Re: [PATCH 2/2] USB: ehci: tegra: Align DMA transfers to 32 bytes

On Mon, 24 Jan 2011 rmorell@xxxxxxxxxx wrote:

> > > +	if (dir == DMA_FROM_DEVICE && !status)
> > > +		memcpy(temp->old_xfer_buffer, temp->data,
> > > +			urb->transfer_buffer_length);
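Review bot: the memcpy length is urb->transfer_buffer_length, so on a short IN transfer the copy-back also includes the tail of temp->data that the device never wrote. Bounding the copy by urb->actual_length (at least for non-isochronous transfers) would return only the bytes actually received, and it would make the !status test unnecessary for that purpose, since a failed URB with partial data would still have its valid bytes copied.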
> > 
> > Even if status is nonzero, there may be valid data in the buffer.  You 
> > should skip that test.
> 
> Thanks for looking, Alan.  I added that test based on earlier feedback.
> I think the big concern here is security: if the URB fails in such a way
> that the buffer is not overwritten, then we may copy out freed kernel
> data to userspace.

Not to userspace, only to the driver that submitted the URB.  That 
driver must be part of the kernel.  For URBs that _do_ originate in 
userspace, by way of usbfs, the usbfs code is responsible for not 
leaking any kernel data.

> Are there specific status codes that I can check for here?

No.

>  I guess the
> only other option is to remove the direction check from the alloc path
> or alloc with GFP_ZERO.

You don't have to worry about this; it isn't a security concern.

Alan Stern
