[PATCH 30/32] usb: gadget: f_fs: Use mem_to_flex_dup() with struct ffs_buffer
Kees Cook
keescook at chromium.org
Wed May 4 01:44:39 UTC 2022
As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded a deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.
Cc: Felipe Balbi <balbi at kernel.org>
Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Cc: Eugeniu Rosca <erosca at de.adit-jv.com>
Cc: John Keeping <john at metanate.com>
Cc: Jens Axboe <axboe at kernel.dk>
Cc: Udipto Goswami <quic_ugoswami at quicinc.com>
Cc: Andrew Gabbasov <andrew_gabbasov at mentor.com>
Cc: linux-usb at vger.kernel.org
Signed-off-by: Kees Cook <keescook at chromium.org>
---
drivers/usb/gadget/function/f_fs.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 4585ee3a444a..bb0ff41dabd2 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -202,9 +202,9 @@ struct ffs_epfile {
};
struct ffs_buffer {
- size_t length;
+ DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(size_t, length);
char *data;
- char storage[];
+ DECLARE_FLEX_ARRAY_ELEMENTS(char, storage);
};
/* ffs_io_data structure ***************************************************/
@@ -905,7 +905,7 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile,
void *data, int data_len,
struct iov_iter *iter)
{
- struct ffs_buffer *buf;
+ struct ffs_buffer *buf = NULL;
ssize_t ret = copy_to_iter(data, data_len, iter);
if (data_len == ret)
@@ -919,12 +919,9 @@ static ssize_t __ffs_epfile_read_data(struct ffs_epfile *epfile,
data_len, ret);
data_len -= ret;
- buf = kmalloc(struct_size(buf, storage, data_len), GFP_KERNEL);
- if (!buf)
+ if (mem_to_flex_dup(&buf, data + ret, data_len, GFP_KERNEL))
return -ENOMEM;
- buf->length = data_len;
buf->data = buf->storage;
- memcpy(buf->storage, data + ret, flex_array_size(buf, storage, data_len));
/*
* At this point read_buffer is NULL or READ_BUFFER_DROP (if
--
2.32.0
More information about the Linux-security-module-archive
mailing list