| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tkrat.119dc7959532de1f@s5r6.in-berlin.de>
Date: Tue, 20 May 2008 18:46:02 +0200 (CEST)
From: Stefan Richter <stefanr@...6.in-berlin.de>
To: Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>
cc: linux-kernel@...r.kernel.org, linux1394-devel@...ts.sourceforge.net
Subject: [GIT PULL] ieee1394 updates
Linus, please pull from the for-linus branch at
git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6.git for-linus
to receive the following IEEE 1394/ FireWire subsystem updates.
Jay Fenlason (1):
firewire: prevent userspace from accessing shut down devices
Stefan Richter (1):
ieee1394: sbp2: use correct size of command descriptor block
drivers/firewire/fw-cdev.c | 14 ++++++++++++++
drivers/ieee1394/sbp2.c | 20 ++++++++------------
2 files changed, 22 insertions(+), 12 deletions(-)
commit 551f4cb9de716ffcdaf968c99a450c22ff12e8c3
Author: Jay Fenlason <fenlason@...hat.com>
Date: Fri May 16 11:15:23 2008 -0400
firewire: prevent userspace from accessing shut down devices
If userspace ignores the POLLERR bit from poll(), and only attempts to
read() the device when POLLIN is set, it can still make ioctl() calls on
a device that has been removed from the system. The node_id and
generation returned by GET_INFO will be outdated, but INITIATE_BUS_RESET
would still cause a bus reset, and GET_CYCLE_TIMER will return data.
And if you guess the correct generation to use, you can send requests to
a different device on the bus, and get responses back.
This patch prevents open, ioctl, compat_ioctl, and mmap against shutdown
devices.
Signed-off-by: Jay Fenlason <fenlason@...hat.com>
Signed-off-by: Stefan Richter <stefanr@...6.in-berlin.de>
diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c
index 4a54192..dda1401 100644
--- a/drivers/firewire/fw-cdev.c
+++ b/drivers/firewire/fw-cdev.c
@@ -113,6 +113,11 @@ static int fw_device_op_open(struct inode *inode, struct file *file)
if (device == NULL)
return -ENODEV;
+ if (fw_device_is_shutdown(device)) {
+ fw_device_put(device);
+ return -ENODEV;
+ }
+
client = kzalloc(sizeof(*client), GFP_KERNEL);
if (client == NULL) {
fw_device_put(device);
@@ -901,6 +906,9 @@ fw_device_op_ioctl(struct file *file,
{
struct client *client = file->private_data;
+ if (fw_device_is_shutdown(client->device))
+ return -ENODEV;
+
return dispatch_ioctl(client, cmd, (void __user *) arg);
}
@@ -911,6 +919,9 @@ fw_device_op_compat_ioctl(struct file *file,
{
struct client *client = file->private_data;
+ if (fw_device_is_shutdown(client->device))
+ return -ENODEV;
+
return dispatch_ioctl(client, cmd, compat_ptr(arg));
}
#endif
@@ -922,6 +933,9 @@ static int fw_device_op_mmap(struct file *file, struct vm_area_struct *vma)
unsigned long size;
int page_count, retval;
+ if (fw_device_is_shutdown(client->device))
+ return -ENODEV;
+
/* FIXME: We could support multiple buffers, but we don't. */
if (client->buffer.pages != NULL)
return -EBUSY;
commit 93c596f7d611b379302bbdd26f31acdf72f4859a
Author: Stefan Richter <stefanr@...6.in-berlin.de>
Date: Sun May 4 16:54:14 2008 +0200
ieee1394: sbp2: use correct size of command descriptor block
Boaz Harrosh wrote:
> cmd->cmd_len is now guarantied to be set properly at all cases.
> And some commands you want to support will not be set correctly
> by COMMAND_SIZE().
Signed-off-by: Stefan Richter <stefanr@...6.in-berlin.de>
diff --git a/drivers/ieee1394/sbp2.c b/drivers/ieee1394/sbp2.c
index 16b9d0a..a5ceff2 100644
--- a/drivers/ieee1394/sbp2.c
+++ b/drivers/ieee1394/sbp2.c
@@ -1539,15 +1539,13 @@ static void sbp2_prep_command_orb_sg(struct sbp2_command_orb *orb,
static void sbp2_create_command_orb(struct sbp2_lu *lu,
struct sbp2_command_info *cmd,
- unchar *scsi_cmd,
- unsigned int scsi_use_sg,
- unsigned int scsi_request_bufflen,
- struct scatterlist *sg,
- enum dma_data_direction dma_dir)
+ struct scsi_cmnd *SCpnt)
{
struct sbp2_fwhost_info *hi = lu->hi;
struct sbp2_command_orb *orb = &cmd->command_orb;
u32 orb_direction;
+ unsigned int scsi_request_bufflen = scsi_bufflen(SCpnt);
+ enum dma_data_direction dma_dir = SCpnt->sc_data_direction;
/*
* Set-up our command ORB.
@@ -1580,13 +1578,14 @@ static void sbp2_create_command_orb(struct sbp2_lu *lu,
orb->data_descriptor_lo = 0x0;
orb->misc |= ORB_SET_DIRECTION(1);
} else
- sbp2_prep_command_orb_sg(orb, hi, cmd, scsi_use_sg, sg,
+ sbp2_prep_command_orb_sg(orb, hi, cmd, scsi_sg_count(SCpnt),
+ scsi_sglist(SCpnt),
orb_direction, dma_dir);
sbp2util_cpu_to_be32_buffer(orb, sizeof(*orb));
- memset(orb->cdb, 0, 12);
- memcpy(orb->cdb, scsi_cmd, COMMAND_SIZE(*scsi_cmd));
+ memset(orb->cdb, 0, sizeof(orb->cdb));
+ memcpy(orb->cdb, SCpnt->cmnd, SCpnt->cmd_len);
}
static void sbp2_link_orb_command(struct sbp2_lu *lu,
@@ -1669,16 +1668,13 @@ static void sbp2_link_orb_command(struct sbp2_lu *lu,
static int sbp2_send_command(struct sbp2_lu *lu, struct scsi_cmnd *SCpnt,
void (*done)(struct scsi_cmnd *))
{
- unchar *scsi_cmd = (unchar *)SCpnt->cmnd;
struct sbp2_command_info *cmd;
cmd = sbp2util_allocate_command_orb(lu, SCpnt, done);
if (!cmd)
return -EIO;
- sbp2_create_command_orb(lu, cmd, scsi_cmd, scsi_sg_count(SCpnt),
- scsi_bufflen(SCpnt), scsi_sglist(SCpnt),
- SCpnt->sc_data_direction);
+ sbp2_create_command_orb(lu, cmd, SCpnt);
sbp2_link_orb_command(lu, cmd);
return 0;
Thanks,
--
Stefan Richter
-=====-==--- -=-= =-=--
http://arcgraph.de/sr/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists