lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 22 Jul 2016 07:34:30 +0800
From:	tom.ty89@...il.com
To:	tj@...nel.org, hare@...e.de, sergei.shtylyov@...entembedded.com,
	arnd@...db.de
Cc:	sfr@...b.auug.org.au, linux-ide@...r.kernel.org,
	linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-next@...r.kernel.org, Tom Yan <tom.ty89@...il.com>
Subject: [PATCH resend v2 2/5] libata-scsi: fix read-only bits checking in ata_mselect_*()

From: Tom Yan <tom.ty89@...il.com>

Commit 7780081c1f04 ("libata-scsi: Set information sense field for
invalid parameter") changed how ata_mselect_*() make sure read-only
bits are not modified. The new implementation introduced a bug that
the read-only bits in the byte that has a changeable bit will not
be checked.

Made it check every byte but mask the changeable bit.

Signed-off-by: Tom Yan <tom.ty89@...il.com>

diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index eb5e8ff..4a4e6f1 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -3611,7 +3611,7 @@ static int ata_mselect_caching(struct ata_queued_cmd *qc,
 	struct ata_taskfile *tf = &qc->tf;
 	struct ata_device *dev = qc->dev;
 	char mpage[CACHE_MPAGE_LEN];
-	u8 wce;
+	u8 wce, mask;
 	int i;
 
 	/*
@@ -3632,8 +3632,11 @@ static int ata_mselect_caching(struct ata_queued_cmd *qc,
 	ata_msense_caching(dev->id, mpage, false);
 	for (i = 0; i < CACHE_MPAGE_LEN - 2; i++) {
 		if (i == 0)
-			continue;
-		if (mpage[i + 2] != buf[i]) {
+			mask = 0xfb;
+		else
+			mask = 0xff;
+
+		if ((mpage[i + 2] & mask) != (buf[i] & mask)) {
 			*fp = i;
 			return -EINVAL;
 		}
@@ -3666,7 +3669,7 @@ static int ata_mselect_control(struct ata_queued_cmd *qc,
 {
 	struct ata_device *dev = qc->dev;
 	char mpage[CONTROL_MPAGE_LEN];
-	u8 d_sense;
+	u8 d_sense, mask;
 	int i;
 
 	/*
@@ -3687,8 +3690,11 @@ static int ata_mselect_control(struct ata_queued_cmd *qc,
 	ata_msense_control(dev, mpage, false);
 	for (i = 0; i < CONTROL_MPAGE_LEN - 2; i++) {
 		if (i == 0)
-			continue;
-		if (mpage[2 + i] != buf[i]) {
+			mask = 0xfb;
+		else
+			mask = 0xff;
+
+		if ((mpage[2 + i] & mask) != (buf[i] & mask)) {
 			*fp = i;
 			return -EINVAL;
 		}
-- 
2.9.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ