The patch titled
     Subject: lib/vsprintf.c: remove accidental VLA usage
has been added to the -mm tree.  Its filename is
     vsprintf-remove-accidental-vla-usage.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/vsprintf-remove-accidental-vla-usage.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/vsprintf-remove-accidental-vla-usage.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Kees Cook <keescook@xxxxxxxxxxxx>
Subject: lib/vsprintf.c: remove accidental VLA usage

The "sym" calculation is actually a fixed size, but since the max() macro
uses some extensive tricks for safety, it ends up looking like a variable
size.  This replaces max() with a simple max macro which is sufficient for
the calculation of the array size.

Seen with -Wvla.  Fixed as part of the directive to remove all VLAs from
the kernel: https://lkml.org/lkml/2018/3/7/621

Link: http://lkml.kernel.org/r/20180307230714.GA20797@beast
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: "Tobin C. Harding" <me@xxxxxxxx>
Cc: Jonathan Corbet <corbet@xxxxxxx>
Cc: Pantelis Antoniou <pantelis.antoniou@xxxxxxxxxxxx>
Cc: Petr Mladek <pmladek@xxxxxxxx>
Cc: Sergey Senozhatsky <sergey.senozhatsky@xxxxxxxxx>
Cc: "Steven Rostedt (VMware)" <rostedt@xxxxxxxxxxx>
Cc: "Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 lib/vsprintf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff -puN lib/vsprintf.c~vsprintf-remove-accidental-vla-usage lib/vsprintf.c
--- a/lib/vsprintf.c~vsprintf-remove-accidental-vla-usage +++ a/lib/vsprintf.c @@ -754,8 +754,9 @@ char *resource_string(char *buf, char *e #define FLAG_BUF_SIZE (2 * sizeof(res->flags)) #define DECODED_BUF_SIZE sizeof("[mem - 64bit pref window disabled]") #define RAW_BUF_SIZE sizeof("[mem - flags 0x]") - char sym[max(2*RSRC_BUF_SIZE + DECODED_BUF_SIZE, - 2*RSRC_BUF_SIZE + FLAG_BUF_SIZE + RAW_BUF_SIZE)]; +#define SIMPLE_MAX(x, y) ((x) > (y) ? (x) : (y)) + char sym[SIMPLE_MAX(2*RSRC_BUF_SIZE + DECODED_BUF_SIZE, + 2*RSRC_BUF_SIZE + FLAG_BUF_SIZE + RAW_BUF_SIZE)]; char *p = sym, *pend = sym + sizeof(sym); int decode = (fmt[0] == 'R') ? 1 : 0; _

Patches currently in -mm which might be from keescook@xxxxxxxxxxxx are

bug-use-%pb-in-bug-and-stack-protector-failure.patch
bug-exclude-non-bug-warn-exceptions-from-report_bug.patch
taint-convert-to-indexed-initialization.patch
taint-consolidate-documentation.patch
taint-add-taint-for-randstruct.patch
test_bitmap-do-not-accidentally-use-stack-vla.patch
vsprintf-remove-accidental-vla-usage.patch
fork-unconditionally-clear-stack-on-fork.patch
exec-pass-stack-rlimit-into-mm-layout-functions.patch
exec-introduce-finalize_exec-before-start_thread.patch
exec-pin-stack-limit-during-exec.patch
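
Review bot: The added `#define SIMPLE_MAX(x, y) ((x) > (y) ? (x) : (y))` line, just above the `char sym[...]` declaration in resource_string(), carries no comment explaining why max() is avoided and stays defined after its single use. The -Wvla rationale exists only in the commit message, so a later cleanup could convert it back to max() and reintroduce the VLA; a one-line comment above the macro saying it is there to keep the array size a compile-time constant would prevent that. The macro also evaluates each argument twice, which is harmless for the constant operands used here but not for general expressions. Adding `#undef SIMPLE_MAX` right after the `sym` declaration (none is visible in this hunk) would keep that unsafe form from being picked up elsewhere in lib/vsprintf.c.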