lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150319093834.GB18997@amd>
Date:	Thu, 19 Mar 2015 10:38:34 +0100
From:	Pavel Machek <pavel@....cz>
To:	Oliver Neukum <oneukum@...e.de>
Cc:	Jiri Kosina <jkosina@...e.cz>, Lauri Kasanen <cand@....com>,
	linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
	ao2@....it, AndrewD207@....com
Subject: Re: [PATCH] HID: sony: Enable Gasia third-party PS3 controllers

On Thu 2015-03-19 10:14:21, Oliver Neukum wrote:
> On Mon, 2015-03-16 at 22:37 +0100, Jiri Kosina wrote:
> > On Mon, 16 Mar 2015, Pavel Machek wrote:
> > 
> > > > > Oliver Neukum <oneukum@...e.de> wrote:
> > > > > 
> > > > > > > +	ret = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x02),
> > > > > > > +				buf2, sizeof(buf2),
> > > > > > > +				&transfered, USB_CTRL_SET_TIMEOUT);
> > > > > > 
> > > > > > You cannot do this. Even for a single byte DMA on the stack is
> > > > > > wrong. Not on all architectures it works at all and you violate
> > > > > > the DMA constrainsts. You must use kmalloc().
> > > > > 
> > > > > Hi Oliver,
> > > > > 
> > > > > Does this still apply when using hid_hw_output_report?
> > > > 
> > > > Yes. For USB devices hid_hw_output_report() goes to
> > > > usbhid_output_report(). That goes to usb_interrupt_msg(),
> > > > which passes the buffer pointer. It will then be mapped
> > > > for DMA. You must not do that on the stack.
> > > 
> > > Should we have some kind of runtime test for this ...? Because this is
> > > very very easy to get wrong... and I bet we do get it wrong at > 1
> > > place...
> > 
> > Are you sure CONFIG_DMA_API_DEBUG wouldn't warn here?
> 
> As far as I can tell, it will not warn. The problem is not in the
> mapping itself. That is usually legitimate. The problem arises
> because the buffer doesn't have a cacheline of its own. Thus the
> memory corruption happens after the IO operation has started.

Nasty. Would WARN_ON(buffer & CACHELINE_SIZE-1) do at least part of
the trick? Alternatively, could we call ksize() on the object, and
fail if it is not big enough?

Alternatively, we could create "allocate_for_usb" function, and only
take pointers allocated by that function in usb functions. That would
also teach people the problem exists...

									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ