[Precise][CVE-2013-2140 1/1] xen/blkback: Check device permissions before allowing OP_DISCARD

Luis Henriques luis.henriques at canonical.com
Tue Oct 22 14:22:51 UTC 2013


From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>

BugLink: http://bugs.launchpad.net/bugs/1091187

CVE-2013-2140

We need to make sure that the device is not RO or that
the request is not past the number of sectors we want to
issue the DISCARD operation for.

This fixes CVE-2013-2140.

Cc: stable at vger.kernel.org
Acked-by: Jan Beulich <JBeulich at suse.com>
Acked-by: Ian Campbell <Ian.Campbell at citrix.com>
[v1: Made it pr_warn instead of pr_debug]
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
(back ported from commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 drivers/block/xen-blkback/blkback.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index 2232b85..70cd614 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -426,6 +426,18 @@ static void xen_blk_discard(struct xen_blkif *blkif, struct blkif_request *req)
 	int err = 0;
 	int status = BLKIF_RSP_OKAY;
 	struct block_device *bdev = blkif->vbd.bdev;
+	struct phys_req preq;
+
+	preq.sector_number = req->u.discard.sector_number;
+	preq.nr_sects      = req->u.discard.nr_sectors;
+
+	err = xen_vbd_translate(&preq, blkif, WRITE);
+	if (err) {
+		pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
+			preq.sector_number,
+			preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
+		goto fail_response;
+	}
 
 	if (blkif->blk_backend_type == BLKIF_BACKEND_PHY)
 		/* just forward the discard request */
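Review bot: the pr_warn in the new `if (err)` branch is not rate limited, and it runs once for every rejected request with sector values taken straight from the frontend's request, so a misbehaving guest can fill the backend log. A rate-limited variant such as pr_warn_ratelimited would keep the diagnostic without that cost. The message also prints `preq.sector_number + preq.nr_sects`, which can wrap for large values and make the logged range misleading. xen_vbd_translate is not part of this diff, so it is worth confirming that the version in this tree rejects a wrapped end sector in addition to the read-only and size checks the commit message describes.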
@@ -448,6 +460,7 @@ static void xen_blk_discard(struct xen_blkif *blkif, struct blkif_request *req)
 	} else
 		err = -EOPNOTSUPP;
 
+fail_response:
 	if (err == -EOPNOTSUPP) {
 		pr_debug(DRV_PFX "discard op failed, not supported\n");
 		status = BLKIF_RSP_EOPNOTSUPP;
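Review bot: the `fail_response:` label sits directly in front of the `err == -EOPNOTSUPP` test, and the visible context does not show how any other non-zero err is turned into a response status. Since the new early exit arrives here with whatever xen_vbd_translate returned, please confirm that the following branch in this backported tree sets an error status for that value, so a denied DISCARD is never answered with the initial BLKIF_RSP_OKAY. A short comment at the label saying it is shared by the permission failure and the normal completion path would help the next backporter.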
-- 
1.8.3.2



