From: Boaz Harrosh <bharrosh@panasas.com>
To: Elias Oltmanns <eo@nebensachen.de>
Cc: Alan Stern <stern@rowland.harvard.edu>,
James Bottomley <James.Bottomley@HansenPartnership.com>,
Peter Teoh <htmldeveloper@gmail.com>,
Maciej Rutecki <maciej.rutecki@gmail.com>,
USB Storage list <usb-storage@lists.one-eyed-alien.net>,
SCSI development list <linux-scsi@vger.kernel.org>
Subject: Re: [PATCH] SCSI: erase invalid data returned by device
Date: Wed, 16 Jul 2008 17:01:04 +0300 [thread overview]
Message-ID: <487DFF20.2020303@panasas.com> (raw)
In-Reply-To: <87vdz63q1b.fsf@denkblock.local>
Elias Oltmanns wrote:
> Alan Stern <stern@rowland.harvard.edu> wrote:
>> This patch (as1108) fixes a problem that can occur with certain USB
>> mass-storage devices: They return invalid data together with a residue
>> indicating that the data should be ignored. Rather than leave the
>> invalid data in a transfer buffer, where it can get misinterpreted,
>> the patch clears the invalid portion of the buffer.
>
> I've only just stumbled upon this patch and I don't quite understand how
> it is supposed to work.
>
>> This solves a problem (wrong write-protect setting detected) reported
>> by Maciej Rutecki and Peter Teoh.
>>
>> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
>> Tested-by: Peter Teoh <htmldeveloper@gmail.com>
>>
>> ---
>>
>> Index: usb-2.6/drivers/scsi/scsi_lib.c
>> ===================================================================
>> --- usb-2.6.orig/drivers/scsi/scsi_lib.c
>> +++ usb-2.6/drivers/scsi/scsi_lib.c
>> @@ -207,6 +207,15 @@ int scsi_execute(struct scsi_device *sde
>> */
>> blk_execute_rq(req->q, NULL, req, 1);
>>
>> + /*
>> + * Some devices (USB mass-storage in particular) may transfer
>> + * garbage data together with a residue indicating that the data
>> + * is invalid. Prevent the garbage from being misinterpreted
>> + * and prevent security leaks by zeroing out the excess data.
>> + */
>> + if (unlikely(req->data_len > 0 && req->data_len <= bufflen))
>> + memset(buffer + (bufflen - req->data_len), 0, req->data_len);
>
> Sorry, I don't understand that line at all. Surely, we want to zero out
> either the excess data, i.e. buffer -> buffer + req->data_len, or the
> residue, i.e. buffer + req->data_len -> buffer + bufflen. Your patch
> implies that there are bufflen - req->data_len bytes of valid data at
> the beginning of buffer. If this is intentional, please bear with me and
> explain. Otherwise, what about the following patch to 2.6.26? On the
> other hand, the same could probably be achieved by setting req->data_len
> to 0. Oh dear, it would appear that I'm completely lost here.
>
> Elias
>
>
> diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
> index cbf55d5..977f22b 100644
> --- a/drivers/scsi/scsi_lib.c
> +++ b/drivers/scsi/scsi_lib.c
> @@ -214,7 +214,7 @@ int scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
> * and prevent security leaks by zeroing out the excess data.
> */
> if (unlikely(req->data_len > 0 && req->data_len <= bufflen))
> - memset(buffer + (bufflen - req->data_len), 0, req->data_len);
> + memset(buffer + req->data_len, 0, bufflen - req->data_len);
>
> ret = req->errors;
> out:
This is not your fault it is built confusing.
The req->data_len is used in to ways. At first it is used as bufflen, as input
to blk_execute but at the very last stage of execution it is set to be the residual
of the transfer, from the scsi_cmnd->resid member. So at this stage you see above,
req->data_len is whats left of @bufflen that was not written/read by blk_execute.
Boaz
next prev parent reply other threads:[~2008-07-16 14:01 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <48328E81.2080504@panasas.com>
2008-05-20 14:23 ` [Re: Linux 2.6.26-rc2] Write protect on on Alan Stern
2008-06-03 15:02 ` Alan Stern
2008-06-13 16:57 ` Maciej Rutecki
2008-06-13 18:02 ` Alan Stern
2008-06-14 7:02 ` Maciej Rutecki
2008-06-20 20:22 ` Alan Stern
2008-06-20 20:56 ` James Bottomley
2008-06-20 21:46 ` Alan Stern
2008-06-20 22:09 ` James Bottomley
2008-06-21 2:17 ` Alan Stern
2008-06-23 15:04 ` Alan Stern
2008-06-24 3:25 ` Peter Teoh
2008-06-24 4:09 ` Peter Teoh
2008-06-24 18:03 ` [PATCH] SCSI: erase invalid data returned by device Alan Stern
2008-07-10 23:15 ` Cal Peake
2008-07-10 23:23 ` Linus Torvalds
2008-07-10 23:28 ` James Bottomley
2008-07-10 23:35 ` Linus Torvalds
2008-07-16 13:41 ` Elias Oltmanns
2008-07-16 13:55 ` James Bottomley
2008-07-16 14:12 ` Elias Oltmanns
2008-07-16 14:28 ` Alan Stern
2008-07-16 14:39 ` Elias Oltmanns
2008-07-16 14:01 ` Boaz Harrosh [this message]
2008-06-24 14:59 ` [Re: Linux 2.6.26-rc2] Write protect on on Alan Stern
2008-06-24 16:59 ` Maciej Rutecki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=487DFF20.2020303@panasas.com \
--to=bharrosh@panasas.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=eo@nebensachen.de \
--cc=htmldeveloper@gmail.com \
--cc=linux-scsi@vger.kernel.org \
--cc=maciej.rutecki@gmail.com \
--cc=stern@rowland.harvard.edu \
--cc=usb-storage@lists.one-eyed-alien.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox