In the quest to remove all stack VLA usage from the kernel[1], this removes the on-stack working buffers in favor of pre-allocated working buffers (which were already used in other places). Since these routines must already be serialized (since they work on bch->ecc_buf), adding the usage of bch->ecc_work would be similarly safe. Additionally, since "max m" is only 15, this was adjusted to just use a fixed size array in those cases.
[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com Signed-off-by: Kees Cook <[email protected]> --- This is directed at linux-mtd because it's the only user of this library and it's how it originally entered the kernel tree... --- include/linux/bch.h | 4 ++-- lib/bch.c | 27 +++++++++++++++------------ 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/include/linux/bch.h b/include/linux/bch.h index 295b4ef153bb..4d46e6a73319 100644 --- a/include/linux/bch.h +++ b/include/linux/bch.h @@ -39,7 +39,7 @@ * @a_log_tab: Galois field GF(2^m) log lookup table * @mod8_tab: remainder generator polynomial lookup tables * @ecc_buf: ecc parity words buffer - * @ecc_buf2: ecc parity words buffer + * @ecc_work: ecc parity words working buffer * @xi_tab: GF(2^m) base for solving degree 2 polynomial roots * @syn: syndrome buffer * @cache: log-based polynomial representation buffer @@ -57,7 +57,7 @@ struct bch_control { uint16_t *a_log_tab; uint32_t *mod8_tab; uint32_t *ecc_buf; - uint32_t *ecc_buf2; + uint32_t *ecc_work; unsigned int *xi_tab; unsigned int *syn; int *cache; diff --git a/lib/bch.c b/lib/bch.c index bc89dfe4d1b3..f14eac93ecc4 100644 --- a/lib/bch.c +++ b/lib/bch.c @@ -78,10 +78,12 @@ #define GF_M(_p) (CONFIG_BCH_CONST_M) #define GF_T(_p) (CONFIG_BCH_CONST_T) #define GF_N(_p) ((1 << (CONFIG_BCH_CONST_M))-1) +#define BCH_MAX_M (CONFIG_BCH_CONST_M) #else #define GF_M(_p) ((_p)->m) #define GF_T(_p) ((_p)->t) #define GF_N(_p) ((_p)->n) +#define BCH_MAX_M 15 #endif #define BCH_ECC_WORDS(_p) DIV_ROUND_UP(GF_M(_p)*GF_T(_p), 32) @@ -187,7 +189,7 @@ void encode_bch(struct bch_control *bch, const uint8_t *data, const unsigned int l = BCH_ECC_WORDS(bch)-1; unsigned int i, mlen; unsigned long m; - uint32_t w, r[l+1]; + uint32_t w; const uint32_t * const tab0 = bch->mod8_tab; const uint32_t * const tab1 = tab0 + 256*(l+1); const uint32_t * const tab2 = tab1 + 256*(l+1); @@ -198,7 +200,7 @@ void encode_bch(struct bch_control *bch, const uint8_t *data, /* load ecc parity bytes into internal 32-bit buffer */ load_ecc8(bch, bch->ecc_buf, ecc); } else { - memset(bch->ecc_buf, 0, sizeof(r)); + memset(bch->ecc_work, 0, bch->ecc_bytes); } /* process first unaligned data bytes */ @@ -215,7 +217,7 @@ void encode_bch(struct bch_control *bch, const uint8_t *data, mlen = len/4; data += 4*mlen; len -= 4*mlen; - memcpy(r, bch->ecc_buf, sizeof(r)); + memcpy(bch->ecc_work, bch->ecc_buf, bch->ecc_bytes); /* * split each 32-bit word into 4 polynomials of weight 8 as follows: @@ -229,6 +231,8 @@ void encode_bch(struct bch_control *bch, const uint8_t *data, * xxxxxxxx yyyyyyyy zzzzzzzz tttttttt mod g = r0^r1^r2^r3 */ while (mlen--) { + uint32_t *r = bch->ecc_work; + /* input data is read in big-endian format */ w = r[0]^cpu_to_be32(*pdata++); p0 = tab0 + (l+1)*((w >> 0) & 0xff); @@ -241,7 +245,7 @@ void encode_bch(struct bch_control *bch, const uint8_t *data, r[l] = p0[l]^p1[l]^p2[l]^p3[l]; } - memcpy(bch->ecc_buf, r, sizeof(r)); + memcpy(bch->ecc_buf, bch->ecc_work, bch->ecc_bytes); /* process last unaligned bytes */ if (len) @@ -434,7 +438,7 @@ static int solve_linear_system(struct bch_control *bch, unsigned int *rows, { const int m = GF_M(bch); unsigned int tmp, mask; - int rem, c, r, p, k, param[m]; + int rem, c, r, p, k, param[BCH_MAX_M]; k = 0; mask = 1 << m; @@ -1009,10 +1013,10 @@ int decode_bch(struct bch_control *bch, const uint8_t *data, unsigned int len, } /* load received ecc or assume it was XORed in calc_ecc */ if (recv_ecc) { - load_ecc8(bch, bch->ecc_buf2, recv_ecc); + load_ecc8(bch, bch->ecc_work, recv_ecc); /* XOR received and calculated ecc */ for (i = 0, sum = 0; i < (int)ecc_words; i++) { - bch->ecc_buf[i] ^= bch->ecc_buf2[i]; + bch->ecc_buf[i] ^= bch->ecc_work[i]; sum |= bch->ecc_buf[i]; } if (!sum) @@ -1114,7 +1118,7 @@ static int build_deg2_base(struct bch_control *bch) { const int m = GF_M(bch); int i, j, r; - unsigned int sum, x, y, remaining, ak = 0, xi[m]; + unsigned int sum, x, y, remaining, ak = 0, xi[BCH_MAX_M]; /* find k s.t. Tr(a^k) = 1 and 0 <= k < m */ for (i = 0; i < m; i++) { @@ -1254,7 +1258,6 @@ struct bch_control *init_bch(int m, int t, unsigned int prim_poly) struct bch_control *bch = NULL; const int min_m = 5; - const int max_m = 15; /* default primitive polynomials */ static const unsigned int prim_poly_tab[] = { @@ -1270,7 +1273,7 @@ struct bch_control *init_bch(int m, int t, unsigned int prim_poly) goto fail; } #endif - if ((m < min_m) || (m > max_m)) + if ((m < min_m) || (m > BCH_MAX_M)) /* * values of m greater than 15 are not currently supported; * supporting m > 15 would require changing table base type @@ -1300,7 +1303,7 @@ struct bch_control *init_bch(int m, int t, unsigned int prim_poly) bch->a_log_tab = bch_alloc((1+bch->n)*sizeof(*bch->a_log_tab), &err); bch->mod8_tab = bch_alloc(words*1024*sizeof(*bch->mod8_tab), &err); bch->ecc_buf = bch_alloc(words*sizeof(*bch->ecc_buf), &err); - bch->ecc_buf2 = bch_alloc(words*sizeof(*bch->ecc_buf2), &err); + bch->ecc_work = bch_alloc(words*sizeof(*bch->ecc_work), &err); bch->xi_tab = bch_alloc(m*sizeof(*bch->xi_tab), &err); bch->syn = bch_alloc(2*t*sizeof(*bch->syn), &err); bch->cache = bch_alloc(2*t*sizeof(*bch->cache), &err); @@ -1349,7 +1352,7 @@ void free_bch(struct bch_control *bch) kfree(bch->a_log_tab); kfree(bch->mod8_tab); kfree(bch->ecc_buf); - kfree(bch->ecc_buf2); + kfree(bch->ecc_work); kfree(bch->xi_tab); kfree(bch->syn); kfree(bch->cache); -- 2.17.0 -- Kees Cook Pixel Security
