* [Bug 32362] New: ATA Passthrough generates incorrect LBA addresses with OS ASYNC activity, Image of Bus-trace attached
@ 2011-03-31 16:11 bugzilla-daemon
2012-05-12 14:49 ` [Bug 32362] " bugzilla-daemon
0 siblings, 1 reply; 2+ messages in thread
From: bugzilla-daemon @ 2011-03-31 16:11 UTC (permalink / raw)
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=32362
Summary: ATA Passthrough generates incorrect LBA addresses with
OS ASYNC activity, Image of Bus-trace attached
Product: SCSI Drivers
Version: 2.5
Kernel Version: All
Platform: All
OS/Version: Linux
Tree: Mainline
Status: NEW
Severity: blocking
Priority: P1
Component: Other
AssignedTo: scsi_drivers-other@kernel-bugs.osdl.org
ReportedBy: marcus.firthview@gmail.com
Regression: No
Created an attachment (id=52792)
--> (https://bugzilla.kernel.org/attachment.cgi?id=52792)
Finisar Bus-Trace of SG tools w/System Activity
Bug: Low 28 bits of LBA address to drive after DMA completion (read/write),
following the interrupt to the kernel, status is read from the drive with the
updated LBA address. The 28 lower bits are then transposed into the NEXT drive
commands upper 28bits.
Confirmed: smartmon/sgtools using a Finisar protocol analyzer.
When: Only occurs when using systems whos BIOS is set into Legacy (or ATA/IDE)
modes. (Does NOT occur when using AHCI bios mode).
See attached image to see what occured when running SG tools to read the SMART
log (command 0x2F)... It becomes very obvious that the ATA Pass-Through
driver's actual data becomes over-written with the previous commands LBA
address.
Example:
DMA-Write LBA=00000123456
->> BUS: Cmd 0x2f, LBA=0x0000123456
Read Status: DRDY, drive LBA=0x123457 (LBA updated in HW)
Device Identify LBA=0000000000
->> BUS: Cmd 0xec, LBA=12345700000 <-- BAD/OOPS!!!
(In this case, CMD 0xec ignores LBA)..
However, a cleverly constructed packet could use a read/writes combined with a
previously corrupted LBA address to access portions of the drive which should
be considered 'restricted/confidential', thus compromising system security and
potentially by-passing AV or other security products.
--
Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 2+ messages in thread
* [Bug 32362] ATA Passthrough generates incorrect LBA addresses with OS ASYNC activity, Image of Bus-trace attached
2011-03-31 16:11 [Bug 32362] New: ATA Passthrough generates incorrect LBA addresses with OS ASYNC activity, Image of Bus-trace attached bugzilla-daemon
@ 2012-05-12 14:49 ` bugzilla-daemon
0 siblings, 0 replies; 2+ messages in thread
From: bugzilla-daemon @ 2012-05-12 14:49 UTC (permalink / raw)
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=32362
Alan <alan@lxorguk.ukuu.org.uk> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |alan@lxorguk.ukuu.org.uk
Component|Other |Serial ATA
AssignedTo|scsi_drivers-other@kernel-b |jgarzik@pobox.com
|ugs.osdl.org |
Product|SCSI Drivers |IO/Storage
--
Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-05-12 14:49 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-03-31 16:11 [Bug 32362] New: ATA Passthrough generates incorrect LBA addresses with OS ASYNC activity, Image of Bus-trace attached bugzilla-daemon
2012-05-12 14:49 ` [Bug 32362] " bugzilla-daemon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).