| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 Mar 2010 22:37:51 +0100
From: Markus Rechberger <mrechberger@...il.com>
To: Greg KH <greg@...ah.com>
Cc: Alan Stern <stern@...land.harvard.edu>,
Linus Torvalds <torvalds@...ux-foundation.org>,
linux-usb@...r.kernel.org, werner@...ane.dyn-o-saur.com,
Marcus Meissner <meissner@...e.de>,
linux-kernel@...r.kernel.org
Subject: Re: 2.6.33 bugs (USBFS, Intel graphic)
On Wed, Mar 3, 2010 at 1:09 AM, Greg KH <greg@...ah.com> wrote:
> On Sat, Feb 27, 2010 at 12:20:35PM -0500, Alan Stern wrote:
>> On Fri, 26 Feb 2010, Greg KH wrote:
>>
>> > Hm, so it's back to the original idea of just doing a kzalloc of the
>> > initial buffer, that should solve the problem that Marcus found.
>> >
>> > I'll go dig that back up and if you could test it, that would be most
>> > appreciated.
>>
>> Here's a better solution. In theory we could copy just the individual
>> packets from within the transfer buffer, but that would probably take
>> longer than simply copying the whole buffer.
>>
>> (This was a little hasty; I haven't even compile-tested the patch.
>> Some small fixes may be needed.)
>
> Markus, did you test this patch out?
>
sorry just saw this now, will do tomorrow morning...
Markus
> thanks,
>
> greg k-h
>
>> -----------------------------------------------------------------------
>>
>> This patch fixes a bug in the way isochronous input data is returned
>> to userspace for usbfs transfers. The entire buffer must be copied,
>> not just the first actual_length bytes, because the individual packets
>> will be discontiguous if any of them are short.
>>
>> Signed-off-by: Alan Stern <stern@...land.harvard.edu>
>> CC: stable <stable@...nel.org>
>>
>> ---
>>
>> Index: usb-2.6/drivers/usb/core/devio.c
>> ===================================================================
>> --- usb-2.6.orig/drivers/usb/core/devio.c
>> +++ usb-2.6/drivers/usb/core/devio.c
>> @@ -1176,6 +1176,13 @@ static int proc_do_submiturb(struct dev_
>> free_async(as);
>> return -ENOMEM;
>> }
>> + /* Isochronous input data may end up being discontiguous
>> + * if some of the packets are short. Clear the buffer so
>> + * that the gaps don't leak kernel data to userspace.
>> + */
>> + if (is_in && uurb->type == USBDEVFS_URB_TYPE_ISO)
>> + memset(as->urb->transfer_buffer, 0,
>> + uurb->buffer_length);
>> }
>> as->urb->dev = ps->dev;
>> as->urb->pipe = (uurb->type << 30) |
>> @@ -1312,10 +1319,14 @@ static int processcompl(struct async *as
>> void __user *addr = as->userurb;
>> unsigned int i;
>>
>> - if (as->userbuffer && urb->actual_length)
>> - if (copy_to_user(as->userbuffer, urb->transfer_buffer,
>> - urb->actual_length))
>> + if (as->userbuffer && urb->actual_length) {
>> + if (urb->number_of_packets > 0) /* Isochronous */
>> + i = urb->transfer_buffer_length;
>> + else /* Non-Isoc */
>> + i = urb->actual_length;
>> + if (copy_to_user(as->userbuffer, urb->transfer_buffer, i))
>> goto err_out;
>> + }
>> if (put_user(as->status, &userurb->status))
>> goto err_out;
>> if (put_user(urb->actual_length, &userurb->actual_length))
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists