Re: [PATCH 2/6] firewire: ohci: fix Self ID Count register mask (safeguard against buffer overflow)

From: pageexec
Date: Mon Sep 07 2009 - 16:00:46 EST


On 6 Sep 2009 at 18:49, Stefan Richter wrote:

added stable as .30 is affected, possibly older kernels as well, i didn't check.

> The selfIDSize field of Self ID Count is 9 bits wide, and we are only
> interested in the high 8 bits. Fix the mask accordingly. The
> previously too large mask didn't do damage though because the next few
> bits in the register are reserved and therefore zero with presently
> existing hardware.

unless something prevents one from creating a malicious device,
i wouldn't be so sure about all existing hw ;).

> Also, check for the maximum possible self ID count of 252 (according to
> OHCI 1.1 clause 11.2 and IEEE 1394a-2000 clause 4.3.4.1, i.e. up to four
> self IDs of up to 63 nodes, even though IEEE 1394 up to edition 2008
> defines only up to three self IDs per node). More than 252 self IDs
> would only happen if the self ID receive DMA unit malfunctioned, which
> would likely be caught by other self ID buffer checks. However, check
> it early to be sure. More than 253 quadlets would overflow the Topology
> Map CSR.
>
> Reported-By: PaX Team
> Signed-off-by: Stefan Richter <stefanr@xxxxxxxxxxxxxxxxx>
> ---
> drivers/firewire/ohci.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Index: linux-2.6.31-rc9/drivers/firewire/ohci.c
> ===================================================================
> --- linux-2.6.31-rc9.orig/drivers/firewire/ohci.c
> +++ linux-2.6.31-rc9/drivers/firewire/ohci.c
> @@ -1279,8 +1279,8 @@ static void bus_reset_tasklet(unsigned l
> * the inverted quadlets and a header quadlet, we shift one
> * bit extra to get the actual number of self IDs.
> */
> - self_id_count = (reg >> 3) & 0x3ff;
> - if (self_id_count == 0) {
> + self_id_count = (reg >> 3) & 0xff;
> + if (self_id_count == 0 || self_id_count > 252) {
> fw_notify("inconsistent self IDs\n");
> return;
> }
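
Review bot: the "> 252" bound in the new if condition is a bare literal, and its derivation (up to four self IDs for each of up to 63 nodes, OHCI 1.1 clause 11.2) exists only in the changelog. A named constant, or one more line in the comment above the assignment citing that clause, would keep the limit understandable in the source. The zero-count and over-limit cases also share the single "inconsistent self IDs" message, so the log will not show which check fired; including self_id_count in the fw_notify() text would make a misbehaving or hostile device easier to diagnose.
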
>
> --
> Stefan Richter
> -=====-==--= =--= --==-
> http://arcgraph.de/sr/
>
>


