lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 2 Aug 2011 08:41:18 -0400
From:	Josh Boyer <jwboyer@...hat.com>
To:	Adam Cozzette <acozzette@...hmc.edu>
Cc:	edwin_rong <edwin_rong@...lsil.com.cn>,
	wwang <wei_wang@...lsil.com.cn>,
	Greg Kroah-Hartman <gregkh@...e.de>, linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: ums-realtek driver uses stack memory for DMA

On Mon, Aug 01, 2011 at 11:04:11PM -0600, Adam Cozzette wrote:
> On Mon, Aug 01, 2011 at 05:09:06PM -0400, Josh Boyer wrote:
> > Hello,
> > 
> > We have a report that the ums-realtek driver is generating a backtrace
> > due to using stack variables for DMA buffers.  The backtrace is below
> > and you can view the bug report here:
> > https://bugzilla.redhat.com/show_bug.cgi?id=720054
> > 
> > Looking through the code, it seems that every call to rts51x_read_mem,
> > rts51x_write_mem, and rts51x_read_status passes a stack variable to
> > rts51x_bulk_transport, which then calls usb_stor_bulk_transfer_buf with
> > this and generates the backtrace.  It is my understanding that the
> > driver should be passing variables that are not on the stack and have
> > been allocated with memory that will be suitable for the DMA api (e.g.
> > kmalloc).
> > 
> > Was this missed during the initial review and is anyone working on
> > adapting the driver to be compliant?
> 
> Could you try out this patch if it looks ok to you? I have not tested it because
> unfortunately I don't have the hardware. Right now it generates some compile
> warnings like this one:
> 
> drivers/usb/storage/realtek_cr.c:419:40: warning: ‘buf[0]’ may be used uninitialized in this function [-Wuninitialized]
> 
> It think they are harmless but I didn't see an obvious way to get rid of them,
> so if you have any suggestions I would be glad to hear them.
> 
> This patch changed rts51x_read_mem, rts51x_write_mem, and rts51x_read_status to
> allocate temporary buffers with kmalloc. This way stack addresses are not used
> for DMA when these functions call rts51x_bulk_transport.
> 
> Signed-off-by: Adam Cozzette <acozzette@...hmc.edu>

This looks pretty good.  I backported it to 3.0 and will do a scratch
build for the bug reporter to test with.

josh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ