| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 21 Dec 2008 14:49:21 +0100
From: Pierre Ossman <drzeus@...eus.cx>
To: Ben Dooks <ben-linux@...ff.org>
Cc: sdhci-devel@...t.drzeus.cx, linux-kernel@...r.kernel.org,
Ben Dooks <ben-linux@...ff.org>
Subject: Re: [patch 6/8] SDHCI: Check DMA for overruns at end of transfer
On Tue, 02 Dec 2008 15:40:24 +0000
Ben Dooks <ben-linux@...ff.org> wrote:
> At the end of a transfer, check that the DMA engine in the
> SDHCI controller actually did what it was meant to and didn't
> overrun the end of the buffer.
>
> This seems to be triggered by a timeout during an CMD25 (multiple block
> write) to a card. The mmc_block module then issues a command to find out
> how much data was moved and this seems to end up triggering this DMA
> check. The result is the card's queue generates an OOPS as the stack has
> been trampled on due to the extra data transfered.
>
Hmm... this is even stranger. CMD25 (write) will only read from main
memory and should not be able to mess up the stack. And it shouldn't be
the stack getting messed up anyway as that is not near the buffer
memory.
I still consider this a critical bug since it seems to be provoked by
hitting the timeout condition.
I'll queue up your patches (once the other things are fixed), but I
will add a patch disabling DMA on this controller until this is
properly understood and handled.
RGds
--
-- Pierre Ossman
WARNING: This correspondence is being monitored by the
Swedish government. Make sure your server uses encryption
for SMTP traffic and consider using PGP for end-to-end
encryption.
Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)
Powered by blists - more mailing lists