard Weinberger <richard@....at>,
linux-mtd@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: [PATCH v2] mtd: nftl: Remove VLA usage
On the quest to remove all stack VLAs from the kernel[1] this changes
the check_free_sectors() routine to use a kmalloc()ed buffer instead
of a large VLA stack buffer.
[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
Signed-off-by: Kees Cook <keescook@...omium.org>
---
v2: kmalloc() instead of stack buffer (Boris)
---
drivers/mtd/inftlmount.c | 23 ++++++++++++++++-------
drivers/mtd/nftlmount.c | 23 ++++++++++++++++-------
2 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/drivers/mtd/inftlmount.c b/drivers/mtd/inftlmount.c
index aab4f68bd36f..2d598412972d 100644
--- a/drivers/mtd/inftlmount.c
+++ b/drivers/mtd/inftlmount.c
@@ -334,28 +334,37 @@ static int memcmpb(void *a, int c, int n)
static int check_free_sectors(struct INFTLrecord *inftl, unsigned int address,
int len, int check_oob)
{
- u8 buf[SECTORSIZE + inftl->mbd.mtd->oobsize];
struct mtd_info *mtd = inftl->mbd.mtd;
size_t retlen;
- int i;
+ int i, ret;
+ u8 *buf;
+
+ buf = kmalloc(SECTORSIZE + mtd->oobsize, GFP_KERNEL);
+ if (!buf)
+ return -1;
+ ret = -1;
for (i = 0; i < len; i += SECTORSIZE) {
if (mtd_read(mtd, address, SECTORSIZE, &retlen, buf))
- return -1;
+ goto out;
if (memcmpb(buf, 0xff, SECTORSIZE) != 0)
- return -1;
+ goto out;
if (check_oob) {
if(inftl_read_oob(mtd, address, mtd->oobsize,
&retlen, &buf[SECTORSIZE]) < 0)
- return -1;
+ goto out;
if (memcmpb(buf + SECTORSIZE, 0xff, mtd->oobsize) != 0)
- return -1;
+ goto out;
}
address += SECTORSIZE;
}
- return 0;
+ ret = 0;
+
+out:
+ kfree(buf);
+ return ret;
}
/*
diff --git a/drivers/mtd/nftlmount.c b/drivers/mtd/nftlmount.c
index a6fbfa4e5799..6281da3dadac 100644
--- a/drivers/mtd/nftlmount.c
+++ b/drivers/mtd/nftlmount.c
@@ -272,28 +272,37 @@ static int memcmpb(void *a, int c, int n)
static int check_free_sectors(struct NFTLrecord *nftl, unsigned int address, int len,
int check_oob)
{
- u8 buf[SECTORSIZE + nftl->mbd.mtd->oobsize];
struct mtd_info *mtd = nftl->mbd.mtd;
size_t retlen;
- int i;
+ int i, ret;
+ u8 *buf;
+
+ buf = kmalloc(SECTORSIZE + mtd->oobsize, GFP_KERNEL);
+ if (!buf)
+ return -1;
+ ret = -1;
for (i = 0; i < len; i += SECTORSIZE) {
if (mtd_read(mtd, address, SECTORSIZE, &retlen, buf))
- return -1;
+ goto out;
if (memcmpb(buf, 0xff, SECTORSIZE) != 0)
- return -1;
+ goto out;
if (check_oob) {
if(nftl_read_oob(mtd, address, mtd->oobsize,
&retlen, &buf[SECTORSIZE]) < 0)
- return -1;
+ goto out;
if (memcmpb(buf + SECTORSIZE, 0xff, mtd->oobsize) != 0)
- return -1;
+ goto out;
}
address += SECTORSIZE;
}
- return 0;
+ ret = 0;
+
+out:
+ kfree(buf);
+ return ret;
}
/* NFTL_format: format a Erase Unit by erasing ALL Erase Zones in the Erase Unit and
--
2.7.4
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists