Date: Wed, 18 Jul 2018 03:48:13 +0200
From: Adam Borowski
To: Nicolas Pitre
Cc: Greg Kroah-Hartman, Kees Cook, Geert Uytterhoeven, Dave Mielke, Samuel Thibault, linux-kernel@vger.kernel.org, linux-console@vger.kernel.org
Subject: Re: [PATCH 1/3] vt: avoid a VLA in the unicode screen scroll function
Message-ID: <20180718014813.ygcbgqxk4yo3ydbl@angband.pl>
In-Reply-To: <20180718010242.5254-2-nicolas.pitre@linaro.org>

On Tue, Jul 17, 2018 at 09:02:40PM -0400, Nicolas Pitre wrote:
> The nr argument is typically small: most often nr == 1. However this
> could be abused with a very large explicit scroll in a resized screen.
> Make the code scroll lines one at a time in all cases to avoid the VLA.
> Anything smarter is most likely not warranted here.

Even though nr can be 32767 at most, your new version is O(nr*nr) for no
reason. Instead of O(n) memory or O(n²) time, a variant of the original
that copies values one at a time would be shorter and faster.

> Requested-by: Kees Cook
> Signed-off-by: Nicolas Pitre
> ---
> drivers/tty/vt/vt.c | 18 ++++++++++--------
> 1 file changed, 10 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index 2d14bb195d..03e79f7787 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -433,20 +433,22 @@ static void vc_uniscr_scroll(struct vc_data *vc, unsigned int t, unsigned int b, > > if (uniscr) { > unsigned int s, d, rescue, clear; > - char32_t *save[nr]; > > s = clear = t; > - d = t + nr; > - rescue = b - nr; > + d = t + 1; > + rescue = b - 1; > if (dir == SM_UP) { > swap(s, d); > swap(clear, rescue); > } > - memcpy(save, uniscr->lines + rescue, nr * sizeof(*save)); > - memmove(uniscr->lines + d, uniscr->lines + s, > - (b - t - nr) * sizeof(*uniscr->lines)); > - memcpy(uniscr->lines + clear, save, nr * sizeof(*save)); > - vc_uniscr_clear_lines(vc, clear, nr); > + while (nr--) { > + char32_t *tmp; > + tmp = uniscr->lines[rescue]; > + memmove(uniscr->lines + d, uniscr->lines + s, > + (b - t - 1) * sizeof(*uniscr->lines)); > + uniscr->lines[clear] = tmp; > + vc_uniscr_clear_lines(vc, clear, 1); > + } > } > }

What the function does is rotating an array (slice [t..b) here), by nr if
SM_DOWN or by -nr i.e. (b - t - nr) if SM_UP. A nice problem that almost every
"code interview questions" book includes :)

Please say if you don't have time for such games, I've just refreshed what's
a good answer. :?

Meow.
--
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable And Non-Discriminatory prices.
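
Review bot: The added `while (nr--)` loop repeats a memmove of `(b - t - 1)` line pointers for every scrolled line, so the work is nr * (b - t - 1) pointer moves where the removed code did a single memmove; for the very large explicit scroll that the commit message names as the abuse case, this trades the stack-size problem for a CPU-time one. Consider rotating `uniscr->lines` over [t..b) in place in one pass (three reversals, or a cycle-following rotation), which needs only one `char32_t *` temporary, keeps the VLA out and stays linear in `b - t`. A short comment above the loop would also help, saying that `s`, `d`, `rescue` and `clear` are now fixed single-line offsets and that the loop consumes `nr`.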
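
The in-place rotation described in the reply above, as an added example that is not code from the thread or from the kernel: it rotates the row pointers in `lines[t..b)` by following cycles, so each pointer is moved once with a single temporary and no VLA. The names `rotate_lines`, `DEMO_SM_UP`, `DEMO_SM_DOWN` and the sample rows are assumptions made for the example, and clearing the wrapped rows afterwards is left out.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel's SM_UP / SM_DOWN constants. */
enum demo_dir { DEMO_SM_UP, DEMO_SM_DOWN };

/*
 * Rotate the row pointers lines[t..b) in place: by nr for DOWN, by
 * (b - t - nr) for UP. One temporary pointer, each row moved once.
 * Returns 0 on success, -1 if the range or nr is invalid.
 */
static int rotate_lines(uint32_t **lines, unsigned int t, unsigned int b,
			unsigned int nr, enum demo_dir dir)
{
	unsigned int n, k, start, moved = 0;

	if (b <= t || nr > b - t)
		return -1;	/* (b - t - nr) would underflow */
	n = b - t;
	k = (dir == DEMO_SM_UP ? n - nr : nr) % n;
	if (k == 0)
		return 0;
	/* Cycles starting at 0, 1, ... are disjoint; stop once all n rows moved. */
	for (start = 0; moved < n; start++) {
		unsigned int i = start;
		uint32_t *carry = lines[t + i];
		do {	/* new[(i + k) % n] = old[i], without overflowing i + k */
			unsigned int j = (i >= n - k) ? i - (n - k) : i + k;
			uint32_t *next = lines[t + j];
			lines[t + j] = carry;
			carry = next;
			i = j;
			moved++;
		} while (i != start);
	}
	return 0;
}

int main(void)
{
	uint32_t rows[5][1] = { {0}, {1}, {2}, {3}, {4} };	/* constructed rows */
	uint32_t *lines[5] = { rows[0], rows[1], rows[2], rows[3], rows[4] };

	rotate_lines(lines, 0, 5, 2, DEMO_SM_DOWN);
	for (int i = 0; i < 5; i++)
		printf("%u ", (unsigned int)lines[i][0]);
	printf("\n");
	return 0;
}
```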