[PATCH] drm/i2c: tda9950: Remove VLA usage

Kees Cook keescook at chromium.org
Tue Jul 17 04:02:33 UTC 2018


On Wed, Jun 20, 2018 at 11:27 AM, Kees Cook <keescook at chromium.org> wrote:
> In the quest to remove all stack VLA usage from the kernel[1], this
> sets the buffer to maximum size and adds a sanity check.
>
> [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
>
> Signed-off-by: Kees Cook <keescook at chromium.org>

Friendly ping! Who's tree should this go through?

Thanks!

-Kees

> ---
>  drivers/gpu/drm/i2c/tda9950.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i2c/tda9950.c b/drivers/gpu/drm/i2c/tda9950.c
> index 3f7396caad48..28314433c351 100644
> --- a/drivers/gpu/drm/i2c/tda9950.c
> +++ b/drivers/gpu/drm/i2c/tda9950.c
> @@ -76,9 +76,12 @@ struct tda9950_priv {
>  static int tda9950_write_range(struct i2c_client *client, u8 addr, u8 *p, int cnt)
>  {
>         struct i2c_msg msg;
> -       u8 buf[cnt + 1];
> +       u8 buf[CEC_MAX_MSG_SIZE + 3];
>         int ret;
>
> +       if (WARN_ON(cnt > sizeof(buf)))
> +               return -EINVAL;
> +
>         buf[0] = addr;
>         memcpy(buf + 1, p, cnt);
>
> --
> 2.17.1
>
>
> --
> Kees Cook
> Pixel Security



-- 
Kees Cook
Pixel Security


More information about the dri-devel mailing list