From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753071AbcEGGg5 (ORCPT <rfc822;w@1wt.eu>);
	Sat, 7 May 2016 02:36:57 -0400
Received: from terminus.zytor.com ([198.137.202.10]:44276 "EHLO
	terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751930AbcEGGgz (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sat, 7 May 2016 02:36:55 -0400
Date: Fri, 6 May 2016 23:34:30 -0700
From: tip-bot for Matt Fleming <tipbot@zytor.com>
Message-ID: <tip-fb7a84cac03541f4da18dfa25b3f4767d4efc6fc@git.kernel.org>
Cc: hpa@zytor.com, dvlasenk@redhat.com, luto@amacapital.net, mingo@kernel.org,
        matt@codeblueprint.co.uk, dan.carpenter@oracle.com,
        ard.biesheuvel@linaro.org, bp@alien8.de, torvalds@linux-foundation.org,
        jlee@suse.com, hock.leong.kweh@intel.com, brgerst@gmail.com,
        tglx@linutronix.de, pure.logic@nexus-software.ie,
        linux-kernel@vger.kernel.org, peterz@infradead.org
Reply-To: brgerst@gmail.com, jlee@suse.com, hock.leong.kweh@intel.com,
        bp@alien8.de, torvalds@linux-foundation.org, peterz@infradead.org,
        pure.logic@nexus-software.ie, linux-kernel@vger.kernel.org,
        tglx@linutronix.de, luto@amacapital.net, dvlasenk@redhat.com,
        hpa@zytor.com, mingo@kernel.org, dan.carpenter@oracle.com,
        matt@codeblueprint.co.uk, ard.biesheuvel@linaro.org
In-Reply-To: <1462570771-13324-4-git-send-email-matt@codeblueprint.co.uk>
References: <1462570771-13324-4-git-send-email-matt@codeblueprint.co.uk>
To: linux-tip-commits@vger.kernel.org
Subject: [tip:efi/core] efi/capsule: Move 'capsule' to the stack in
 efi_capsule_supported()
Git-Commit-ID: fb7a84cac03541f4da18dfa25b3f4767d4efc6fc
X-Mailer: tip-git-log-daemon
Robot-ID: <tip-bot.git.kernel.org>
Robot-Unsubscribe: Contact <mailto:hpa@kernel.org> to get blacklisted from
 these emails
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit-ID:  fb7a84cac03541f4da18dfa25b3f4767d4efc6fc
Gitweb:     http://git.kernel.org/tip/fb7a84cac03541f4da18dfa25b3f4767d4efc6fc
Author:     Matt Fleming <matt@codeblueprint.co.uk>
AuthorDate: Fri, 6 May 2016 22:39:29 +0100
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Sat, 7 May 2016 07:06:13 +0200

efi/capsule: Move 'capsule' to the stack in efi_capsule_supported()

Dan Carpenter reports that passing the address of the pointer to the
kmalloc()'d memory for 'capsule' is dangerous:

 "drivers/firmware/efi/capsule.c:109 efi_capsule_supported()
  warn: did you mean to pass the address of 'capsule'

   108
   109          status = efi.query_capsule_caps(&capsule, 1, &max_size, reset);
                                                ^^^^^^^^
  If we modify capsule inside this function call then at the end of the
  function we aren't freeing the original pointer that we allocated."

Ard Biesheuvel noted that we don't even need to call kmalloc() since the
object we allocate isn't very big and doesn't need to persist after the
function returns.

Place 'capsule' on the stack instead.

Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Bryan O'Donoghue <pure.logic@nexus-software.ie>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kweh Hock Leong <hock.leong.kweh@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: joeyli <jlee@suse.com>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/1462570771-13324-4-git-send-email-matt@codeblueprint.co.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 drivers/firmware/efi/capsule.c | 29 +++++++++++------------------
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/drivers/firmware/efi/capsule.c b/drivers/firmware/efi/capsule.c
index e530540..53b9fd2 100644
--- a/drivers/firmware/efi/capsule.c
+++ b/drivers/firmware/efi/capsule.c
@@ -86,33 +86,26 @@ bool efi_capsule_pending(int *reset_type)
  */
 int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
 {
-	efi_capsule_header_t *capsule;
+	efi_capsule_header_t capsule;
+	efi_capsule_header_t *cap_list[] = { &capsule };
 	efi_status_t status;
 	u64 max_size;
-	int rv = 0;
 
 	if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
 		return -EINVAL;
 
-	capsule = kmalloc(sizeof(*capsule), GFP_KERNEL);
-	if (!capsule)
-		return -ENOMEM;
-
-	capsule->headersize = capsule->imagesize = sizeof(*capsule);
-	memcpy(&capsule->guid, &guid, sizeof(efi_guid_t));
-	capsule->flags = flags;
+	capsule.headersize = capsule.imagesize = sizeof(capsule);
+	memcpy(&capsule.guid, &guid, sizeof(efi_guid_t));
+	capsule.flags = flags;
 
-	status = efi.query_capsule_caps(&capsule, 1, &max_size, reset);
-	if (status != EFI_SUCCESS) {
-		rv = efi_status_to_err(status);
-		goto out;
-	}
+	status = efi.query_capsule_caps(cap_list, 1, &max_size, reset);
+	if (status != EFI_SUCCESS)
+		return efi_status_to_err(status);
 
 	if (size > max_size)
-		rv = -ENOSPC;
-out:
-	kfree(capsule);
-	return rv;
+		return -ENOSPC;
+
+	return 0;
 }
 EXPORT_SYMBOL_GPL(efi_capsule_supported);