lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20190619140802.GB7168@minyard.net>
Date:   Wed, 19 Jun 2019 09:08:02 -0500
From:   Corey Minyard <minyard@....org>
To:     Arnd Bergmann <arnd@...db.de>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Asmaa Mnebhi <Asmaa@...lanox.com>, vadimp@...lanox.com,
        Corey Minyard <cminyard@...sta.com>,
        openipmi-developer@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ipmi: ipmb: don't allocate i2c_client on stack

On Wed, Jun 19, 2019 at 02:50:34PM +0200, Arnd Bergmann wrote:
> The i2c_client structure can be fairly large, which leads to
> a warning about possible kernel stack overflow in some
> configurations:
> 
> drivers/char/ipmi/ipmb_dev_int.c:115:16: error: stack frame size of 1032 bytes in function 'ipmb_write' [-Werror,-Wframe-larger-than=]
> 
> There is no real reason to even declare an i2c_client, as we can simply
> call i2c_smbus_xfer() directly instead of the i2c_smbus_write_block_data()
> wrapper.
> 
> Convert the ipmb_write() to use an open-coded i2c_smbus_write_block_data()
> here, without changing the behavior.
> 
> It seems that there is another problem with this implementation;
> when user space passes a length of more than I2C_SMBUS_BLOCK_MAX
> bytes, all the rest is silently ignored. This should probably be
> addressed in a separate patch, but I don't know what the intended
> behavior is here.
> 
> Fixes: 51bd6f291583 ("Add support for IPMB driver")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>

I broke up the line with the call to i2c_smbus_xfer(), which was
longer than 80 characters, but that's it, it's in the IPMI next queue.

Thanks,

-corey

> ---
>  drivers/char/ipmi/ipmb_dev_int.c | 20 ++++++++++----------
>  1 file changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c
> index 2895abf72e61..c9724f6cf32d 100644
> --- a/drivers/char/ipmi/ipmb_dev_int.c
> +++ b/drivers/char/ipmi/ipmb_dev_int.c
> @@ -117,7 +117,7 @@ static ssize_t ipmb_write(struct file *file, const char __user *buf,
>  {
>  	struct ipmb_dev *ipmb_dev = to_ipmb_dev(file);
>  	u8 rq_sa, netf_rq_lun, msg_len;
> -	struct i2c_client rq_client;
> +	union i2c_smbus_data data;
>  	u8 msg[MAX_MSG_LEN];
>  	ssize_t ret;
>  
> @@ -138,17 +138,17 @@ static ssize_t ipmb_write(struct file *file, const char __user *buf,
>  
>  	/*
>  	 * subtract rq_sa and netf_rq_lun from the length of the msg passed to
> -	 * i2c_smbus_write_block_data_local
> +	 * i2c_smbus_xfer
>  	 */
>  	msg_len = msg[IPMB_MSG_LEN_IDX] - SMBUS_MSG_HEADER_LENGTH;
> -
> -	strcpy(rq_client.name, "ipmb_requester");
> -	rq_client.adapter = ipmb_dev->client->adapter;
> -	rq_client.flags = ipmb_dev->client->flags;
> -	rq_client.addr = rq_sa;
> -
> -	ret = i2c_smbus_write_block_data(&rq_client, netf_rq_lun, msg_len,
> -					msg + SMBUS_MSG_IDX_OFFSET);
> +	if (msg_len > I2C_SMBUS_BLOCK_MAX)
> +		msg_len = I2C_SMBUS_BLOCK_MAX;
> +
> +	data.block[0] = msg_len;
> +	memcpy(&data.block[1], msg + SMBUS_MSG_IDX_OFFSET, msg_len);
> +	ret = i2c_smbus_xfer(ipmb_dev->client->adapter, rq_sa, ipmb_dev->client->flags,
> +			     I2C_SMBUS_WRITE, netf_rq_lun,
> +			     I2C_SMBUS_BLOCK_DATA, &data);
>  
>  	return ret ? : count;
>  }
> -- 
> 2.20.0
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ