| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tkrat.af1058f9e26f4dba@s5r6.in-berlin.de>
Date: Thu, 8 Oct 2009 00:40:38 +0200 (CEST)
From: Stefan Richter <stefanr@...6.in-berlin.de>
To: linux1394-devel@...ts.sourceforge.net
cc: linux-kernel@...r.kernel.org
Subject: [PATCH 3/8] firewire: cdev: reduce stack usage by ioctl_dispatch
Shrink the stack-allocated ioctl argument buffer from 256 to 40 bytes.
This is the maximum of what we currently need for all ioctls.
Also, turn runtime checks of the buffer size into compile-time checks.
This involves a few more lines of code but they are all taken care of by
the compiler's dead code elimination, and this way the buffer size
should actually be a little easier to update when new ioctls are added.
Signed-off-by: Stefan Richter <stefanr@...6.in-berlin.de>
---
drivers/firewire/core-cdev.c | 41 ++++++++++++++++++++++++++---------
1 file changed, 30 insertions(+), 11 deletions(-)
Index: linux-2.6.31/drivers/firewire/core-cdev.c
===================================================================
--- linux-2.6.31.orig/drivers/firewire/core-cdev.c
+++ linux-2.6.31/drivers/firewire/core-cdev.c
@@ -1299,28 +1299,47 @@ static int (* const ioctl_handlers[])(st
static int dispatch_ioctl(struct client *client,
unsigned int cmd, void __user *arg)
{
- char buffer[256];
+ char buffer[40];
int ret;
+#define check_ioctl_size(x) BUILD_BUG_ON(_IOC_SIZE(x) > sizeof(buffer))
+
+ check_ioctl_size(FW_CDEV_IOC_GET_INFO);
+ check_ioctl_size(FW_CDEV_IOC_SEND_REQUEST);
+ check_ioctl_size(FW_CDEV_IOC_ALLOCATE);
+ check_ioctl_size(FW_CDEV_IOC_DEALLOCATE);
+ check_ioctl_size(FW_CDEV_IOC_SEND_RESPONSE);
+ check_ioctl_size(FW_CDEV_IOC_INITIATE_BUS_RESET);
+ check_ioctl_size(FW_CDEV_IOC_ADD_DESCRIPTOR);
+ check_ioctl_size(FW_CDEV_IOC_REMOVE_DESCRIPTOR);
+ check_ioctl_size(FW_CDEV_IOC_CREATE_ISO_CONTEXT);
+ check_ioctl_size(FW_CDEV_IOC_QUEUE_ISO);
+ check_ioctl_size(FW_CDEV_IOC_START_ISO);
+ check_ioctl_size(FW_CDEV_IOC_STOP_ISO);
+ check_ioctl_size(FW_CDEV_IOC_GET_CYCLE_TIMER);
+ check_ioctl_size(FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE);
+ check_ioctl_size(FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE);
+ check_ioctl_size(FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE);
+ check_ioctl_size(FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE);
+ check_ioctl_size(FW_CDEV_IOC_GET_SPEED);
+ check_ioctl_size(FW_CDEV_IOC_SEND_BROADCAST_REQUEST);
+ check_ioctl_size(FW_CDEV_IOC_SEND_STREAM_PACKET);
+
if (_IOC_TYPE(cmd) != '#' ||
_IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers))
return -EINVAL;
- if (_IOC_DIR(cmd) & _IOC_WRITE) {
- if (_IOC_SIZE(cmd) > sizeof(buffer) ||
- copy_from_user(buffer, arg, _IOC_SIZE(cmd)))
- return -EFAULT;
- }
+ if (_IOC_DIR(cmd) & _IOC_WRITE &&
+ copy_from_user(buffer, arg, _IOC_SIZE(cmd)))
+ return -EFAULT;
ret = ioctl_handlers[_IOC_NR(cmd)](client, buffer);
if (ret < 0)
return ret;
- if (_IOC_DIR(cmd) & _IOC_READ) {
- if (_IOC_SIZE(cmd) > sizeof(buffer) ||
- copy_to_user(arg, buffer, _IOC_SIZE(cmd)))
- return -EFAULT;
- }
+ if (_IOC_DIR(cmd) & _IOC_READ &&
+ copy_to_user(arg, buffer, _IOC_SIZE(cmd)))
+ return -EFAULT;
return ret;
}
--
Stefan Richter
-=====-==--= =-=- -=---
http://arcgraph.de/sr/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists