lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5jJD6Rcszn5T+jeJBESg_0VbERJh6JWMtZaWjGszer1zGQ@mail.gmail.com>
Date:   Mon, 23 Apr 2018 13:08:27 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Kyle Spiers <ksspiers@...gle.com>
Cc:     Lee Jones <lee.jones@...aro.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] rave-sp: Remove VLA

On Mon, Apr 23, 2018 at 1:02 PM, Kyle Spiers <ksspiers@...gle.com> wrote:
> As part of the effort to remove VLAs from the kernel[1], this creates
> constants for the checksum lengths of CCITT and 8B2C and changes
> crc_calculated to be the maximum size of a checksum.
>
> https://lkml.org/lkml/2018/3/7/621
>
> Signed-off-by: Kyle Spiers <ksspiers@...gle.com>

Reviewed-by: Kees Cook <keescook@...omium.org>

-Kees

> ---
>  drivers/mfd/rave-sp.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c
> index 5c858e784a89..99fa482419f9 100644
> --- a/drivers/mfd/rave-sp.c
> +++ b/drivers/mfd/rave-sp.c
> @@ -45,7 +45,9 @@
>  #define RAVE_SP_DLE                    0x10
>
>  #define RAVE_SP_MAX_DATA_SIZE          64
> -#define RAVE_SP_CHECKSUM_SIZE          2  /* Worst case scenario on RDU2 */
> +#define RAVE_SP_CHECKSUM_8B2C          1
> +#define RAVE_SP_CHECKSUM_CCITT         2
> +#define RAVE_SP_CHECKSUM_SIZE          RAVE_SP_CHECKSUM_CCITT
>  /*
>   * We don't store STX, ETX and unescaped bytes, so Rx is only
>   * DATA + CSUM
> @@ -415,7 +417,12 @@ static void rave_sp_receive_frame(struct rave_sp *sp,
>         const size_t payload_length  = length - checksum_length;
>         const u8 *crc_reported       = &data[payload_length];
>         struct device *dev           = &sp->serdev->dev;
> -       u8 crc_calculated[checksum_length];
> +       u8 crc_calculated[RAVE_SP_CHECKSUM_SIZE];
> +
> +       if (unlikely(length > sizeof(crc_calculated))) {
> +               dev_warn(dev, "Dropping oversized frame\n");
> +               return;
> +       }
>
>         print_hex_dump(KERN_DEBUG, "rave-sp rx: ", DUMP_PREFIX_NONE,
>                        16, 1, data, length, false);
> --
> 2.17.0.484.g0c8726318c-goog
>



-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ