In the quest to remove all stack VLA usage from the kernel[1], this
switches to using a stack size large enough for the saved routine and
adds a sanity check making sure the routine doesn't overflow into the
0x600 exception handler.

[1] 
https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com

Signed-off-by: Kees Cook <keesc...@chromium.org>
Reviewed-by: Arnd Bergmann <a...@arndb.de>
---
v2: use "0x600-0x500" for size calculation to illustrate handler sizes
---
 arch/powerpc/platforms/52xx/mpc52xx_pm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/52xx/mpc52xx_pm.c 
b/arch/powerpc/platforms/52xx/mpc52xx_pm.c
index 31d3515672f3..b1d208ded981 100644
--- a/arch/powerpc/platforms/52xx/mpc52xx_pm.c
+++ b/arch/powerpc/platforms/52xx/mpc52xx_pm.c
@@ -117,7 +117,10 @@ int mpc52xx_pm_enter(suspend_state_t state)
        u32 intr_main_mask;
        void __iomem * irq_0x500 = (void __iomem *)CONFIG_KERNEL_START + 0x500;
        unsigned long irq_0x500_stop = (unsigned long)irq_0x500 + 
mpc52xx_ds_cached_size;
-       char saved_0x500[mpc52xx_ds_cached_size];
+       char saved_0x500[0x600-0x500];
+
+       if (WARN_ON(mpc52xx_ds_cached_size > sizeof(saved_0x500)))
+               return -ENOMEM;
 
        /* disable all interrupts in PIC */
        intr_main_mask = in_be32(&intr->main_mask);
-- 
2.17.1


-- 
Kees Cook
Pixel Security

Reply via email to