Re: [PATCH 2/2] USB: ehci: tegra: Align DMA transfers to 32 bytes

[Alan Stern]

On Mon, 24 Jan 2011 rmorell@xxxxxxxxxx wrote:

> > > +	if (dir == DMA_FROM_DEVICE && !status)
> > > +		memcpy(temp->old_xfer_buffer, temp->data,
> > > +			urb->transfer_buffer_length);
> > 
> > Even if status is nonzero, there may be valid data in the buffer.  You 
> > should skip that test.
> 
> Thanks for looking, Alan.  I added that test based on earlier feedback.
> I think the big concern here is security: if the URB fails in such a way
> that the buffer is not overwritten, then we may copy out freed kernel
> data to userspace.

Not to userspace, only to the driver that submitted the URB.  That 
driver must be part of the kernel.  For URBs that _do_ originate in 
userspace, by way of usbfs, the usbfs code is responsible for not 
leaking any kernel data.

> Are there specific status codes that I can check for here?

No.

>  I guess the
> only other option is to remove the direction check from the alloc path
> or alloc with GFP_ZERO.

You don't have to worry about this; it isn't a security concern.

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/