This is a note to let you know that I've just added the patch titled

     Subject: USB: usb-storage: don't access beyond the end of the sg buffer

to my gregkh-2.6 tree.  Its filename is

     usb-usb-storage-don-t-access-beyond-the-end-of-the-sg-buffer.patch

This tree can be found at 
    http://www.kernel.org/pub/linux/kernel/people/gregkh/gregkh-2.6/patches/


From [EMAIL PROTECTED]  Wed Feb 20 12:59:54 2008
From: Alan Stern <[EMAIL PROTECTED]>
Date: Wed, 20 Feb 2008 14:15:58 -0500 (EST)
Subject: USB: usb-storage: don't access beyond the end of the sg buffer
To: Greg KH <[EMAIL PROTECTED]>, Matthew Dharm <[EMAIL PROTECTED]>
Cc: Boaz Harrosh <[EMAIL PROTECTED]>, USB Storage list <[EMAIL PROTECTED]>, USB list <[email protected]>
Message-ID: <[EMAIL PROTECTED]>


This patch (as1035) fixes a bug in usb_stor_access_xfer_buf() (the bug
was originally found by Boaz Harrosh): The routine must not attempt to
write beyond the end of a scatter-gather list or beyond the number of
bytes requested.  It also fixes up the formatting of a few comments
and similar whitespace issues.

Signed-off-by: Alan Stern <[EMAIL PROTECTED]>
Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>

---
 drivers/usb/storage/protocol.c |   27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

--- a/drivers/usb/storage/protocol.c
+++ b/drivers/usb/storage/protocol.c
@@ -150,13 +150,14 @@ void usb_stor_transparent_scsi_command(s
 
 /* Copy a buffer of length buflen to/from the srb's transfer buffer.
  * Update the **sgptr and *offset variables so that the next copy will
- * pick up from where this one left off. */
-
+ * pick up from where this one left off.
+ */
 unsigned int usb_stor_access_xfer_buf(unsigned char *buffer,
        unsigned int buflen, struct scsi_cmnd *srb, struct scatterlist **sgptr,
        unsigned int *offset, enum xfer_buf_dir dir)
 {
        unsigned int cnt;
+       struct scatterlist *sg = *sgptr;
 
        /* We have to go through the list one entry
         * at a time.  Each s-g entry contains some number of pages, and
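Review bot: the `struct scatterlist *sg = *sgptr;` added after `unsigned int cnt;` is the same declaration removed below the kmap() comment in the following hunk, so this hunk is a declaration move plus comment reflow with no behavioural change; since the patch also carries the real fix in the loop condition, it would be easier to review (and to backport to stable) if the comment-closer and whitespace changes were split into a separate cleanup patch, as the commit message itself admits they are unrelated.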
@@ -164,22 +165,23 @@ unsigned int usb_stor_access_xfer_buf(un
         * in kernel-addressable memory then kmap() will return its address.
         * If the page is not directly accessible -- such as a user buffer
         * located in high memory -- then kmap() will map it to a temporary
-        * position in the kernel's virtual address space. */
-       struct scatterlist *sg = *sgptr;
+        * position in the kernel's virtual address space.
+        */
 
        if (!sg)
                sg = scsi_sglist(srb);
+       buflen = min(buflen, scsi_bufflen(srb));
 
        /* This loop handles a single s-g list entry, which may
-               * include multiple pages.  Find the initial page structure
-               * and the starting offset within the page, and update
-               * the *offset and **sgptr values for the next loop. */
+        * include multiple pages.  Find the initial page structure
+        * and the starting offset within the page, and update
+        * the *offset and **sgptr values for the next loop.
+        */
        cnt = 0;
-       while (cnt < buflen) {
+       while (cnt < buflen && sg) {
                struct page *page = sg_page(sg) +
                                ((sg->offset + *offset) >> PAGE_SHIFT);
-               unsigned int poff =
-                               (sg->offset + *offset) & (PAGE_SIZE-1);
+               unsigned int poff = (sg->offset + *offset) & (PAGE_SIZE-1);
                unsigned int sglen = sg->length - *offset;
 
                if (sglen > buflen - cnt) {
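Review bot: `buflen = min(buflen, scsi_bufflen(srb));` clamps against the whole transfer length rather than the bytes remaining after `*offset` and `*sgptr`, which the header comment says callers use to resume a copy where the previous one left off, so for a resumed call the clamp alone would still allow a request that runs past the end; the new `&& sg` test in `while (cnt < buflen && sg)` is what actually stops the walk once the list is exhausted, and it should stay even if the clamp is later tightened to the remaining length. The min() is fine as written only because `buflen` and the value compared against it are both `unsigned int` (the residue arithmetic in usb_stor_set_xfer_buf relies on the same types); a comment noting that the clamp is the "beyond the number of bytes requested" half of the fix and the `sg` guard the "beyond the end of the list" half would make the intent obvious.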
@@ -222,14 +224,15 @@ unsigned int usb_stor_access_xfer_buf(un
 }
 
 /* Store the contents of buffer into srb's transfer buffer and set the
- * SCSI residue. */
+ * SCSI residue.
+ */
 void usb_stor_set_xfer_buf(unsigned char *buffer,
        unsigned int buflen, struct scsi_cmnd *srb)
 {
        unsigned int offset = 0;
        struct scatterlist *sg = NULL;
 
-       usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
+       buflen = usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
                        TO_XFER_BUF);
        if (buflen < scsi_bufflen(srb))
                scsi_set_resid(srb, scsi_bufflen(srb) - buflen);
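Review bot: storing the return value into the `buflen` parameter in `buflen = usb_stor_access_xfer_buf(...)` makes `scsi_set_resid()` report the bytes actually copied instead of the bytes requested, which is the right fix now that the callee can copy less than asked, but reusing the parameter name hides that change of meaning; a separate `unsigned int copied` assigned from the call, with the `if (copied < scsi_bufflen(srb))` test below it, would read more clearly, and a one-line comment that the residue is computed from the copied count would save the next reader from checking the callee.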


Patches currently in gregkh-2.6 which might be from [EMAIL PROTECTED] are

driver/cpufreq-fix-kobject-reference-count-handling.patch
driver/pm-remove-unbalanced-mutex_unlock-from-dpm_resume.patch
usb/usb-convert-usb.h-struct-usb_device-to-kernel-doc.patch
usb/usb-make-usb_storage_onetouch-available-with-pm.patch
usb/usb-usb-ohci-sm501-driver-use-the-conventional-convention-for-suspend-and-resume.patch
usb/usb-quirks-and-unusual_devs-entry-for-actions-flash-drive.patch
usb/usb-usb-storage-don-t-clear-halt-when-get-max-lun-stalls.patch
usb/usb-usb-storage-don-t-access-beyond-the-end-of-the-sg-buffer.patch
usb/usb-usb-storage-unusual_devs-entry-for-oracom-mp3-player.patch