* Re: [PATCH] usb: storage: alauda: fix possible buffer overflow caused by bad DMA value in alauda_read_map()
[not found] <20200530144230.3550-1-baijiaju@tsinghua.edu.cn>
@ 2020-05-30 15:59 ` Alan Stern
From: Alan Stern @ 2020-05-30 15:59 UTC (permalink / raw)
To: Jia-Ju Bai; +Cc: gregkh, linux-usb, usb-storage, linux-kernel, Jia-Ju Bai
On Sat, May 30, 2020 at 10:42:30PM +0800, Jia-Ju Bai wrote:
> From: Jia-Ju Bai <baijiaju1990@gmail.com>
>
> The value us->iobuf is stored in DMA memory, and it is assigned to data,
> so data[6] and data[7] can be modified at any time by malicious hardware.
> In this case, data[6] ^ data[7] can be a quite large number, which may
> cause buffer overflow when the code "parity[data[6] ^ data[7]]" is
> executed.
>
> To fix this possible bug, data[6] ^ data[7] is assigned to a local
> variable, and then this variable is checked before being used.

There are much worse problems than this in the alauda driver. For
example, alauda_get_redu_data() does I/O from a data buffer on the
stack; this is not allowed. That's just the example I noticed; there
may very well be others.

If you want to fix something, fix that.

If you're still worried about malicious hardware, the way to fix the
problem is not to change this one location. Instead, you should modify
the driver so that us->iobuf is not stored in DMA memory.

Alan Stern
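
The double-fetch concern in the quoted patch description, as an added example that is not part of this thread or of the alauda driver: a user-space C model in which a device-writable buffer changes between a check and the use that follows it. The buffer, `TABLE_LEN`, `REC_LEN`, `tamper_at` and all function names are assumptions made for the model.

```c
/* User-space model with constructed data; not code from the alauda driver. */
#include <stdint.h>
#include <stdio.h>
#define TABLE_LEN 64   /* hypothetical lookup-table size for this model */
#define REC_LEN   16   /* hypothetical record length for this model */

static volatile uint8_t dma_buf[REC_LEN]; /* stands in for device-writable memory */
static int reads;                         /* fetches made since reset() */
static int tamper_at = 3;                 /* fetch number at which the "device" writes; 0 = never */

/* Every read of the shared buffer goes through here so the model can race it. */
static uint8_t fetch(int i)
{
    if (++reads == tamper_at)
        dma_buf[6] = 0xff;                /* simulated hardware rewrite */
    return dma_buf[i];
}

static void reset(void)
{
    for (int i = 0; i < REC_LEN; i++) dma_buf[i] = 0;
    dma_buf[6] = 0x21; dma_buf[7] = 0x01; /* 0x21 ^ 0x01 = 0x20, in range */
    reads = 0;
}

/* Double fetch: validates one pair of reads, then indexes with a second pair. */
static int index_double_fetch(void)
{
    if ((fetch(6) ^ fetch(7)) >= TABLE_LEN)   /* fetches 1 and 2 */
        return -1;
    return fetch(6) ^ fetch(7);               /* fetches 3 and 4: unchecked value */
}

/* Single fetch: copy the record to private memory once, validate and use the copy. */
static int index_snapshot(void)
{
    uint8_t rec[REC_LEN];
    for (int i = 0; i < REC_LEN; i++)
        rec[i] = fetch(i);
    unsigned idx = rec[6] ^ rec[7];
    return idx < TABLE_LEN ? (int)idx : -1;
}

int main(void)
{
    reset(); printf("double fetch index: %d\n", index_double_fetch());
    reset(); printf("snapshot index:     %d\n", index_snapshot());
    return 0;
}
```

The snapshot version rejects the tampered record because validation and use see the same bytes, while the double-fetch version returns an index its own check never saw.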