Re: [PATCH] USB: wusbcore: crypto: Remove VLA usage

Fri, 16 Mar 2018 06:43:15 -0700
I just discovered an issue with this patch. Please, drop it. I'll send v2 shortly. 

Thanks
--
Gustavo

On 03/16/2018 08:01 AM, Gustavo A. R. Silva wrote:

In preparation to enabling -Wvla, remove VLA and replace it
with dynamic memory allocation instead.

The use of stack Variable Length Arrays needs to be avoided, as they
can be a vector for stack exhaustion, which can be both a runtime bug
or a security flaw. Also, in general, as code evolves it is easy to
lose track of how big a VLA can get. Thus, we can end up having runtime
failures that are hard to debug.

Also, fixed as part of the directive to remove all VLAs from
the kernel: https://lkml.org/lkml/2018/3/7/621

Notice that in this particular case, an alternative to kzalloc is kcalloc,
in which case the code would look as follows instead:

iv = kcalloc(crypto_skcipher_ivsize(tfm_cbc), sizeof(*iv), GFP_KERNEL);

but if the data type of _iv_ never changes, or the type size is always one
byte, kzalloc is good enough.

Signed-off-by: Gustavo A. R. Silva <gust...@embeddedor.com>
---
  drivers/usb/wusbcore/crypto.c | 11 +++++++----
  1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/wusbcore/crypto.c b/drivers/usb/wusbcore/crypto.c
index 4c00be2d..3511473 100644
--- a/drivers/usb/wusbcore/crypto.c
+++ b/drivers/usb/wusbcore/crypto.c
@@ -202,7 +202,7 @@ static int wusb_ccm_mac(struct crypto_skcipher *tfm_cbc,
        struct scatterlist sg[4], sg_dst;
        void *dst_buf;
        size_t dst_size;
-       u8 iv[crypto_skcipher_ivsize(tfm_cbc)];
+       u8 *iv;
        size_t zero_padding;

  
  	/*

@@ -222,9 +222,11 @@ static int wusb_ccm_mac(struct crypto_skcipher *tfm_cbc,
                zero_padding;
        dst_buf = kzalloc(dst_size, GFP_KERNEL);
        if (!dst_buf)
-               goto error_dst_buf;
+               goto error_alloc;

  
-	memset(iv, 0, sizeof(iv));

+       iv = kzalloc(crypto_skcipher_ivsize(tfm_cbc), GFP_KERNEL);
+       if (!iv)
+               goto error_alloc;

  
  	/* Setup B0 */

        scratch->b0.flags = 0x59;    /* Format B0 */
@@ -276,8 +278,9 @@ static int wusb_ccm_mac(struct crypto_skcipher *tfm_cbc,
        bytewise_xor(mic, &scratch->ax, iv, 8);
        result = 8;
  error_cbc_crypt:
+       kfree(iv);
        kfree(dst_buf);
-error_dst_buf:
+error_alloc:
        return result;
  }

  




--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html






















					Reply via email to