Re: [PATCH] usb: typec: tps6598x: Remove VLA usage
From: Heikki Krogerus
Date: Thu Jun 21 2018 - 06:00:13 EST
On Wed, Jun 20, 2018 at 11:28:40AM -0700, Kees Cook wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> uses the maximum buffer size and adds a sanity check.
>
> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@xxxxxxxxxxxxxx
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
> drivers/usb/typec/tps6598x.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/typec/tps6598x.c b/drivers/usb/typec/tps6598x.c
> index 4b4c8d271b27..396193f85e6d 100644
> --- a/drivers/usb/typec/tps6598x.c
> +++ b/drivers/usb/typec/tps6598x.c
> @@ -81,12 +81,17 @@ struct tps6598x {
> struct typec_capability typec_cap;
> };
>
> +#define TPS_MAX_LEN sizeof(u64)
That is not big enough. The registers of this chip can be as big as 64
bytes. The identity register alone is 25 bytes, so the above would
make the driver fail quite fast. Can you set the maximum to 64?
#define TPS_MAX_LEN 64
> static int
> tps6598x_block_read(struct tps6598x *tps, u8 reg, void *val, size_t len)
> {
> - u8 data[len + 1];
> + u8 data[TPS_MAX_LEN + 1];
> int ret;
>
> + if (WARN_ON(len + 1 > sizeof(data)))
> + return -EINVAL;
> +
> if (!tps->i2c_protocol)
> return regmap_raw_read(tps->regmap, reg, val, len);
Thanks,
--
heikki