On Mon, Jun 23, 2008 at 11:04 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote: > On Fri, 20 Jun 2008, James Bottomley wrote: > >> Yes, thanks. It's a bit nasty from a security point of view, since the >> leaking data apparently belonged to a different command. Wouldn't a >> better fix (and a more secure one) be to clear from the end of the valid >> data to the end of the buffer? > > Here's the promised patch. Maciej and Peter, please try it out. > > Alan Stern > > > Index: usb-2.6/drivers/scsi/scsi_lib.c > =================================================================== > --- usb-2.6.orig/drivers/scsi/scsi_lib.c > +++ usb-2.6/drivers/scsi/scsi_lib.c > @@ -207,6 +207,15 @@ int scsi_execute(struct scsi_device *sde > */ > blk_execute_rq(req->q, NULL, req, 1); > > + /* > + * Some devices (USB mass-storage in particular) may transfer > + * garbage data together with a residue indicating that the data > + * is invalid. Prevent the garbage from being misinterpreted > + * and prevent security leaks by zeroing out the excess data. > + */ > + if (unlikely(req->data_len > 0 && req->data_len <= bufflen)) > + memset(buffer + (bufflen - req->data_len), 0, req->data_len); > + > ret = req->errors; > out: > blk_put_request(req); > > Yes, it worked (based on latest linus git tree) the before and after patch dmesg are as follows: [ 387.015562] scsi 3:0:0:0: Direct-Access WD 1600BEAExternal 1.02 PQ: 0 ANSI: 0 [ 387.018563] sd 3:0:0:0: [sde] 312581808 512-byte hardware sectors (160042 MB) [ 387.018573] sd 3:0:0:0: [sde] Write Protect is on [ 387.018583] sd 3:0:0:0: [sde] Mode Sense: 12 a1 9e af [ 387.018589] sd 3:0:0:0: [sde] Assuming drive cache: write through [ 387.020182] sd 3:0:0:0: [sde] 312581808 512-byte hardware sectors (160042 MB) [ 387.020602] sd 3:0:0:0: [sde] Write Protect is on [ 387.020602] sd 3:0:0:0: [sde] Mode Sense: 12 a1 9e af [ 387.020602] sd 3:0:0:0: [sde] Assuming drive cache: write through [ 387.020602] sde: sde1 sde2 sde3 < sde5 > sde4 [ 387.094903] sd 3:0:0:0: [sde] Attached SCSI disk [ 387.095304] sd 3:0:0:0: Attached scsi generic sg4 type 0 After patching and recompiling and reboot: [ 230.281708] sd 3:0:0:0: [sdd] 312581808 512-byte hardware sectors (160042 MB) [ 230.282708] sd 3:0:0:0: [sdd] Write Protect is off [ 230.282708] sd 3:0:0:0: [sdd] Mode Sense: 00 00 00 00 [ 230.282708] sd 3:0:0:0: [sdd] Assuming drive cache: write through [ 230.283708] sd 3:0:0:0: [sdd] 312581808 512-byte hardware sectors (160042 MB) [ 230.284709] sd 3:0:0:0: [sdd] Write Protect is off [ 230.284709] sd 3:0:0:0: [sdd] Mode Sense: 00 00 00 00 [ 230.284709] sd 3:0:0:0: [sdd] Assuming drive cache: write through [ 230.284709] sdd: sdd1 sdd2 sdd3 < sdd5 > sdd4 [ 230.364830] sd 3:0:0:0: [sdd] Attached SCSI disk Thank you very much Alan. -- Regards, Peter Teoh -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
