lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110812150556.GC3014@zod.bos.redhat.com>
Date:	Fri, 12 Aug 2011 11:05:56 -0400
From:	Josh Boyer <jwboyer@...hat.com>
To:	Adam Cozzette <acozzette@...hmc.edu>
Cc:	edwin_rong <edwin_rong@...lsil.com.cn>,
	wwang <wei_wang@...lsil.com.cn>,
	Greg Kroah-Hartman <gregkh@...e.de>, linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: ums-realtek driver uses stack memory for DMA

On Tue, Aug 02, 2011 at 08:41:17AM -0400, Josh Boyer wrote:
> On Mon, Aug 01, 2011 at 11:04:11PM -0600, Adam Cozzette wrote:
> > On Mon, Aug 01, 2011 at 05:09:06PM -0400, Josh Boyer wrote:
> > > Hello,
> > > 
> > > We have a report that the ums-realtek driver is generating a backtrace
> > > due to using stack variables for DMA buffers.  The backtrace is below
> > > and you can view the bug report here:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=720054
> > > 
> > > Looking through the code, it seems that every call to rts51x_read_mem,
> > > rts51x_write_mem, and rts51x_read_status passes a stack variable to
> > > rts51x_bulk_transport, which then calls usb_stor_bulk_transfer_buf with
> > > this and generates the backtrace.  It is my understanding that the
> > > driver should be passing variables that are not on the stack and have
> > > been allocated with memory that will be suitable for the DMA api (e.g.
> > > kmalloc).
> > > 
> > > Was this missed during the initial review and is anyone working on
> > > adapting the driver to be compliant?
> > 
> > Could you try out this patch if it looks ok to you? I have not tested it because
> > unfortunately I don't have the hardware. Right now it generates some compile
> > warnings like this one:
> > 
> > drivers/usb/storage/realtek_cr.c:419:40: warning: ‘buf[0]’ may be used uninitialized in this function [-Wuninitialized]
> > 
> > It think they are harmless but I didn't see an obvious way to get rid of them,
> > so if you have any suggestions I would be glad to hear them.
> > 
> > This patch changed rts51x_read_mem, rts51x_write_mem, and rts51x_read_status to
> > allocate temporary buffers with kmalloc. This way stack addresses are not used
> > for DMA when these functions call rts51x_bulk_transport.
> > 
> > Signed-off-by: Adam Cozzette <acozzette@...hmc.edu>
> 
> This looks pretty good.  I backported it to 3.0 and will do a scratch
> build for the bug reporter to test with.

We've included this patch for a while now.  I think it should get queued
up in mainline.

josh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ