lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 24 Apr 2018 06:43:15 +0100
From:   Lee Jones <lee.jones@...aro.org>
To:     Kyle Spiers <ksspiers@...gle.com>
Cc:     linux-kernel@...r.kernel.org, keescook@...omium.org
Subject: Re: [PATCH] rave-sp: Remove VLA

On Mon, 23 Apr 2018, Kyle Spiers wrote:

> As part of the effort to remove VLAs from the kernel[1], this creates
> constants for the checksum lengths of CCITT and 8B2C and changes
> crc_calculated to be the maximum size of a checksum.
> 
> https://lkml.org/lkml/2018/3/7/621
> 
> Signed-off-by: Kyle Spiers <ksspiers@...gle.com>
> ---
>  drivers/mfd/rave-sp.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c
> index 5c858e784a89..99fa482419f9 100644
> --- a/drivers/mfd/rave-sp.c
> +++ b/drivers/mfd/rave-sp.c
> @@ -45,7 +45,9 @@
>  #define RAVE_SP_DLE			0x10
>  
>  #define RAVE_SP_MAX_DATA_SIZE		64
> -#define RAVE_SP_CHECKSUM_SIZE		2  /* Worst case scenario on RDU2 */
> +#define RAVE_SP_CHECKSUM_8B2C		1
> +#define RAVE_SP_CHECKSUM_CCITT		2
> +#define RAVE_SP_CHECKSUM_SIZE		RAVE_SP_CHECKSUM_CCITT
>  /*
>   * We don't store STX, ETX and unescaped bytes, so Rx is only
>   * DATA + CSUM
> @@ -415,7 +417,12 @@ static void rave_sp_receive_frame(struct rave_sp *sp,
>  	const size_t payload_length  = length - checksum_length;
>  	const u8 *crc_reported       = &data[payload_length];
>  	struct device *dev           = &sp->serdev->dev;
> -	u8 crc_calculated[checksum_length];
> +	u8 crc_calculated[RAVE_SP_CHECKSUM_SIZE];
> +
> +	if (unlikely(length > sizeof(crc_calculated))) {

Forgive me if I have this wrong (it's still very early here), but this
doesn't leave any room for the payload?

    <--       length         -->
    <ck len><- payload length ->
    [CK][CK][D][A][T][A] .. [64]

It is my hope that length would always be larger than the size of the
checksum, or else there would never be any data?

Should this not be:

    if (unlikely(length > RAVE_SP_MAX_DATA_SIZE))

Nit: Adding the check is also an unrelated change, so would require a
separate patch.

> +		dev_warn(dev, "Dropping oversized frame\n");
> +		return;
> +	}
>  
>  	print_hex_dump(KERN_DEBUG, "rave-sp rx: ", DUMP_PREFIX_NONE,
>  		       16, 1, data, length, false);

-- 
Lee Jones [李琼斯]
Linaro Services Technical Lead
Linaro.org │ Open source software for ARM SoCs
Follow Linaro: Facebook | Twitter | Blog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ