From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Kees Cook Subject: [PATCH] drm/nouveau/secboot/acr: Remove VLA usage Date: Thu, 24 May 2018 10:24:36 -0700 Message-ID: <20180524172436.GA17738@beast> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Return-path: Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: nouveau-bounces-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org Sender: "Nouveau" Cc: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org, Alexandre Courbot , linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org List-Id: nouveau.vger.kernel.org SW4gdGhlIHF1ZXN0IHRvIHJlbW92ZSBhbGwgc3RhY2sgVkxBIHVzYWdlIGZyb20gdGhlIGtlcm5l bFsxXSwgdGhpcwphbGxvY2F0ZXMgdGhlIHdvcmtpbmcgYnVmZmVycyBiZWZvcmUgc3RhcnRpbmcg dGhlIHdyaXRpbmcgc28gaXQgd29uJ3QKYWJvcnQgaW4gdGhlIG1pZGRsZS4gVGhpcyBuZWVkcyBh biBpbml0aWFsIHdhbGsgb2YgdGhlIGxpc3RzIHRvIGZpZ3VyZQpvdXQgaG93IGxhcmdlIHRoZSBi dWZmZXIgc2hvdWxkIGJlLgoKWzFdIGh0dHBzOi8vbGttbC5rZXJuZWwub3JnL3IvQ0ErNTVhRnpD Ry16Tm1ad1g0QTJGUXBhZGFmTGZFeks2Q0M9cVBYeWRBYWNVMVJxWldBQG1haWwuZ21haWwuY29t CgpTaWduZWQtb2ZmLWJ5OiBLZWVzIENvb2sgPGtlZXNjb29rQGNocm9taXVtLm9yZz4KLS0tCiAu Li4vbm91dmVhdS9udmttL3N1YmRldi9zZWNib290L2Fjcl9yMzUyLmMgICAgfCAyNSArKysrKysr KysrKysrKysrLS0tCiAuLi4vbm91dmVhdS9udmttL3N1YmRldi9zZWNib290L2Fjcl9yMzY3LmMg ICAgfCAxNiArKysrKysrKysrKy0KIDIgZmlsZXMgY2hhbmdlZCwgMzcgaW5zZXJ0aW9ucygrKSwg NCBkZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9kcml2ZXJzL2dwdS9kcm0vbm91dmVhdS9udmtt L3N1YmRldi9zZWNib290L2Fjcl9yMzUyLmMgYi9kcml2ZXJzL2dwdS9kcm0vbm91dmVhdS9udmtt L3N1YmRldi9zZWNib290L2Fjcl9yMzUyLmMKaW5kZXggYTcyMTM1NDI0OWNlLi5kMDJlMTgzNzE3 ZGMgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvZ3B1L2RybS9ub3V2ZWF1L252a20vc3ViZGV2L3NlY2Jv b3QvYWNyX3IzNTIuYworKysgYi9kcml2ZXJzL2dwdS9kcm0vbm91dmVhdS9udmttL3N1YmRldi9z ZWNib290L2Fjcl9yMzUyLmMKQEAgLTQxNCw2ICs0MTQsMjAgQEAgYWNyX3IzNTJfbHNfd3JpdGVf d3ByKHN0cnVjdCBhY3JfcjM1MiAqYWNyLCBzdHJ1Y3QgbGlzdF9oZWFkICppbWdzLAogewogCXN0 
cnVjdCBsc191Y29kZV9pbWcgKl9pbWc7CiAJdTMyIHBvcyA9IDA7CisJdTMyIG1heF9kZXNjX3Np emUgPSAwOworCXU4ICpnZGVzYzsKKworCS8qIEZpZ3VyZSBvdXQgaG93IGxhcmdlIHdlIG5lZWQg Z2Rlc2MgdG8gYmUuICovCisJbGlzdF9mb3JfZWFjaF9lbnRyeShfaW1nLCBpbWdzLCBub2RlKSB7 CisJCWNvbnN0IHN0cnVjdCBhY3JfcjM1Ml9sc19mdW5jICpsc19mdW5jID0KKwkJCQkJICAgIGFj ci0+ZnVuYy0+bHNfZnVuY1tfaW1nLT5mYWxjb25faWRdOworCisJCW1heF9kZXNjX3NpemUgPSBt YXgobWF4X2Rlc2Nfc2l6ZSwgbHNfZnVuYy0+YmxfZGVzY19zaXplKTsKKwl9CisKKwlnZGVzYyA9 IGttYWxsb2MobWF4X2Rlc2Nfc2l6ZSwgR0ZQX0tFUk5FTCk7CisJaWYgKCFnZGVzYykKKwkJcmV0 dXJuIC1FTk9NRU07CiAKIAludmttX2ttYXAod3ByX2Jsb2IpOwogCkBAIC00MjEsNyArNDM1LDYg QEAgYWNyX3IzNTJfbHNfd3JpdGVfd3ByKHN0cnVjdCBhY3JfcjM1MiAqYWNyLCBzdHJ1Y3QgbGlz dF9oZWFkICppbWdzLAogCQlzdHJ1Y3QgbHNfdWNvZGVfaW1nX3IzNTIgKmltZyA9IGxzX3Vjb2Rl X2ltZ19yMzUyKF9pbWcpOwogCQljb25zdCBzdHJ1Y3QgYWNyX3IzNTJfbHNfZnVuYyAqbHNfZnVu YyA9CiAJCQkJCSAgICBhY3ItPmZ1bmMtPmxzX2Z1bmNbX2ltZy0+ZmFsY29uX2lkXTsKLQkJdTgg Z2Rlc2NbbHNfZnVuYy0+YmxfZGVzY19zaXplXTsKIAogCQludmttX2dwdW9ial9tZW1jcHlfdG8o d3ByX2Jsb2IsIHBvcywgJmltZy0+d3ByX2hlYWRlciwKIAkJCQkgICAgICBzaXplb2YoaW1nLT53 cHJfaGVhZGVyKSk7CkBAIC00NDcsNiArNDYwLDggQEAgYWNyX3IzNTJfbHNfd3JpdGVfd3ByKHN0 cnVjdCBhY3JfcjM1MiAqYWNyLCBzdHJ1Y3QgbGlzdF9oZWFkICppbWdzLAogCiAJbnZrbV9kb25l KHdwcl9ibG9iKTsKIAorCWtmcmVlKGdkZXNjKTsKKwogCXJldHVybiAwOwogfQogCkBAIC03NzEs NyArNzg2LDExIEBAIGFjcl9yMzUyX2xvYWQoc3RydWN0IG52a21fYWNyICpfYWNyLCBzdHJ1Y3Qg bnZrbV9mYWxjb24gKmZhbGNvbiwKIAlzdHJ1Y3QgZndfYmxfZGVzYyAqaHNibF9kZXNjOwogCXZv aWQgKmJsLCAqYmxvYl9kYXRhLCAqaHNibF9jb2RlLCAqaHNibF9kYXRhOwogCXUzMiBjb2RlX3Np emU7Ci0JdTggYmxfZGVzY1tibF9kZXNjX3NpemVdOworCXU4ICpibF9kZXNjOworCisJYmxfZGVz YyA9IGt6YWxsb2MoYmxfZGVzY19zaXplLCBHRlBfS0VSTkVMKTsKKwlpZiAoIWJsX2Rlc2MpCisJ CXJldHVybiAtRU5PTUVNOwogCiAJLyogRmluZCB0aGUgYm9vdGxvYWRlciBkZXNjcmlwdG9yIGZv ciBvdXIgYmxvYiBhbmQgY29weSBpdCAqLwogCWlmIChibG9iID09IGFjci0+bG9hZF9ibG9iKSB7 CkBAIC04MDIsNyArODIxLDYgQEAgYWNyX3IzNTJfbG9hZChzdHJ1Y3QgbnZrbV9hY3IgKl9hY3Is 
IHN0cnVjdCBudmttX2ZhbGNvbiAqZmFsY29uLAogCQkJICAgICAgY29kZV9zaXplLCBoc2JsX2Rl c2MtPnN0YXJ0X3RhZywgMCwgZmFsc2UpOwogCiAJLyogR2VuZXJhdGUgdGhlIEJMIGhlYWRlciAq LwotCW1lbXNldChibF9kZXNjLCAwLCBibF9kZXNjX3NpemUpOwogCWFjci0+ZnVuYy0+Z2VuZXJh dGVfaHNfYmxfZGVzYyhsb2FkX2hkciwgYmxfZGVzYywgb2Zmc2V0KTsKIAogCS8qCkBAIC04MTEs NiArODI5LDcgQEAgYWNyX3IzNTJfbG9hZChzdHJ1Y3QgbnZrbV9hY3IgKl9hY3IsIHN0cnVjdCBu dmttX2ZhbGNvbiAqZmFsY29uLAogCW52a21fZmFsY29uX2xvYWRfZG1lbShmYWxjb24sIGJsX2Rl c2MsIGhzYmxfZGVzYy0+ZG1lbV9sb2FkX29mZiwKIAkJCSAgICAgIGJsX2Rlc2Nfc2l6ZSwgMCk7 CiAKKwlrZnJlZShibF9kZXNjKTsKIAlyZXR1cm4gaHNibF9kZXNjLT5zdGFydF90YWcgPDwgODsK IH0KIApkaWZmIC0tZ2l0IGEvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvc2Vj Ym9vdC9hY3JfcjM2Ny5jIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvc2Vj Ym9vdC9hY3JfcjM2Ny5jCmluZGV4IDg2Njg3N2I4ODc5Ny4uOTc4YWQwNzkwMzY3IDEwMDY0NAot LS0gYS9kcml2ZXJzL2dwdS9kcm0vbm91dmVhdS9udmttL3N1YmRldi9zZWNib290L2Fjcl9yMzY3 LmMKKysrIGIvZHJpdmVycy9ncHUvZHJtL25vdXZlYXUvbnZrbS9zdWJkZXYvc2VjYm9vdC9hY3Jf cjM2Ny5jCkBAIC0yNjUsNiArMjY1LDE5IEBAIGFjcl9yMzY3X2xzX3dyaXRlX3dwcihzdHJ1Y3Qg YWNyX3IzNTIgKmFjciwgc3RydWN0IGxpc3RfaGVhZCAqaW1ncywKIHsKIAlzdHJ1Y3QgbHNfdWNv ZGVfaW1nICpfaW1nOwogCXUzMiBwb3MgPSAwOworCXUzMiBtYXhfZGVzY19zaXplID0gMDsKKwl1 OCAqZ2Rlc2M7CisKKwlsaXN0X2Zvcl9lYWNoX2VudHJ5KF9pbWcsIGltZ3MsIG5vZGUpIHsKKwkJ Y29uc3Qgc3RydWN0IGFjcl9yMzUyX2xzX2Z1bmMgKmxzX2Z1bmMgPQorCQkJCQkgICAgYWNyLT5m dW5jLT5sc19mdW5jW19pbWctPmZhbGNvbl9pZF07CisKKwkJbWF4X2Rlc2Nfc2l6ZSA9IG1heCht YXhfZGVzY19zaXplLCBsc19mdW5jLT5ibF9kZXNjX3NpemUpOworCX0KKworCWdkZXNjID0ga21h bGxvYyhtYXhfZGVzY19zaXplLCBHRlBfS0VSTkVMKTsKKwlpZiAoIWdkZXNjKQorCQlyZXR1cm4g LUVOT01FTTsKIAogCW52a21fa21hcCh3cHJfYmxvYik7CiAKQEAgLTI3Miw3ICsyODUsNiBAQCBh Y3JfcjM2N19sc193cml0ZV93cHIoc3RydWN0IGFjcl9yMzUyICphY3IsIHN0cnVjdCBsaXN0X2hl YWQgKmltZ3MsCiAJCXN0cnVjdCBsc191Y29kZV9pbWdfcjM2NyAqaW1nID0gbHNfdWNvZGVfaW1n X3IzNjcoX2ltZyk7CiAJCWNvbnN0IHN0cnVjdCBhY3JfcjM1Ml9sc19mdW5jICpsc19mdW5jID0K 
IAkJCQkJICAgIGFjci0+ZnVuYy0+bHNfZnVuY1tfaW1nLT5mYWxjb25faWRdOwotCQl1OCBnZGVz Y1tsc19mdW5jLT5ibF9kZXNjX3NpemVdOwogCiAJCW52a21fZ3B1b2JqX21lbWNweV90byh3cHJf YmxvYiwgcG9zLCAmaW1nLT53cHJfaGVhZGVyLAogCQkJCSAgICAgIHNpemVvZihpbWctPndwcl9o ZWFkZXIpKTsKQEAgLTI5OCw2ICszMTAsOCBAQCBhY3JfcjM2N19sc193cml0ZV93cHIoc3RydWN0 IGFjcl9yMzUyICphY3IsIHN0cnVjdCBsaXN0X2hlYWQgKmltZ3MsCiAKIAludmttX2RvbmUod3By X2Jsb2IpOwogCisJa2ZyZWUoZ2Rlc2MpOworCiAJcmV0dXJuIDA7CiB9CiAKLS0gCjIuMTcuMAoK Ci0tIApLZWVzIENvb2sKUGl4ZWwgU2VjdXJpdHkKX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX18KTm91dmVhdSBtYWlsaW5nIGxpc3QKTm91dmVhdUBsaXN0cy5m cmVlZGVza3RvcC5vcmcKaHR0cHM6Ly9saXN0cy5mcmVlZGVza3RvcC5vcmcvbWFpbG1hbi9saXN0 aW5mby9ub3V2ZWF1Cg== From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1034186AbeEXRYl (ORCPT ); Thu, 24 May 2018 13:24:41 -0400 Received: from mail-pl0-f66.google.com ([209.85.160.66]:42459 "EHLO mail-pl0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1031778AbeEXRYj (ORCPT ); Thu, 24 May 2018 13:24:39 -0400 X-Google-Smtp-Source: AB8JxZpFZ2Wbp6I7FE8PkE1QGpfpSxBUboxNotEMkdNl6+UpctepuvnBZeWivkffIi4E7Rt4g77jug== Date: Thu, 24 May 2018 10:24:36 -0700 
From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Alexandre Courbot , dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org Subject: [PATCH] drm/nouveau/secboot/acr: Remove VLA usage Message-ID: <20180524172436.GA17738@beast> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In the quest to remove all stack VLA usage from the kernel[1], this allocates the working buffers before starting the writing so it won't abort in the middle. This needs an initial walk of the lists to figure out how large the buffer should be. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Signed-off-by: Kees Cook --- .../nouveau/nvkm/subdev/secboot/acr_r352.c | 25 ++++++++++++++++--- .../nouveau/nvkm/subdev/secboot/acr_r367.c | 16 +++++++++++- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r352.c b/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r352.c index a721354249ce..d02e183717dc 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r352.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r352.c @@ -414,6 +414,20 @@ acr_r352_ls_write_wpr(struct acr_r352 *acr, struct list_head *imgs, { struct ls_ucode_img *_img; u32 pos = 0; + u32 max_desc_size = 0; + u8 *gdesc; + + /* Figure out how large we need gdesc to be. */ + list_for_each_entry(_img, imgs, node) { + const struct acr_r352_ls_func *ls_func = + acr->func->ls_func[_img->falcon_id]; + + max_desc_size = max(max_desc_size, ls_func->bl_desc_size); + } + + gdesc = kmalloc(max_desc_size, GFP_KERNEL); + if (!gdesc) + return -ENOMEM; nvkm_kmap(wpr_blob); 
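Review bot: `gdesc` in `acr_r352_ls_write_wpr()` is now one `kmalloc()` buffer sized for the largest descriptor and reused for every image, so it starts uninitialised and, from the second image on, still holds the previous image's descriptor bytes. The code that fills `gdesc` and copies it into `wpr_blob` is outside this hunk, so whether all `bl_desc_size` bytes are always overwritten cannot be confirmed from here; if they are not, stale heap or prior-descriptor bytes end up in the WPR blob. Use `gdesc = kzalloc(max_desc_size, GFP_KERNEL);`, as this patch already does for `bl_desc` in `acr_r352_load()`, and clear the buffer per image with `memset(gdesc, 0, ls_func->bl_desc_size);` at the top of the write loop. The identical allocation added to `acr_r367_ls_write_wpr()` needs the same treatment.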
@@ -421,7 +435,6 @@ acr_r352_ls_write_wpr(struct acr_r352 *acr, struct list_head *imgs, struct ls_ucode_img_r352 *img = ls_ucode_img_r352(_img); const struct acr_r352_ls_func *ls_func = acr->func->ls_func[_img->falcon_id]; - u8 gdesc[ls_func->bl_desc_size]; nvkm_gpuobj_memcpy_to(wpr_blob, pos, &img->wpr_header, sizeof(img->wpr_header)); @@ -447,6 +460,8 @@ acr_r352_ls_write_wpr(struct acr_r352 *acr, struct list_head *imgs, nvkm_done(wpr_blob); + kfree(gdesc); + return 0; } @@ -771,7 +786,11 @@ acr_r352_load(struct nvkm_acr *_acr, struct nvkm_falcon *falcon, struct fw_bl_desc *hsbl_desc; void *bl, *blob_data, *hsbl_code, *hsbl_data; u32 code_size; - u8 bl_desc[bl_desc_size]; + u8 *bl_desc; + + bl_desc = kzalloc(bl_desc_size, GFP_KERNEL); + if (!bl_desc) + return -ENOMEM; /* Find the bootloader descriptor for our blob and copy it */ if (blob == acr->load_blob) { @@ -802,7 +821,6 @@ acr_r352_load(struct nvkm_acr *_acr, struct nvkm_falcon *falcon, code_size, hsbl_desc->start_tag, 0, false); /* Generate the BL header */ - memset(bl_desc, 0, bl_desc_size); acr->func->generate_hs_bl_desc(load_hdr, bl_desc, offset); /* @@ -811,6 +829,7 @@ acr_r352_load(struct nvkm_acr *_acr, struct nvkm_falcon *falcon, nvkm_falcon_load_dmem(falcon, bl_desc, hsbl_desc->dmem_load_off, bl_desc_size, 0); + kfree(bl_desc); return hsbl_desc->start_tag << 8; } diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r367.c b/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r367.c index 866877b88797..978ad0790367 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r367.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r367.c 
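Review bot: In `acr_r352_load()` the new `kzalloc()` sits before the `if (blob == acr->load_blob)` selection, while the only `kfree(bl_desc);` added is on the final return, so any early return between the two leaks the buffer. The branches of that selection fall between hunks and are not shown; if one of them rejects an unrecognised blob with an error return, it needs `kfree(bl_desc);` before the `return`. Alternatively, move the allocation down to just before `generate_hs_bl_desc()`, where the removed `memset()` was, so that no failure path lies between allocation and free.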
@@ -265,6 +265,19 @@ acr_r367_ls_write_wpr(struct acr_r352 *acr, struct list_head *imgs, { struct ls_ucode_img *_img; u32 pos = 0; + u32 max_desc_size = 0; + u8 *gdesc; + + list_for_each_entry(_img, imgs, node) { + const struct acr_r352_ls_func *ls_func = + acr->func->ls_func[_img->falcon_id]; + + max_desc_size = max(max_desc_size, ls_func->bl_desc_size); + } + + gdesc = kmalloc(max_desc_size, GFP_KERNEL); + if (!gdesc) + return -ENOMEM; nvkm_kmap(wpr_blob); @@ -272,7 +285,6 @@ acr_r367_ls_write_wpr(struct acr_r352 *acr, struct list_head *imgs, struct ls_ucode_img_r367 *img = ls_ucode_img_r367(_img); const struct acr_r352_ls_func *ls_func = acr->func->ls_func[_img->falcon_id]; - u8 gdesc[ls_func->bl_desc_size]; nvkm_gpuobj_memcpy_to(wpr_blob, pos, &img->wpr_header, sizeof(img->wpr_header)); @@ -298,6 +310,8 @@ acr_r367_ls_write_wpr(struct acr_r352 *acr, struct list_head *imgs, nvkm_done(wpr_blob); + kfree(gdesc); + return 0; } -- 2.17.0 -- Kees Cook Pixel Security
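Review bot: The sizing loop added to `acr_r367_ls_write_wpr()` is a verbatim copy of the one in `acr_r352_ls_write_wpr()` but drops its explanatory comment; add `/* Figure out how large we need gdesc to be. */` above the `list_for_each_entry()` here as well. Both functions take the same `struct acr_r352 *acr` and `struct list_head *imgs`, so the walk could live in one shared helper that returns the maximum `bl_desc_size`, which would keep the two copies from drifting apart.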