Skip to content

Commit e6e097f

Browse files
keeskees
committed
sparc64: viohs: Remove VLA usage
In the quest to remove all stack VLA usage from the kernel[1], this allocates a fixed size array for the maximum number of cookies and adds a runtime sanity check. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1 RqZWA@mail.gmail.com Cc: "David S. Miller" <davem@davemloft.net> Cc: Allen Pais <allen.pais@oracle.com> Cc: Philippe Ombredanne <pombredanne@nexb.com> Cc: sparclinux@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
1 parent 5736184 commit e6e097f

File tree

1 file changed

+9
-3
lines changed

1 file changed

+9
-3
lines changed

arch/sparc/kernel/viohs.c

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -180,11 +180,17 @@ static int send_dreg(struct vio_driver_state *vio)
180180
struct vio_dring_register pkt;
181181
char all[sizeof(struct vio_dring_register) +
182182
(sizeof(struct ldc_trans_cookie) *
183-
dr->ncookies)];
183+
VIO_MAX_RING_COOKIES)];
184184
} u;
185+
size_t bytes = sizeof(struct vio_dring_register) +
186+
(sizeof(struct ldc_trans_cookie) *
187+
dr->ncookies);
185188
int i;
186189

187-
memset(&u, 0, sizeof(u));
190+
if (WARN_ON(bytes > sizeof(u)))
191+
return -EINVAL;
192+
193+
memset(&u, 0, bytes);
188194
init_tag(&u.pkt.tag, VIO_TYPE_CTRL, VIO_SUBTYPE_INFO, VIO_DRING_REG);
189195
u.pkt.dring_ident = 0;
190196
u.pkt.num_descr = dr->num_entries;
@@ -206,7 +212,7 @@ static int send_dreg(struct vio_driver_state *vio)
206212
(unsigned long long) u.pkt.cookies[i].cookie_size);
207213
}
208214

209-
return send_ctrl(vio, &u.pkt.tag, sizeof(u));
215+
return send_ctrl(vio, &u.pkt.tag, bytes);
210216
}
211217

212218
static int send_rdx(struct vio_driver_state *vio)

0 commit comments

Comments
 (0)