| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Jun 2018 13:00:03 +0300
From: Heikki Krogerus <heikki.krogerus@...ux.intel.com>
To: Kees Cook <keescook@...omium.org>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: [PATCH] usb: typec: tps6598x: Remove VLA usage
On Wed, Jun 20, 2018 at 11:28:40AM -0700, Kees Cook wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> uses the maximum buffer size and adds a sanity check.
>
> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> drivers/usb/typec/tps6598x.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/typec/tps6598x.c b/drivers/usb/typec/tps6598x.c
> index 4b4c8d271b27..396193f85e6d 100644
> --- a/drivers/usb/typec/tps6598x.c
> +++ b/drivers/usb/typec/tps6598x.c
> @@ -81,12 +81,17 @@ struct tps6598x {
> struct typec_capability typec_cap;
> };
>
> +#define TPS_MAX_LEN sizeof(u64)
That is not big enough. The registers of this chip can be as big as 64
bytes. The identity register alone is 25 bytes, so the above would
make the driver fail quite fast. Can you set the maximum to 64?
#define TPS_MAX_LEN 64
> static int
> tps6598x_block_read(struct tps6598x *tps, u8 reg, void *val, size_t len)
> {
> - u8 data[len + 1];
> + u8 data[TPS_MAX_LEN + 1];
> int ret;
>
> + if (WARN_ON(len + 1 > sizeof(data)))
> + return -EINVAL;
> +
> if (!tps->i2c_protocol)
> return regmap_raw_read(tps->regmap, reg, val, len);
Thanks,
--
heikki
Powered by blists - more mailing lists