lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 24 Jan 2011 21:59:02 -0500 (EST)
From:	Alan Stern <stern@...land.harvard.edu>
To:	rmorell@...dia.com
cc:	David Brownell <dbrownell@...rs.sourceforge.net>,
	Greg Kroah-Hartman <gregkh@...e.de>,
	Benoit Goby <benoit@...roid.com>,
	Sarah Sharp <sarah.a.sharp@...ux.intel.com>,
	Matthew Wilcox <willy@...ux.intel.com>,
	Ming Lei <tom.leiming@...il.com>,
	Jacob Pan <jacob.jun.pan@...el.com>,
	Oliver Neukum <oliver@...kum.org>,
	Olof Johansson <olof@...om.net>,
	Erik Gilling <konkers@...roid.com>,
	Colin Cross <ccross@...roid.com>,
	"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-tegra@...r.kernel.org" <linux-tegra@...r.kernel.org>
Subject: Re: [PATCH 2/2] USB: ehci: tegra: Align DMA transfers to 32 bytes

On Mon, 24 Jan 2011 rmorell@...dia.com wrote:

> > > +	if (dir == DMA_FROM_DEVICE && !status)
> > > +		memcpy(temp->old_xfer_buffer, temp->data,
> > > +			urb->transfer_buffer_length);
> > 
> > Even if status is nonzero, there may be valid data in the buffer.  You 
> > should skip that test.
> 
> Thanks for looking, Alan.  I added that test based on earlier feedback.
> I think the big concern here is security: if the URB fails in such a way
> that the buffer is not overwritten, then we may copy out freed kernel
> data to userspace.

Not to userspace, only to the driver that submitted the URB.  That 
driver must be part of the kernel.  For URBs that _do_ originate in 
userspace, by way of usbfs, the usbfs code is responsible for not 
leaking any kernel data.

> Are there specific status codes that I can check for here?

No.

>  I guess the
> only other option is to remove the direction check from the alloc path
> or alloc with GFP_ZERO.

You don't have to worry about this; it isn't a security concern.

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ