From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Asim Kadav <kadav@cs.wisc.edu>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH] a100u2w: Added sanitization for pointer dereference using a value from hardware. Detected using Carburizer (http://lwn.net/Articles/479653/)
Date: Thu, 27 Dec 2012 11:25:03 +0000 [thread overview]
Message-ID: <1356607503.2306.20.camel@dabdike> (raw)
In-Reply-To: <159925B4-EEAA-441E-8A8E-666DCA702D5B@cs.wisc.edu>
On Thu, 2012-12-27 at 02:59 -0600, Asim Kadav wrote:
> Signed-off-by: Asim Kadav <kadav@cs.wisc.edu>
> ---
> drivers/scsi/a100u2w.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/scsi/a100u2w.c b/drivers/scsi/a100u2w.c
> index 0163457..c2ca15c 100644
> --- a/drivers/scsi/a100u2w.c
> +++ b/drivers/scsi/a100u2w.c
> @@ -821,6 +821,9 @@ static irqreturn_t orc_interrupt(struct orc_host * host)
> /* Get the SCB index of the SCB to service */
> scb_index = inb(host->base + ORC_RQUEUE);
>
> + /* Sanitize incoming index */
> + scb_index &= 31;
> +
If your theory is that the hardware just returned a bogus value, this
isn't the right way to sanitise it because the chances are you'll
complete the wrong command and cause corruption: you'd have to halt the
entire system at that point. Also, I don't understand why you think the
value should only be 0-31? The size of variable allocated there is for
SCBs up to 243, no idea why, since some of the allocation routines will
search up to 256. However, safety from overrun should be guaranteed at
least at the system level by the can_queue value.
Double checking hardware values isn't something we habitually do unless
there's a known reason for it (like the state machine does throw bogus
values with a defined recovery procedure). We definitely don't run in
the mode where you can't trust your hardware.
James
next prev parent reply other threads:[~2012-12-27 11:25 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-27 8:59 [PATCH] a100u2w: Added sanitization for pointer dereference using a value from hardware. Detected using Carburizer (http://lwn.net/Articles/479653/) Asim Kadav
2012-12-27 11:25 ` James Bottomley [this message]
2012-12-27 14:12 ` Asim Kadav
2012-12-27 14:53 ` James Bottomley
2012-12-28 23:03 ` Asim Kadav
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1356607503.2306.20.camel@dabdike \
--to=james.bottomley@hansenpartnership.com \
--cc=kadav@cs.wisc.edu \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox