* [PATCH] sparc64: viohs: Remove VLA usage
From: Kees Cook @ 2018-09-05 22:03 UTC
To: David S. Miller; +Cc: Allen Pais, Philippe Ombredanne, sparclinux, linux-kernel
In the quest to remove all stack VLA usage from the kernel[1], this
allocates a fixed size array for the maximum number of cookies and
adds a runtime sanity check.
[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1
RqZWA@mail.gmail.com
Signed-off-by: Kees Cook <keescook@chromium.org>
---
arch/sparc/kernel/viohs.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/arch/sparc/kernel/viohs.c b/arch/sparc/kernel/viohs.c
index 635d67ffc9a3..7db5aabe9708 100644
--- a/arch/sparc/kernel/viohs.c
+++ b/arch/sparc/kernel/viohs.c
@@ -180,11 +180,17 @@ static int send_dreg(struct vio_driver_state *vio)
struct vio_dring_register pkt;
char all[sizeof(struct vio_dring_register) +
(sizeof(struct ldc_trans_cookie) *
- dr->ncookies)];
+ VIO_MAX_RING_COOKIES)];
} u;
+ size_t bytes = sizeof(struct vio_dring_register) +
+ (sizeof(struct ldc_trans_cookie) *
+ dr->ncookies);
int i;
- memset(&u, 0, sizeof(u));
+ if (WARN_ON(bytes > sizeof(u)))
+ return -EINVAL;
+
+ memset(&u, 0, bytes);
init_tag(&u.pkt.tag, VIO_TYPE_CTRL, VIO_SUBTYPE_INFO, VIO_DRING_REG);
u.pkt.dring_ident = 0;
u.pkt.num_descr = dr->num_entries;
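Review bot: the guard `if (WARN_ON(bytes > sizeof(u)))` states the bound only indirectly; since `sizeof(u)` is itself derived from `VIO_MAX_RING_COOKIES`, comparing `dr->ncookies > VIO_MAX_RING_COOKIES` directly would make the invariant being enforced obvious to the reader and avoid any reasoning about union padding. Separately, `all[]` now reserves room for the maximum cookie count on every call to send_dreg(), so it is worth confirming the resulting stack frame stays under the kernel's frame-size warning threshold; a one-line comment noting that `bytes` (not `sizeof(u)`) is the length actually populated and sent would also help future readers, because `memset(&u, 0, bytes)` deliberately clears less than the full union.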
@@ -206,7 +212,7 @@ static int send_dreg(struct vio_driver_state *vio)
(unsigned long long) u.pkt.cookies[i].cookie_size);
}
- return send_ctrl(vio, &u.pkt.tag, sizeof(u));
+ return send_ctrl(vio, &u.pkt.tag, bytes);
}
static int send_rdx(struct vio_driver_state *vio)
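Review bot: switching the length argument from `sizeof(u)` to `bytes` in `send_ctrl(vio, &u.pkt.tag, bytes)` is essential, not cosmetic: with the old VLA, `sizeof(u)` was exactly `ncookies` cookies, but with the fixed-size array it would now cover `VIO_MAX_RING_COOKIES` cookies and transmit uninitialised trailing slots across the LDC channel. A brief note in the commit message that this keeps the wire length unchanged would make the intent explicit for anyone bisecting later.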
--
2.17.1
--
Kees Cook
Pixel Security
* Re: [PATCH] sparc64: viohs: Remove VLA usage
From: Kees Cook @ 2018-09-25 3:17 UTC
To: David S. Miller; +Cc: Allen Pais, Philippe Ombredanne, sparclinux, LKML
On Wed, Sep 5, 2018 at 3:03 PM, Kees Cook <keescook@chromium.org> wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> allocates a fixed size array for the maximum number of cookies and
> adds a runtime sanity check.
>
> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1
> RqZWA@mail.gmail.com
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
Friendly ping. Dave, can you take this?
Thanks!
-Kees
> ---
> arch/sparc/kernel/viohs.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/arch/sparc/kernel/viohs.c b/arch/sparc/kernel/viohs.c
> index 635d67ffc9a3..7db5aabe9708 100644
> --- a/arch/sparc/kernel/viohs.c
> +++ b/arch/sparc/kernel/viohs.c
> @@ -180,11 +180,17 @@ static int send_dreg(struct vio_driver_state *vio)
> struct vio_dring_register pkt;
> char all[sizeof(struct vio_dring_register) +
> (sizeof(struct ldc_trans_cookie) *
> - dr->ncookies)];
> + VIO_MAX_RING_COOKIES)];
> } u;
> + size_t bytes = sizeof(struct vio_dring_register) +
> + (sizeof(struct ldc_trans_cookie) *
> + dr->ncookies);
> int i;
>
> - memset(&u, 0, sizeof(u));
> + if (WARN_ON(bytes > sizeof(u)))
> + return -EINVAL;
> +
> + memset(&u, 0, bytes);
> init_tag(&u.pkt.tag, VIO_TYPE_CTRL, VIO_SUBTYPE_INFO, VIO_DRING_REG);
> u.pkt.dring_ident = 0;
> u.pkt.num_descr = dr->num_entries;
> @@ -206,7 +212,7 @@ static int send_dreg(struct vio_driver_state *vio)
> (unsigned long long) u.pkt.cookies[i].cookie_size);
> }
>
> - return send_ctrl(vio, &u.pkt.tag, sizeof(u));
> + return send_ctrl(vio, &u.pkt.tag, bytes);
> }
>
> static int send_rdx(struct vio_driver_state *vio)
> --
> 2.17.1
>
>
> --
> Kees Cook
> Pixel Security
--
Kees Cook
Pixel Security
* Re: [PATCH] sparc64: viohs: Remove VLA usage
From: David Miller @ 2018-09-25 3:22 UTC
To: keescook; +Cc: allen.pais, pombredanne, sparclinux, linux-kernel
From: Kees Cook <keescook@chromium.org>
Date: Mon, 24 Sep 2018 20:17:55 -0700
> On Wed, Sep 5, 2018 at 3:03 PM, Kees Cook <keescook@chromium.org> wrote:
>> In the quest to remove all stack VLA usage from the kernel[1], this
>> allocates a fixed size array for the maximum number of cookies and
>> adds a runtime sanity check.
>>
>> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1
>> RqZWA@mail.gmail.com
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>
> Friendly ping. Dave, can you take this?
I'll try to get to this soon, kinda backlogged at the moment.
Sorry.
* Re: [PATCH] sparc64: viohs: Remove VLA usage
From: David Miller @ 2018-10-08 5:57 UTC
To: keescook; +Cc: allen.pais, pombredanne, sparclinux, linux-kernel
From: Kees Cook <keescook@chromium.org>
Date: Wed, 5 Sep 2018 15:03:51 -0700
> In the quest to remove all stack VLA usage from the kernel[1], this
> allocates a fixed size array for the maximum number of cookies and
> adds a runtime sanity check.
>
> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1
> RqZWA@mail.gmail.com
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
Applied.