On Mon, Feb 03, 2025 at 05:13:28PM +0100, Greg Kroah-Hartman wrote: > On Mon, Feb 03, 2025 at 06:05:19PM +0200, Andy Shevchenko wrote: ... > > > > > + faux_obj = kzalloc(sizeof(*faux_obj) + strlen(name) + 1, GFP_KERNEL); > > > > > > > > Potential overflow. To avoid one may use struct_size() from overflow.h. > > > > > > Users should not be providing the string here. Again, this comes from > > > platform.c. > > > > I'm not sure I follow. The name parameter is not limited anyhow, so one may > > provide non-terminated string and strlen() will return an arbitrary number. > > Potentially this can lead to big numbers and become an overflow when gets > > to a parameter for kmalloc(). This most likely never happen in real life, > > but still the overflow is possible. > > I've now bounded at 256, because really, who needs a bigger name for a > device than that :) Works for me! With printable ASCII characters it can be estimated as up to 64^256 combinations, which "ought to be enough for everybody" (of course it will be much less if we count only human-readable strings). :-) -- With Best Regards, Andy Shevchenko
