On 4 May 2016 at 14:12, Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, 03 May, at 05:58:18PM, Ard Biesheuvel wrote:
>>
>> Well, I suppose we could simply allocate the pointer array and the
>> single member statically, i.e.,
>>
>> efi_capsule_header_t capsule1;
>> efi_capsule_header_t *capsule[] = { &capsule1 };
>>
>> That way, we can get rid of the heap allocation entirely, and we take
>> the address of the array, i.e., without the &
>
> This?
>
Yes, that looks correct to me, although I haven't tried to compile it.
Acked-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> ---
>
> From cc80265af2073e99627933d9a2192a175dddaca0 Mon Sep 17 00:00:00 2001
> From: Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx>
> Date: Wed, 4 May 2016 12:52:06 +0100
> Subject: [PATCH] efi/capsule: Move 'capsule' to the stack in
> efi_capsule_supported()
>
> Dan reports that passing the address of the pointer to the kmalloc()'d
> memory for 'capsule' is dangerous,
>
> "drivers/firmware/efi/capsule.c:109 efi_capsule_supported()
> warn: did you mean to pass the address of 'capsule'
>
> 108
> 109 status = efi.query_capsule_caps(&capsule, 1, &max_size, reset);
> ^^^^^^^^
> If we modify capsule inside this function call then at the end of the
> function we aren't freeing the original pointer that we allocated."
>
> Ard noted that we don't even need to call kmalloc() since the object
> we allocate isn't very big and doesn't need to persist after the
> function returns.
>
> Place 'capsule' on the stack instead.
>
> Suggested-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Cc: Borislav Petkov <bp@xxxxxxxxx>
> Cc: Kweh Hock Leong <hock.leong.kweh@xxxxxxxxx>
> Cc: Bryan O'Donoghue <pure.logic@xxxxxxxxxxxxxxxxx>
> Cc: joeyli <jlee@xxxxxxxx>
> Signed-off-by: Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx>
> ---
> drivers/firmware/efi/capsule.c | 29 +++++++++++------------------
> 1 file changed, 11 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/firmware/efi/capsule.c b/drivers/firmware/efi/capsule.c
> index 4703dc9b8fbd..7593108f5402 100644
> --- a/drivers/firmware/efi/capsule.c
> +++ b/drivers/firmware/efi/capsule.c
> @@ -86,33 +86,26 @@ bool efi_capsule_pending(int *reset_type)
> */
> int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
> {
> - efi_capsule_header_t *capsule;
> + efi_capsule_header_t capsule;
> + efi_capsule_header_t *cap_list[] = { &capsule };
> efi_status_t status;
> u64 max_size;
> - int rv = 0;
>
> if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK)
> return -EINVAL;
>
> - capsule = kmalloc(sizeof(*capsule), GFP_KERNEL);
> - if (!capsule)
> - return -ENOMEM;
> -
> - capsule->headersize = capsule->imagesize = sizeof(*capsule);
> - memcpy(&capsule->guid, &guid, sizeof(efi_guid_t));
> - capsule->flags = flags;
> + capsule.headersize = capsule.imagesize = sizeof(capsule);
> + memcpy(&capsule.guid, &guid, sizeof(efi_guid_t));
> + capsule.flags = flags;
>
> - status = efi.query_capsule_caps(&capsule, 1, &max_size, reset);
> - if (status != EFI_SUCCESS) {
> - rv = efi_status_to_err(status);
> - goto out;
> - }
> + status = efi.query_capsule_caps(cap_list, 1, &max_size, reset);
> + if (status != EFI_SUCCESS)
> + return efi_status_to_err(status);
>
> if (size > max_size)
> - rv = -ENOSPC;
> -out:
> - kfree(capsule);
> - return rv;
> + return -ENOSPC;
> +
> + return 0;
> }
> EXPORT_SYMBOL_GPL(efi_capsule_supported);
>
> --
> 2.7.3
>
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
