In the quest to remove all stack VLA usage from the kernel[1], this
uses the maximum allocation size for the stack and adds a sanity check,
similar to what has already been done for the regular rave-sp driver.

[1] 
https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com

Signed-off-by: Kees Cook <keesc...@chromium.org>
---
 drivers/nvmem/rave-sp-eeprom.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/nvmem/rave-sp-eeprom.c b/drivers/nvmem/rave-sp-eeprom.c
index 50aeea6ec6cc..66699d44f73d 100644
--- a/drivers/nvmem/rave-sp-eeprom.c
+++ b/drivers/nvmem/rave-sp-eeprom.c
@@ -35,6 +35,7 @@ enum rave_sp_eeprom_header_size {
        RAVE_SP_EEPROM_HEADER_SMALL = 4U,
        RAVE_SP_EEPROM_HEADER_BIG   = 5U,
 };
+#define RAVE_SP_EEPROM_HEADER_MAX      RAVE_SP_EEPROM_HEADER_BIG
 
 #define        RAVE_SP_EEPROM_PAGE_SIZE        32U
 
@@ -97,9 +98,12 @@ static int rave_sp_eeprom_io(struct rave_sp_eeprom *eeprom,
        const unsigned int rsp_size =
                is_write ? sizeof(*page) - sizeof(page->data) : sizeof(*page);
        unsigned int offset = 0;
-       u8 cmd[cmd_size];
+       u8 cmd[RAVE_SP_EEPROM_HEADER_MAX + sizeof(page->data)];
        int ret;
 
+       if (WARN_ON(cmd_size > sizeof(cmd)))
+               return -EINVAL;
+
        cmd[offset++] = eeprom->address;
        cmd[offset++] = 0;
        cmd[offset++] = type;
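Review bot: The `WARN_ON(cmd_size > sizeof(cmd))` guard runs on every call of rave_sp_eeprom_io(), so if the size invariant were ever broken each transfer would log a fresh backtrace; `if (WARN_ON_ONCE(cmd_size > sizeof(cmd)))` keeps the diagnostic and the `-EINVAL` return without flooding the log. With the fixed-size array, cmd can now be longer than the message actually built (cmd_size is computed above the hunk), so the bytes past cmd_size are uninitialised stack; the send call further down, outside this hunk, has to keep passing cmd_size rather than sizeof(cmd). A short comment above the check, e.g. `/* cmd[] is sized for the largest header plus a full page of data */`, would record why the bound is expected to hold. The function body starts before and continues after the hunk.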
-- 
2.17.1


-- 
Kees Cook
Pixel Security
