Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4810958imm; Fri, 18 May 2018 11:02:22 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqZC61HkwlznMQQP7Ge4oTbl2CDszfuCqX+LtYz+VY+v8H6fHsqqzWMVEuzkP+sJR/fBnlR X-Received: by 2002:a62:4fd8:: with SMTP id f85-v6mr10426191pfj.77.1526666542833; Fri, 18 May 2018 11:02:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526666542; cv=none; d=google.com; s=arc-20160816; b=jXNJu2SUCehHfTEkDdywCqad1KByHBuXrvbxaNv2cVpLpBCqzGeAK5zZJ4+h5atXR6 JG3waul9j1pi7Ay4bHL4VIRRnaXD2fmESGvun96dEf0Ww5CA/YI0tvG74SET0f4puKuF UixR8HHurxyJhUUpyBMy+cDcOauFo7Ipda8fH9gR4o/WUhEOxI6GUBcN6jew2f7vBGyt ZbpApCPgH0kcgFUGDJ7F7Fcqxj5HlOGozvJz6tLLtOEerSTQP9z42qCueEv7unzKPp8/ et1SPY0iLLKIyx1FiMxFftMq5jUNQdvhtTdhUNeh+vrElozFvvmScpR2/V+P/9WOpEWu uvtQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=5OllvNE/6v5sSCjsLvrBaWpGjOsgYCb8FK2DS6o+cg8=; b=B3OBVpH74HId2LCk4x9Ojp3m3r9HozgwbhkIZvfKP4WlhgGuDAgB4HaHJqE9+GurLU qPbLdSwVhATqGWHSg9fPAQhoaO/Hb5cnH3973GPS1ABxwyZvF0joND2tUgNwJsJjN0jw Llycfrf5uHLgAyCmk+YO+Gb4vHr2Ru7tPWMeRLdDylH85mcsyJBWvp/2Sp6JkjeX3GXE HL3fcWjs74M/v9kuPFj7wI7PGJuuNYsyAcKKVrmrX5kbdljA7KIVODtiUpCLwkit2Kpu rOkL7NS4klbKmOu/NnUqEyoroNeidNfRXRULg+UBa5N7ArzxyhTI/twgx6oe3RQGmLJF arSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=Io2XutrL; dkim=fail header.i=@chromium.org header.s=google header.b=AiPhDeV1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p1-v6si7610209pfn.269.2018.05.18.11.02.07; Fri, 18 May 2018 11:02:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=Io2XutrL; dkim=fail header.i=@chromium.org header.s=google header.b=AiPhDeV1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751943AbeERSB6 (ORCPT + 99 others); Fri, 18 May 2018 14:01:58 -0400 Received: from mail-ua0-f193.google.com ([209.85.217.193]:46800 "EHLO mail-ua0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751542AbeERSB4 (ORCPT ); Fri, 18 May 2018 14:01:56 -0400 Received: by mail-ua0-f193.google.com with SMTP id e8-v6so5903776uam.13 for ; Fri, 18 May 2018 11:01:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=5OllvNE/6v5sSCjsLvrBaWpGjOsgYCb8FK2DS6o+cg8=; b=Io2XutrL1ROrkajldxK7L/pW0ExqRs+MMwt2y1/8UBIbswKODAutwKK/YfHpIvG9Ej Hgf7Um5WBzz93qwiWM7lPs1+YM5J7GUUK9i1VpQu8h//8kveSjRJA5uIBTeQqjhAvcj8 3hmCPIz+YaCV/O1lGYEUBiBEc9XUG8tNUP4WIaxU6BdSojUNPXHt4gcXE3UMW8pVlVTm OT5NjgbpGsryEQIlmrqeCUnSHr2ZU/VyrmmZfeH+wvusc66DpQbrfrKEzez0zrwszQna sSPMXw6vO0kX9C09pH26LmzWcupHJwt746X5xDQVYjAeJYIsZfmKecD3R8UU+orcTQ0M ud3w== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=5OllvNE/6v5sSCjsLvrBaWpGjOsgYCb8FK2DS6o+cg8=; b=AiPhDeV1HtgClVRPVaLz5+T0hqzrJIR+FyL8+MvVGXgZx6Ox3M7/6G+dNPM1bVcBGS 02AbamWzO5sxTsuBJq1bJAyi2QIXTvamnC+qbpAjvAlFYQ7xslN34e6LdXFcla4WslpL t0Nzl/APIJ0d37V71ThgZFF87SSCtiNjoYn5A= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=5OllvNE/6v5sSCjsLvrBaWpGjOsgYCb8FK2DS6o+cg8=; b=CBNcMtuDeAq7aYWQ5tz7SKm4d3+mZQWT1mAbhL/qrF5YxAYSawNFe0VGuF29tJFarE 1Pchy9Lr0ag+T6pgGoYbA9zLoyjjED7gM97XCMhltVQQycoJ90JV4tD3WIJADjq++Muy tug64OjqkFxyalVLxSlGsOn8aJtUxOTdhgcInNRlsHSAeHPcv7g0fRB7U7D2oIVvErxF uM5Xzgm7lNR1t3LppoleCAEOzOoCwPAKm1Er3II9unsYLEGJe6K0k9YBS3n2BK2wnZ1G uy3giI7SDUUhAQXXCUTFUY036oU9ocJ8cvuyQThPzbrvYUYV5gg3pUthFXKIKquPUNuw 55kQ== X-Gm-Message-State: ALKqPwe48ErUlCSo/c1oCnAR/7dL5x3TU3FxpszU1/n4x4LKgK1YoeQR VkcrSjJ6quXi30LZY6sBn7IrfqbOO7CBEtt47Kt0Yg== X-Received: by 2002:a9f:3bd5:: with SMTP id y21-v6mr8099665uah.167.1526666515803; Fri, 18 May 2018 11:01:55 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a1f:bd1:0:0:0:0:0 with HTTP; Fri, 18 May 2018 11:01:55 -0700 (PDT) In-Reply-To: <20180411010330.17866-1-labbott@redhat.com> References: <20180411010330.17866-1-labbott@redhat.com> From: Kees Cook Date: Fri, 18 May 2018 11:01:55 -0700 X-Google-Sender-Auth: zdLABaMZCfNE1crLVq1ccl7lsq8 Message-ID: Subject: Re: [PATCHv2] drm/i2c: tda998x: Remove VLA usage To: Daniel Vetter Cc: Laura Abbott , Russell King , David Airlie , Maling list - DRI developers , LKML , Kernel Hardening Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 10, 2018 at 6:03 PM, Laura Abbott wrote: > There's an ongoing effort to remove VLAs[1] from the kernel to eventually > turn on -Wvla. The vla in reg_write_range is based on the length of data > passed. The one use of a non-constant size for this range is bounded by > the size buffer passed to hdmi_infoframe_pack which is a fixed size. > Switch to this upper bound. > > [1] https://lkml.org/lkml/2018/3/7/621 > > Signed-off-by: Laura Abbott Reviewed-by: Kees Cook Same question for this patch: who's best to take this? Thanks! -Kees > --- > v2: Switch to make the buffer size more transparent and add a bounds > check. > --- > drivers/gpu/drm/i2c/tda998x_drv.c | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/i2c/tda998x_drv.c b/drivers/gpu/drm/i2c/tda998x_drv.c > index 9e67a7b4e3a4..c8b6029b7839 100644 > --- a/drivers/gpu/drm/i2c/tda998x_drv.c > +++ b/drivers/gpu/drm/i2c/tda998x_drv.c > @@ -466,13 +466,22 @@ reg_read_range(struct tda998x_priv *priv, u16 reg, char *buf, int cnt) > return ret; > } > > +#define MAX_WRITE_RANGE_BUF 32 > + > static void > reg_write_range(struct tda998x_priv *priv, u16 reg, u8 *p, int cnt) > { > struct i2c_client *client = priv->hdmi; > - u8 buf[cnt+1]; > + /* This is the maximum size of the buffer passed in */ > + u8 buf[MAX_WRITE_RANGE_BUF + 1]; > int ret; > > + if (cnt > MAX_WRITE_RANGE_BUF) { > + dev_err(&client->dev, "Fixed write buffer too small (%d)\n", > + MAX_WRITE_RANGE_BUF); > + return; > + } > + > buf[0] = REG2ADDR(reg); > memcpy(&buf[1], p, cnt); > > @@ -679,7 +688,7 @@ static void > tda998x_write_if(struct tda998x_priv *priv, u8 bit, u16 addr, > union hdmi_infoframe *frame) > { > - u8 buf[32]; > + u8 buf[MAX_WRITE_RANGE_BUF]; > ssize_t len; > > len = hdmi_infoframe_pack(frame, buf, sizeof(buf)); > -- > 2.14.3 > -- Kees Cook Pixel Security