diff mbox series

[next] dmaengine: stm32-mdma: Use struct_size() helper in devm_kzalloc()

Message ID 20210929222922.GA357509@embeddedor (mailing list archive)
State Mainlined
Commit ae8f13f0a6fdd7562e420b756daa9b807e05f775
Headers show
Series [next] dmaengine: stm32-mdma: Use struct_size() helper in devm_kzalloc() | expand

Commit Message

Gustavo A. R. Silva Sept. 29, 2021, 10:29 p.m. UTC 
Make use of the struct_size() helper instead of an open-coded version,
in order to avoid any potential type mistakes or integer overflows that,
in the worse scenario, could lead to heap overflows.

Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/dma/stm32-mdma.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Kees Cook Sept. 30, 2021, 6 p.m. UTC | #1 
On Wed, Sep 29, 2021 at 05:29:22PM -0500, Gustavo A. R. Silva wrote:
> Make use of the struct_size() helper instead of an open-coded version,
> in order to avoid any potential type mistakes or integer overflows that,
> in the worse scenario, could lead to heap overflows.
> 
> Link: https://github.com/KSPP/linux/issues/160
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Looks right to me.

Reviewed-by: Kees Cook <keescook@chromium.org>
Amelie Delaunay Oct. 1, 2021, 7:14 a.m. UTC | #2 
On 9/30/21 12:29 AM, Gustavo A. R. Silva wrote:
> Make use of the struct_size() helper instead of an open-coded version,
> in order to avoid any potential type mistakes or integer overflows that,
> in the worse scenario, could lead to heap overflows.
> 
> Link: https://github.com/KSPP/linux/issues/160
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>

> ---
>   drivers/dma/stm32-mdma.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c
> index 18cbd1e43c2e..d30a4a28d3bf 100644
> --- a/drivers/dma/stm32-mdma.c
> +++ b/drivers/dma/stm32-mdma.c
> @@ -1566,7 +1566,8 @@ static int stm32_mdma_probe(struct platform_device *pdev)
>   	if (count < 0)
>   		count = 0;
>   
> -	dmadev = devm_kzalloc(&pdev->dev, sizeof(*dmadev) + sizeof(u32) * count,
> +	dmadev = devm_kzalloc(&pdev->dev,
> +			      struct_size(dmadev, ahb_addr_masks, count),
>   			      GFP_KERNEL);
>   	if (!dmadev)
>   		return -ENOMEM;
>
Vinod Koul Oct. 1, 2021, 11:57 a.m. UTC | #3 
On 29-09-21, 17:29, Gustavo A. R. Silva wrote:
> Make use of the struct_size() helper instead of an open-coded version,
> in order to avoid any potential type mistakes or integer overflows that,
> in the worse scenario, could lead to heap overflows.

Applied, thanks
diff mbox series

Patch

diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c
index 18cbd1e43c2e..d30a4a28d3bf 100644
--- a/drivers/dma/stm32-mdma.c
+++ b/drivers/dma/stm32-mdma.c
@@ -1566,7 +1566,8 @@  static int stm32_mdma_probe(struct platform_device *pdev)
 	if (count < 0)
 		count = 0;
 
-	dmadev = devm_kzalloc(&pdev->dev, sizeof(*dmadev) + sizeof(u32) * count,
+	dmadev = devm_kzalloc(&pdev->dev,
+			      struct_size(dmadev, ahb_addr_masks, count),
 			      GFP_KERNEL);
 	if (!dmadev)
 		return -ENOMEM;