From: Boaz Harrosh <bharrosh@panasas.com>
To: Boaz Harrosh <bharrosh@panasas.com>,
Alan Stern <stern@rowland.harvard.edu>,
Mark Glines <mark@glines.org>,
James Bottomley <James.Bottomley@SteelEye.com>,
USB list <linux-usb@vger.k>
Subject: Re: [PATCH] bugfix for an underflow condition in usb storage & isd200.c
Date: Mon, 04 Feb 2008 11:05:54 +0200 [thread overview]
Message-ID: <47A6D572.5020906@panasas.com> (raw)
In-Reply-To: <20080203192316.GF27785@one-eyed-alien.net>
On Sun, Feb 03 2008 at 21:23 +0200, Matthew Dharm <mdharm-scsi@one-eyed-alien.net> wrote:
> On Sun, Feb 03, 2008 at 06:28:48PM +0200, Boaz Harrosh wrote:
>> >From 3610cfa93c990bbbafb296134ac01ef6d426eb8d Mon Sep 17 00:00:00 2001
>> From: Boaz Harrosh <bharrosh@panasas.com>
>> Date: Thu, 31 Jan 2008 21:31:31 +0200
>> Subject: [PATCH] bugfix for an overflow condition in usb storage & isd200.c
>>
>> scsi_scan is issuing a 36-byte INQUIRY request to llds. isd200 would
>> volunteer 96 bytes of INQUIRY. This caused an overflow condition in
>> protocol.c usb_stor_access_xfer_buf(). So first fix is to
>> usb_stor_access_xfer_buf() to properly handle overflow/underflow conditions.
>> Then usb_stor_set_xfer_buf() should report this condition as cmnd->result ==
>> (DID_BAD_TARGET << 16).
>>
>> Then also isd200.c is fixed to only return the type of INQUIRY && SENSE
>> the upper layer asked for.
>>
>> Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
>> ---
>> drivers/usb/storage/isd200.c | 7 +++++--
>> drivers/usb/storage/protocol.c | 20 ++++++++++++++++----
>> 2 files changed, 21 insertions(+), 6 deletions(-)
>
> Looking at this again, I think I see Alan's point. The modifications to
> ISD200 code aren't really needed.
>
> Or, put another way, if you're going to modify the ISD200 code, you should
> fix up all the other users of usb_stor_access_xfer_buf() -- there are over
> a dozen or so, and it looks like none of them have sanity checks for length
> (but the happen to work right now).
>
> But, the modifications to usb_stor_access_xfer_buf() look good -- no
> request from a sub-driver should be allowed to scribble into memory. The
> current code does make the implicit assumption that there is enough
> storage, and will walk right off the end of the sg list if there isn't.
>
> I'm not sure I like the mods to usb_stor_set_xfer_buf(). Any place we set
> a status that we know is going to be thrown away is an invitation for a
> problem later if someone changes the code to preserve that status. It's a
> jack-in-the-box, waiting to spring open in our face later. The limit check
> (which mirrors the usb_stor_access_xfer_buf modification) and WARN_ON() are
> probably good.
>
If you want the WARN_ON() then isd200 code modification must stay, other
wise the WARN_ON will trigger regularly.
You will find that most other places are naturally bound by other factors
and will not overflow. I think that those places that can, like INQUIRY,
should be fixed, and the WARN_ON should stay. If you don't fix them the
WARN_ON must go.
> In a strictly technical sense, the change to protocol.c are sufficient.
> That is, they will prevent a serious error. There is a justification tho
> to fix all of the users of usb_stor_access_buf() to not attempt to use more
> SCSI buffer than exists.
>
> My opinion is this: Let's make the protocol.c mods (modulo my comments
> about setting useless status bits) now. Then, let's decide if we're going
> to patch all the other users of the usb_stor_*_xfer_buf() functions as a
> separate discussion.
>
> Matt
>
I'm removing the set of result. I don't see any danger in it but it's your
code. But if the WARN_ON stays then so is the isd200 fixes.
Boaz
---
>From cd66d4d4a4a239e580714e926e9635f3426dd7fd Mon Sep 17 00:00:00 2001
From: Boaz Harrosh <bharrosh@panasas.com>
Date: Thu, 31 Jan 2008 21:31:31 +0200
Subject: [PATCH] bugfix for an overflow condition in usb storage & isd200.c
scsi_scan is issuing a 36-byte INQUIRY request to llds. isd200 would
volunteer 96 bytes of INQUIRY. This caused an overflow condition in
protocol.c usb_stor_access_xfer_buf(). So first fix is to
usb_stor_access_xfer_buf() to properly handle overflow/underflow conditions.
Then put a WARN_ON in usb_stor_set_xfer_buf().
isd200.c is fixed to only return the type of INQUIRY && SENSE
the upper layer asked for.
Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
---
drivers/usb/storage/isd200.c | 7 +++++--
drivers/usb/storage/protocol.c | 12 ++++++++----
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/storage/isd200.c b/drivers/usb/storage/isd200.c
index 49ba6c0..8186e93 100644
--- a/drivers/usb/storage/isd200.c
+++ b/drivers/usb/storage/isd200.c
@@ -1238,6 +1238,7 @@ static int isd200_scsi_to_ata(struct scsi_cmnd *srb, struct us_data *us,
unsigned long lba;
unsigned long blockCount;
unsigned char senseData[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+ unsigned xfer_len;
memset(ataCdb, 0, sizeof(union ata_cdb));
@@ -1247,8 +1248,9 @@ static int isd200_scsi_to_ata(struct scsi_cmnd *srb, struct us_data *us,
US_DEBUGP(" ATA OUT - INQUIRY\n");
/* copy InquiryData */
+ xfer_len = min(sizeof(info->InquiryData), scsi_bufflen(srb));
usb_stor_set_xfer_buf((unsigned char *) &info->InquiryData,
- sizeof(info->InquiryData), srb);
+ xfer_len, srb);
srb->result = SAM_STAT_GOOD;
sendToTransport = 0;
break;
@@ -1257,7 +1259,8 @@ static int isd200_scsi_to_ata(struct scsi_cmnd *srb, struct us_data *us,
US_DEBUGP(" ATA OUT - SCSIOP_MODE_SENSE\n");
/* Initialize the return buffer */
- usb_stor_set_xfer_buf(senseData, sizeof(senseData), srb);
+ xfer_len = min(sizeof(senseData), scsi_bufflen(srb));
+ usb_stor_set_xfer_buf(senseData, xfer_len, srb);
if (info->DeviceFlags & DF_MEDIA_STATUS_ENABLED)
{
diff --git a/drivers/usb/storage/protocol.c b/drivers/usb/storage/protocol.c
index 889622b..a3d1d8e 100644
--- a/drivers/usb/storage/protocol.c
+++ b/drivers/usb/storage/protocol.c
@@ -194,7 +194,7 @@ unsigned int usb_stor_access_xfer_buf(unsigned char *buffer,
* and the starting offset within the page, and update
* the *offset and *index values for the next loop. */
cnt = 0;
- while (cnt < buflen) {
+ while (cnt < buflen && sg) {
struct page *page = sg_page(sg) +
((sg->offset + *offset) >> PAGE_SHIFT);
unsigned int poff =
@@ -248,9 +248,13 @@ void usb_stor_set_xfer_buf(unsigned char *buffer,
{
unsigned int offset = 0;
struct scatterlist *sg = NULL;
+ unsigned count;
- usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
+ count = usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
TO_XFER_BUF);
- if (buflen < srb->request_bufflen)
- srb->resid = srb->request_bufflen - buflen;
+
+ /* Check for overflow */
+ WARN_ON(buflen > scsi_bufflen(srb));
+
+ scsi_set_resid(srb, scsi_bufflen(srb) - count);
}
--
1.5.3.3
next prev parent reply other threads:[~2008-02-04 9:06 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <Pine.LNX.4.44L0.0801301807420.17156-100000@iolanthe.rowland.org>
[not found] ` <47A1948B.2010402@panasas.com>
[not found] ` <20080131070846.4464eb3c@chirp.tahoe>
[not found] ` <20080131070846.4464eb3c-uevSgErl2ChVvDCLMmKh5Q@public.gmane.org>
2008-01-31 15:17 ` [linux-usb-devel] 2.6.24: NULL scatter-gather pointer in usb_storage:usb_stor_access_xfer_buf? Boaz Harrosh
2008-01-31 16:45 ` Alan Stern
[not found] ` <Pine.LNX.4.44L0.0801311143180.3970-100000-IYeN2dnnYyZXsRXLowluHWD2FQJk+8+b@public.gmane.org>
2008-01-31 17:20 ` Boaz Harrosh
[not found] ` <47A1E6A0.8050500-C4P08NqkoRlBDgjK7y7TUQ@public.gmane.org>
2008-01-31 17:19 ` [PATCH] bugfix for an underflow condition in usb storage & isd200.c Boaz Harrosh
[not found] ` <47A2033D.2050502-C4P08NqkoRlBDgjK7y7TUQ@public.gmane.org>
2008-01-31 17:49 ` Alan Stern
[not found] ` <Pine.LNX.4.44L0.0801311244430.4373-100000-IYeN2dnnYyZXsRXLowluHWD2FQJk+8+b@public.gmane.org>
2008-01-31 19:00 ` Boaz Harrosh
2008-01-31 19:34 ` Alan Stern
2008-01-31 19:53 ` Boaz Harrosh
2008-01-31 20:56 ` Alan Stern
[not found] ` <Pine.LNX.4.44L0.0801311546450.22845-100000-IYeN2dnnYyZXsRXLowluHWD2FQJk+8+b@public.gmane.org>
2008-02-03 8:59 ` Boaz Harrosh
[not found] ` <47A5825D.2030901-C4P08NqkoRlBDgjK7y7TUQ@public.gmane.org>
2008-02-03 16:01 ` Alan Stern
2008-02-03 16:28 ` Boaz Harrosh
2008-02-03 19:23 ` Matthew Dharm
2008-02-04 9:05 ` Boaz Harrosh [this message]
2008-02-04 20:05 ` Alan Stern
[not found] ` <Pine.LNX.4.44L0.0802041500420.5186-100000-IYeN2dnnYyZXsRXLowluHWD2FQJk+8+b@public.gmane.org>
2008-02-05 8:41 ` Boaz Harrosh
[not found] ` <47A8213B.9050705-C4P08NqkoRlBDgjK7y7TUQ@public.gmane.org>
2008-02-05 15:42 ` Alan Stern
2008-02-05 16:54 ` Boaz Harrosh
2008-02-05 17:54 ` Matthew Dharm
[not found] ` <20080205175403.GA31714-JGfshJpz5UybPZpvUQj5UqxOck334EZe@public.gmane.org>
2008-02-06 20:23 ` Alan Stern
2008-02-06 21:05 ` Matthew Dharm
2008-02-06 22:18 ` Alan Stern
2008-02-06 23:01 ` James Bottomley
[not found] ` <1202338869.3112.138.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2008-02-06 23:25 ` Alan Stern
2008-02-06 23:55 ` James Bottomley
[not found] ` <1202342108.3112.146.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2008-02-07 16:35 ` Alan Stern
2008-02-08 16:46 ` Alan Stern
[not found] ` <Pine.LNX.4.44L0.0802081143010.4593-100000-IYeN2dnnYyZXsRXLowluHWD2FQJk+8+b@public.gmane.org>
2008-02-08 16:59 ` Mark Glines
[not found] ` <47A5EBC0.3060401-C4P08NqkoRlBDgjK7y7TUQ@public.gmane.org>
2008-02-03 21:09 ` Matthew Dharm
2008-01-31 18:00 ` Greg KH
2008-01-31 18:32 ` Boaz Harrosh
2008-01-31 19:37 ` [PATCH 2.6.24] bugfix for an overflow " Boaz Harrosh
[not found] ` <47A22369.80906-C4P08NqkoRlBDgjK7y7TUQ@public.gmane.org>
2008-01-31 19:49 ` Matthew Dharm
2008-01-31 20:05 ` Boaz Harrosh
[not found] ` <47A229FF.4040404@panasas.com>
2008-01-31 20:16 ` Matthew Dharm
2008-02-02 0:55 ` Mark Glines
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47A6D572.5020906@panasas.com \
--to=bharrosh@panasas.com \
--cc=James.Bottomley@SteelEye.com \
--cc=linux-usb@vger.k \
--cc=mark@glines.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox