| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202209071525.AFFA11872@keescook>
Date: Wed, 7 Sep 2022 15:25:40 -0700
From: Kees Cook <keescook@...omium.org>
To: "Gustavo A. R. Silva" <gustavoars@...nel.org>
Cc: Hans Verkuil <hverkuil@...all.nl>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH][next] media: usb: pwc-uncompress: Use flex array
destination for memcpy()
On Wed, Sep 07, 2022 at 07:55:44PM +0100, Gustavo A. R. Silva wrote:
> In preparation for FORTIFY_SOURCE performing run-time destination buffer
> bounds checking for memcpy(), specify the destination output buffer
> explicitly, instead of asking memcpy() to write past the end of what looked
> like a fixed-size object.
>
> Notice that raw_frame is a pointer to a structure that contains
> flexible-array member rawframe[]:
>
> drivers/media/usb/pwc/pwc.h:
> 190 struct pwc_raw_frame {
> 191 __le16 type; /* type of the webcam */
> 192 __le16 vbandlength; /* Size of 4 lines compressed (used by the
> 193 decompressor) */
> 194 __u8 cmd[4]; /* the four byte of the command (in case of
> 195 nala, only the first 3 bytes is filled) */
> 196 __u8 rawframe[]; /* frame_size = H / 4 * vbandlength */
> 197 } __packed;
>
> Link: https://github.com/KSPP/linux/issues/200
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
Thanks! Yeah, this looks very similar to other transformations like
this. And this one even had the flex array already! :)
Reviewed-by: Kees Cook <keescook@...omium.org>
--
Kees Cook
Powered by blists - more mailing lists