lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 19 Mar 2015 10:14:21 +0100
From:	Oliver Neukum <oneukum@...e.de>
To:	Jiri Kosina <jkosina@...e.cz>
Cc:	Pavel Machek <pavel@....cz>, Lauri Kasanen <cand@....com>,
	linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
	ao2@....it, AndrewD207@....com
Subject: Re: [PATCH] HID: sony: Enable Gasia third-party PS3 controllers

On Mon, 2015-03-16 at 22:37 +0100, Jiri Kosina wrote:
> On Mon, 16 Mar 2015, Pavel Machek wrote:
> 
> > > > Oliver Neukum <oneukum@...e.de> wrote:
> > > > 
> > > > > > +	ret = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x02),
> > > > > > +				buf2, sizeof(buf2),
> > > > > > +				&transfered, USB_CTRL_SET_TIMEOUT);
> > > > > 
> > > > > You cannot do this. Even for a single byte DMA on the stack is
> > > > > wrong. Not on all architectures it works at all and you violate
> > > > > the DMA constrainsts. You must use kmalloc().
> > > > 
> > > > Hi Oliver,
> > > > 
> > > > Does this still apply when using hid_hw_output_report?
> > > 
> > > Yes. For USB devices hid_hw_output_report() goes to
> > > usbhid_output_report(). That goes to usb_interrupt_msg(),
> > > which passes the buffer pointer. It will then be mapped
> > > for DMA. You must not do that on the stack.
> > 
> > Should we have some kind of runtime test for this ...? Because this is
> > very very easy to get wrong... and I bet we do get it wrong at > 1
> > place...
> 
> Are you sure CONFIG_DMA_API_DEBUG wouldn't warn here?

As far as I can tell, it will not warn. The problem is not in the
mapping itself. That is usually legitimate. The problem arises
because the buffer doesn't have a cacheline of its own. Thus the
memory corruption happens after the IO operation has started.

	Regards
		Oliver



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ