lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180621100003.GF2847@kuha.fi.intel.com>
Date:   Thu, 21 Jun 2018 13:00:03 +0300
From:   Heikki Krogerus <heikki.krogerus@...ux.intel.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: [PATCH] usb: typec: tps6598x: Remove VLA usage

On Wed, Jun 20, 2018 at 11:28:40AM -0700, Kees Cook wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> uses the maximum buffer size and adds a sanity check.
> 
> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
> 
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
>  drivers/usb/typec/tps6598x.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/typec/tps6598x.c b/drivers/usb/typec/tps6598x.c
> index 4b4c8d271b27..396193f85e6d 100644
> --- a/drivers/usb/typec/tps6598x.c
> +++ b/drivers/usb/typec/tps6598x.c
> @@ -81,12 +81,17 @@ struct tps6598x {
>  	struct typec_capability typec_cap;
>  };
>  
> +#define TPS_MAX_LEN	sizeof(u64)

That is not big enough. The registers of this chip can be as big as 64
bytes. The identity register alone is 25 bytes, so the above would
make the driver fail quite fast. Can you set the maximum to 64?

#define TPS_MAX_LEN	64

>  static int
>  tps6598x_block_read(struct tps6598x *tps, u8 reg, void *val, size_t len)
>  {
> -	u8 data[len + 1];
> +	u8 data[TPS_MAX_LEN + 1];
>  	int ret;
>  
> +	if (WARN_ON(len + 1 > sizeof(data)))
> +		return -EINVAL;
> +
>  	if (!tps->i2c_protocol)
>  		return regmap_raw_read(tps->regmap, reg, val, len);

Thanks,

-- 
heikki

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ