From patchwork Wed Apr 11 01:03:30 2018
X-Patchwork-Submitter: Laura Abbott
X-Patchwork-Id: 10334695
From: Laura Abbott
To: Russell King, David Airlie
Cc: Laura Abbott, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Kees Cook
Subject: [PATCHv2] drm/i2c: tda998x: Remove VLA usage
Date: Tue, 10 Apr 2018 18:03:30 -0700
Message-Id: <20180411010330.17866-1-labbott@redhat.com>

There's an ongoing effort to remove VLAs[1] from the kernel to eventually
turn on -Wvla. The VLA in reg_write_range is based on the length of data
passed. The one use of a non-constant size for this range is bounded by
the size buffer passed to hdmi_infoframe_pack which is a fixed size.
Switch to this upper bound.

[1] https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Laura Abbott
Reviewed-by: Kees Cook
---
v2: Switch to make the buffer size more transparent and add a bounds check.
---
 drivers/gpu/drm/i2c/tda998x_drv.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i2c/tda998x_drv.c b/drivers/gpu/drm/i2c/tda998x_drv.c index 9e67a7b4e3a4..c8b6029b7839 100644 --- a/drivers/gpu/drm/i2c/tda998x_drv.c +++ b/drivers/gpu/drm/i2c/tda998x_drv.c
@@ -466,13 +466,22 @@ reg_read_range(struct tda998x_priv *priv, u16 reg, char *buf, int cnt) return ret; } +#define MAX_WRITE_RANGE_BUF 32 + static void reg_write_range(struct tda998x_priv *priv, u16 reg, u8 *p, int cnt) { struct i2c_client *client = priv->hdmi; - u8 buf[cnt+1]; + /* This is the maximum size of the buffer passed in */ + u8 buf[MAX_WRITE_RANGE_BUF + 1]; int ret; + if (cnt > MAX_WRITE_RANGE_BUF) { + dev_err(&client->dev, "Fixed write buffer too small (%d)\n", + MAX_WRITE_RANGE_BUF); + return; + } + buf[0] = REG2ADDR(reg); memcpy(&buf[1], p, cnt); @@ -679,7 +688,7 @@ static void tda998x_write_if(struct tda998x_priv *priv, u8 bit, u16 addr, union hdmi_infoframe *frame) { - u8 buf[32]; + u8 buf[MAX_WRITE_RANGE_BUF]; ssize_t len; len = hdmi_infoframe_pack(frame, buf, sizeof(buf));
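Review bot: in reg_write_range the new guard `if (cnt > MAX_WRITE_RANGE_BUF)` checks only the upper bound, while cnt is a signed int that goes straight into `memcpy(&buf[1], p, cnt);`, so a negative value passes the check and is converted to a very large copy size. Consider rejecting cnt < 0 in the same test or making the parameter unsigned. The dev_err text also prints MAX_WRITE_RANGE_BUF rather than the cnt that was refused, and since the function returns void the caller gets no indication that the write was dropped; logging cnt would make the message actionable.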
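Review bot: in tda998x_write_if, `u8 buf[MAX_WRITE_RANGE_BUF];` couples the infoframe pack buffer to the I2C write limit without saying so, and the only explanation is the comment inside reg_write_range. A short comment at the #define or at this declaration stating that the two sizes are meant to stay equal would help a later change to either buffer keep them in step.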