nvmem: rave-sp-eeprom: Remove VLA usage

In the quest to remove all stack VLA usage from the kernel[1], this
uses the maximum allocation size for the stack and adds a sanity check,
similar to what has already be done for the regular rave-sp driver.

[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Tested-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/nvmem/rave-sp-eeprom.c b/drivers/nvmem/rave-sp-eeprom.c
index 50aeea6ec6cc62c4a0822df3399b2bf38742fd12..66699d44f73d4c6b6d01fd2203e77cb24f02ca4e 100644 (file)
--- a/drivers/nvmem/rave-sp-eeprom.c
+++ b/drivers/nvmem/rave-sp-eeprom.c
@@ -35,6 +35,7 @@ enum rave_sp_eeprom_header_size {
        RAVE_SP_EEPROM_HEADER_SMALL = 4U,
        RAVE_SP_EEPROM_HEADER_BIG   = 5U,
 };
+#define RAVE_SP_EEPROM_HEADER_MAX      RAVE_SP_EEPROM_HEADER_BIG
 
 #define        RAVE_SP_EEPROM_PAGE_SIZE        32U
 
@@ -97,9 +98,12 @@ static int rave_sp_eeprom_io(struct rave_sp_eeprom *eeprom,
        const unsigned int rsp_size =
                is_write ? sizeof(*page) - sizeof(page->data) : sizeof(*page);
        unsigned int offset = 0;
-       u8 cmd[cmd_size];
+       u8 cmd[RAVE_SP_EEPROM_HEADER_MAX + sizeof(page->data)];
        int ret;
 
+       if (WARN_ON(cmd_size > sizeof(cmd)))
+               return -EINVAL;
+
        cmd[offset++] = eeprom->address;
        cmd[offset++] = 0;
        cmd[offset++] = type;