ARM: orion: avoid VLA in orion_mpp_conf

Message ID 20181005161601.875388-1-arnd@arndb.de
State Accepted
Commit d4f79cb872bd4faa44eb133c1aee5f3411342c54
Headers show
Series
  • ARM: orion: avoid VLA in orion_mpp_conf
Related show

Commit Message

Arnd Bergmann Oct. 5, 2018, 4:15 p.m.
Testing randconfig builds found an instance of a VLA that was
missed when determining that we have removed them all:

arch/arm/plat-orion/mpp.c: In function 'orion_mpp_conf':
arch/arm/plat-orion/mpp.c:31:2: error: ISO C90 forbids variable length array 'mpp_ctrl' [-Werror=vla]

This one is fairly straightforward: we know what all three
callers are, and the maximum length is not very long.

Fixes: 68664695ae57 ("Makefile: Globally enable VLA warning")
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>

---
 arch/arm/plat-orion/mpp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

-- 
2.18.0

Comments

Andrew Lunn Oct. 5, 2018, 4:26 p.m. | #1
On Fri, Oct 05, 2018 at 06:15:49PM +0200, Arnd Bergmann wrote:
> Testing randconfig builds found an instance of a VLA that was

> missed when determining that we have removed them all:

> 

> arch/arm/plat-orion/mpp.c: In function 'orion_mpp_conf':

> arch/arm/plat-orion/mpp.c:31:2: error: ISO C90 forbids variable length array 'mpp_ctrl' [-Werror=vla]

> 

> This one is fairly straightforward: we know what all three

> callers are, and the maximum length is not very long.

> 

> Fixes: 68664695ae57 ("Makefile: Globally enable VLA warning")

> Cc: Kees Cook <keescook@chromium.org>

> Signed-off-by: Arnd Bergmann <arnd@arndb.de>


Reviewed-by: Andrew Lunn <andrew@lunn.ch>


Hi Arnd

Do you want this to go via the mvebu tree? Or you can take it direct
into arm-soc. There have not been any patches to orion5x, dove or
mv78xx0 for a long time, so there won't be any merge conflicts.

Thanks

    Andrew
Kees Cook Oct. 5, 2018, 4:33 p.m. | #2
On Fri, Oct 5, 2018 at 9:15 AM, Arnd Bergmann <arnd@arndb.de> wrote:
> Testing randconfig builds found an instance of a VLA that was

> missed when determining that we have removed them all:

>

> arch/arm/plat-orion/mpp.c: In function 'orion_mpp_conf':

> arch/arm/plat-orion/mpp.c:31:2: error: ISO C90 forbids variable length array 'mpp_ctrl' [-Werror=vla]


Ah! Thanks for catching this. It seems "allmodconfig" isn't quite "all". ;)

> This one is fairly straightforward: we know what all three

> callers are, and the maximum length is not very long.

>

> Fixes: 68664695ae57 ("Makefile: Globally enable VLA warning")

> Cc: Kees Cook <keescook@chromium.org>

> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

> ---

>  arch/arm/plat-orion/mpp.c | 7 ++++++-

>  1 file changed, 6 insertions(+), 1 deletion(-)

>

> diff --git a/arch/arm/plat-orion/mpp.c b/arch/arm/plat-orion/mpp.c

> index 5b4ff9373c89..8a6880d528b6 100644

> --- a/arch/arm/plat-orion/mpp.c

> +++ b/arch/arm/plat-orion/mpp.c

> @@ -28,10 +28,15 @@ void __init orion_mpp_conf(unsigned int *mpp_list, unsigned int variant_mask,

>                            unsigned int mpp_max, void __iomem *dev_bus)


arch/arm/mach-dove/mpp.c:       orion_mpp_conf(mpp_list, 0, MPP_MAX,
DOVE_MPP_VIRT_BASE);
arch/arm/mach-dove/mpp.c-
--
arch/arm/mach-mv78xx0/mpp.c:    orion_mpp_conf(mpp_list, mv78xx0_variant(),
arch/arm/mach-mv78xx0/mpp.c-                   MPP_MAX, DEV_BUS_VIRT_BASE);
--
arch/arm/mach-orion5x/mpp.c:    orion_mpp_conf(mpp_list, orion5x_variant(),
arch/arm/mach-orion5x/mpp.c-                   MPP_MAX,
ORION5X_DEV_BUS_VIRT_BASE);

arch/arm/mach-dove/mpp.h:#define MPP_MAX                        23
arch/arm/mach-mv78xx0/mpp.h:#define MPP_MAX            49
arch/arm/mach-orion5x/mpp.h:#define MPP_MAX                     19

>  {

>         unsigned int mpp_nr_regs = (1 + mpp_max/8);

> -       u32 mpp_ctrl[mpp_nr_regs];

> +       u32 mpp_ctrl[8];


Largest possible is 1 + 49 / 8 == 7. But 8 makes it nice an round. :)

Reviewed-by: Kees Cook <keescook@chromium.org>


>         int i;

>

>         printk(KERN_DEBUG "initial MPP regs:");

> +       if (mpp_nr_regs > ARRAY_SIZE(mpp_ctrl)) {

> +               printk(KERN_ERR "orion_mpp_conf: invalid mpp_max\n");

> +               return;

> +       }

> +

>         for (i = 0; i < mpp_nr_regs; i++) {

>                 mpp_ctrl[i] = readl(mpp_ctrl_addr(i, dev_bus));

>                 printk(" %08x", mpp_ctrl[i]);

> --

> 2.18.0

>


-Kees

-- 
Kees Cook
Pixel Security
Olof Johansson Nov. 2, 2018, 6:28 p.m. | #3
On Fri, Oct 05, 2018 at 09:33:28AM -0700, Kees Cook wrote:
> On Fri, Oct 5, 2018 at 9:15 AM, Arnd Bergmann <arnd@arndb.de> wrote:

> > Testing randconfig builds found an instance of a VLA that was

> > missed when determining that we have removed them all:

> >

> > arch/arm/plat-orion/mpp.c: In function 'orion_mpp_conf':

> > arch/arm/plat-orion/mpp.c:31:2: error: ISO C90 forbids variable length array 'mpp_ctrl' [-Werror=vla]

> 

> Ah! Thanks for catching this. It seems "allmodconfig" isn't quite "all". ;)

> 

> > This one is fairly straightforward: we know what all three

> > callers are, and the maximum length is not very long.

> >

> > Fixes: 68664695ae57 ("Makefile: Globally enable VLA warning")

> > Cc: Kees Cook <keescook@chromium.org>

> > Signed-off-by: Arnd Bergmann <arnd@arndb.de>

> > ---

> >  arch/arm/plat-orion/mpp.c | 7 ++++++-

> >  1 file changed, 6 insertions(+), 1 deletion(-)

> >

> > diff --git a/arch/arm/plat-orion/mpp.c b/arch/arm/plat-orion/mpp.c

> > index 5b4ff9373c89..8a6880d528b6 100644

> > --- a/arch/arm/plat-orion/mpp.c

> > +++ b/arch/arm/plat-orion/mpp.c

> > @@ -28,10 +28,15 @@ void __init orion_mpp_conf(unsigned int *mpp_list, unsigned int variant_mask,

> >                            unsigned int mpp_max, void __iomem *dev_bus)

> 

> arch/arm/mach-dove/mpp.c:       orion_mpp_conf(mpp_list, 0, MPP_MAX,

> DOVE_MPP_VIRT_BASE);

> arch/arm/mach-dove/mpp.c-

> --

> arch/arm/mach-mv78xx0/mpp.c:    orion_mpp_conf(mpp_list, mv78xx0_variant(),

> arch/arm/mach-mv78xx0/mpp.c-                   MPP_MAX, DEV_BUS_VIRT_BASE);

> --

> arch/arm/mach-orion5x/mpp.c:    orion_mpp_conf(mpp_list, orion5x_variant(),

> arch/arm/mach-orion5x/mpp.c-                   MPP_MAX,

> ORION5X_DEV_BUS_VIRT_BASE);

> 

> arch/arm/mach-dove/mpp.h:#define MPP_MAX                        23

> arch/arm/mach-mv78xx0/mpp.h:#define MPP_MAX            49

> arch/arm/mach-orion5x/mpp.h:#define MPP_MAX                     19

> 

> >  {

> >         unsigned int mpp_nr_regs = (1 + mpp_max/8);

> > -       u32 mpp_ctrl[mpp_nr_regs];

> > +       u32 mpp_ctrl[8];

> 

> Largest possible is 1 + 49 / 8 == 7. But 8 makes it nice an round. :)

> 

> Reviewed-by: Kees Cook <keescook@chromium.org>


Applied, thanks!


-Olof

Patch

diff --git a/arch/arm/plat-orion/mpp.c b/arch/arm/plat-orion/mpp.c
index 5b4ff9373c89..8a6880d528b6 100644
--- a/arch/arm/plat-orion/mpp.c
+++ b/arch/arm/plat-orion/mpp.c
@@ -28,10 +28,15 @@  void __init orion_mpp_conf(unsigned int *mpp_list, unsigned int variant_mask,
 			   unsigned int mpp_max, void __iomem *dev_bus)
 {
 	unsigned int mpp_nr_regs = (1 + mpp_max/8);
-	u32 mpp_ctrl[mpp_nr_regs];
+	u32 mpp_ctrl[8];
 	int i;
 
 	printk(KERN_DEBUG "initial MPP regs:");
+	if (mpp_nr_regs > ARRAY_SIZE(mpp_ctrl)) {
+		printk(KERN_ERR "orion_mpp_conf: invalid mpp_max\n");
+		return;
+	}
+
 	for (i = 0; i < mpp_nr_regs; i++) {
 		mpp_ctrl[i] = readl(mpp_ctrl_addr(i, dev_bus));
 		printk(" %08x", mpp_ctrl[i]);