On Wed, Jun 20, 2018 at 11:28:40AM -0700, Kees Cook wrote: > In the quest to remove all stack VLA usage from the kernel[1], this > uses the maximum buffer size and adds a sanity check. > > [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@xxxxxxxxxxxxxx > > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> > --- > drivers/usb/typec/tps6598x.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/typec/tps6598x.c b/drivers/usb/typec/tps6598x.c > index 4b4c8d271b27..396193f85e6d 100644 > --- a/drivers/usb/typec/tps6598x.c > +++ b/drivers/usb/typec/tps6598x.c > @@ -81,12 +81,17 @@ struct tps6598x { > struct typec_capability typec_cap; > }; > > +#define TPS_MAX_LEN sizeof(u64) That is not big enough. The registers of this chip can be as big as 64 bytes. The identity register alone is 25 bytes, so the above would make the driver fail quite fast. Can you set the maximum to 64? #define TPS_MAX_LEN 64 > static int > tps6598x_block_read(struct tps6598x *tps, u8 reg, void *val, size_t len) > { > - u8 data[len + 1]; > + u8 data[TPS_MAX_LEN + 1]; > int ret; > > + if (WARN_ON(len + 1 > sizeof(data))) > + return -EINVAL; > + > if (!tps->i2c_protocol) > return regmap_raw_read(tps->regmap, reg, val, len); Thanks, -- heikki -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html