[PATCH] drm/i2c: tda9950: Remove VLA usage
Kees Cook
keescook at chromium.org
Tue Jul 17 04:02:33 UTC 2018
On Wed, Jun 20, 2018 at 11:27 AM, Kees Cook <keescook at chromium.org> wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> sets the buffer to maximum size and adds a sanity check.
>
> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
>
> Signed-off-by: Kees Cook <keescook at chromium.org>
Friendly ping! Who's tree should this go through?
Thanks!
-Kees
> ---
> drivers/gpu/drm/i2c/tda9950.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i2c/tda9950.c b/drivers/gpu/drm/i2c/tda9950.c
> index 3f7396caad48..28314433c351 100644
> --- a/drivers/gpu/drm/i2c/tda9950.c
> +++ b/drivers/gpu/drm/i2c/tda9950.c
> @@ -76,9 +76,12 @@ struct tda9950_priv {
> static int tda9950_write_range(struct i2c_client *client, u8 addr, u8 *p, int cnt)
> {
> struct i2c_msg msg;
> - u8 buf[cnt + 1];
> + u8 buf[CEC_MAX_MSG_SIZE + 3];
> int ret;
>
> + if (WARN_ON(cnt > sizeof(buf)))
> + return -EINVAL;
> +
> buf[0] = addr;
> memcpy(buf + 1, p, cnt);
>
> --
> 2.17.1
>
>
> --
> Kees Cook
> Pixel Security
--
Kees Cook
Pixel Security
More information about the dri-devel
mailing list