| Message ID | 20230630063132.314700-1-yguoaz@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Series | [v2] iio: cros_ec: Fix the allocation size for cros_ec_command |
On Fri, Jun 30, 2023 at 02:31:32PM +0800, Yiyuan Guo wrote:
> The struct cros_ec_command contains several integer fields and a
> trailing array. An allocation size neglecting the integer fields can
> lead to buffer overrun.
>
> Signed-off-by: Yiyuan Guo <yguoaz@gmail.com>

You could attach my R-b tag as v2 has no major changes from v1.

> ---

Always a good practice to put changelog here. Search "changelog" in [1].

[1]: https://www.kernel.org/doc/html/latest/process/submitting-patches.html

> @@ -253,8 +253,8 @@ int cros_ec_sensors_core_init(struct platform_device *pdev,
> platform_set_drvdata(pdev, indio_dev);
>
> state->ec = ec->ec_dev;
> - state->msg = devm_kzalloc(&pdev->dev,
> - max((u16)sizeof(struct ec_params_motion_sense),
> + state->msg = devm_kzalloc(&pdev->dev, sizeof(*state->msg) +
> + max((u16)sizeof(struct ec_params_motion_sense),
> state->ec->max_response), GFP_KERNEL);

While looking at the patch again, I found a nit. Please align the code by adding an extra tab before "max".
diff --git a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c index 943e9e14d1e9..e4c01f1072bd 100644 --- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c +++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c @@ -253,8 +253,8 @@ int cros_ec_sensors_core_init(struct platform_device *pdev, platform_set_drvdata(pdev, indio_dev); state->ec = ec->ec_dev; - state->msg = devm_kzalloc(&pdev->dev, - max((u16)sizeof(struct ec_params_motion_sense), + state->msg = devm_kzalloc(&pdev->dev, sizeof(*state->msg) + + max((u16)sizeof(struct ec_params_motion_sense), state->ec->max_response), GFP_KERNEL); if (!state->msg) return -ENOMEM;
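Review bot: the new size expression in the @@ -253,8 +253,8 @@ hunk, `sizeof(*state->msg) + max((u16)sizeof(struct ec_params_motion_sense), state->ec->max_response)`, open-codes a header-plus-trailing-array allocation; the kernel's struct_size() helper from <linux/overflow.h> is the idiomatic way to write that size for a struct ending in a flexible array, and it saturates instead of wrapping if the operands are ever unexpectedly large, so consider `devm_kzalloc(&pdev->dev, struct_size(state->msg, <flexible-array member>, max(...)), GFP_KERNEL)`. Separately, the commit message as quoted carries no Fixes: tag even though the patch corrects an undersized allocation that the description says can be overrun; a Fixes: tag pointing at the commit that introduced the short size (and a Cc: stable) would let the correction be picked up by the affected stable trees.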
The struct cros_ec_command contains several integer fields and a trailing array. An allocation size neglecting the integer fields can lead to buffer overrun.

Signed-off-by: Yiyuan Guo <yguoaz@gmail.com>
---
 drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)