| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Jun 2019 09:08:02 -0500
From: Corey Minyard <minyard@....org>
To: Arnd Bergmann <arnd@...db.de>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Asmaa Mnebhi <Asmaa@...lanox.com>, vadimp@...lanox.com,
Corey Minyard <cminyard@...sta.com>,
openipmi-developer@...ts.sourceforge.net,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ipmi: ipmb: don't allocate i2c_client on stack
On Wed, Jun 19, 2019 at 02:50:34PM +0200, Arnd Bergmann wrote:
> The i2c_client structure can be fairly large, which leads to
> a warning about possible kernel stack overflow in some
> configurations:
>
> drivers/char/ipmi/ipmb_dev_int.c:115:16: error: stack frame size of 1032 bytes in function 'ipmb_write' [-Werror,-Wframe-larger-than=]
>
> There is no real reason to even declare an i2c_client, as we can simply
> call i2c_smbus_xfer() directly instead of the i2c_smbus_write_block_data()
> wrapper.
>
> Convert the ipmb_write() to use an open-coded i2c_smbus_write_block_data()
> here, without changing the behavior.
>
> It seems that there is another problem with this implementation;
> when user space passes a length of more than I2C_SMBUS_BLOCK_MAX
> bytes, all the rest is silently ignored. This should probably be
> addressed in a separate patch, but I don't know what the intended
> behavior is here.
>
> Fixes: 51bd6f291583 ("Add support for IPMB driver")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
I broke up the line with the call to i2c_smbus_xfer(), which was
longer than 80 characters, but that's it, it's in the IPMI next queue.
Thanks,
-corey
> ---
> drivers/char/ipmi/ipmb_dev_int.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c
> index 2895abf72e61..c9724f6cf32d 100644
> --- a/drivers/char/ipmi/ipmb_dev_int.c
> +++ b/drivers/char/ipmi/ipmb_dev_int.c
> @@ -117,7 +117,7 @@ static ssize_t ipmb_write(struct file *file, const char __user *buf,
> {
> struct ipmb_dev *ipmb_dev = to_ipmb_dev(file);
> u8 rq_sa, netf_rq_lun, msg_len;
> - struct i2c_client rq_client;
> + union i2c_smbus_data data;
> u8 msg[MAX_MSG_LEN];
> ssize_t ret;
>
> @@ -138,17 +138,17 @@ static ssize_t ipmb_write(struct file *file, const char __user *buf,
>
> /*
> * subtract rq_sa and netf_rq_lun from the length of the msg passed to
> - * i2c_smbus_write_block_data_local
> + * i2c_smbus_xfer
> */
> msg_len = msg[IPMB_MSG_LEN_IDX] - SMBUS_MSG_HEADER_LENGTH;
> -
> - strcpy(rq_client.name, "ipmb_requester");
> - rq_client.adapter = ipmb_dev->client->adapter;
> - rq_client.flags = ipmb_dev->client->flags;
> - rq_client.addr = rq_sa;
> -
> - ret = i2c_smbus_write_block_data(&rq_client, netf_rq_lun, msg_len,
> - msg + SMBUS_MSG_IDX_OFFSET);
> + if (msg_len > I2C_SMBUS_BLOCK_MAX)
> + msg_len = I2C_SMBUS_BLOCK_MAX;
> +
> + data.block[0] = msg_len;
> + memcpy(&data.block[1], msg + SMBUS_MSG_IDX_OFFSET, msg_len);
> + ret = i2c_smbus_xfer(ipmb_dev->client->adapter, rq_sa, ipmb_dev->client->flags,
> + I2C_SMBUS_WRITE, netf_rq_lun,
> + I2C_SMBUS_BLOCK_DATA, &data);
>
> return ret ? : count;
> }
> --
> 2.20.0
>
Powered by blists - more mailing lists