[Precise][CVE-2013-2140 1/1] xen/blkback: Check device permissions before allowing OP_DISCARD

Stefan Bader stefan.bader at canonical.com
Tue Oct 22 15:13:32 UTC 2013


On 22.10.2013 16:22, Luis Henriques wrote:
> From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
> 
> BugLink: http://bugs.launchpad.net/bugs/1091187
> 
> CVE-2013-2140
> 
> We need to make sure that the device is not RO or that
> the request is not past the number of sectors we want to
> issue the DISCARD operation for.
> 
> This fixes CVE-2013-2140.
> 
> Cc: stable at vger.kernel.org
> Acked-by: Jan Beulich <JBeulich at suse.com>
> Acked-by: Ian Campbell <Ian.Campbell at citrix.com>
> [v1: Made it pr_warn instead of pr_debug]
> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
> (back ported from commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109)
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  drivers/block/xen-blkback/blkback.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
> index 2232b85..70cd614 100644
> --- a/drivers/block/xen-blkback/blkback.c
> +++ b/drivers/block/xen-blkback/blkback.c
> @@ -426,6 +426,18 @@ static void xen_blk_discard(struct xen_blkif *blkif, struct blkif_request *req)
>  	int err = 0;
>  	int status = BLKIF_RSP_OKAY;
>  	struct block_device *bdev = blkif->vbd.bdev;
> +	struct phys_req preq;
> +
> +	preq.sector_number = req->u.discard.sector_number;
> +	preq.nr_sects      = req->u.discard.nr_sectors;
> +
> +	err = xen_vbd_translate(&preq, blkif, WRITE);
> +	if (err) {
> +		pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
> +			preq.sector_number,
> +			preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
> +		goto fail_response;
> +	}
>  
>  	if (blkif->blk_backend_type == BLKIF_BACKEND_PHY)
>  		/* just forward the discard request */
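Review bot: the pr_warn in the new if (err) branch has no rate limit, and the sector_number and nr_sectors values that xen_vbd_translate rejects are copied directly from req->u.discard, so every rejected request from a frontend produces one host log line. Consider pr_warn_ratelimited here, or justify the warn level against the pr_debug that the "[v1: ...]" changelog line says was replaced. Separately, the logged range end is computed as preq.sector_number + preq.nr_sects, which can wrap for large request values and print an end below the start; logging the start and the count would avoid that.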
> @@ -448,6 +460,7 @@ static void xen_blk_discard(struct xen_blkif *blkif, struct blkif_request *req)
>  	} else
>  		err = -EOPNOTSUPP;
>  
> +fail_response:
>  	if (err == -EOPNOTSUPP) {
>  		pr_debug(DRV_PFX "discard op failed, not supported\n");
>  		status = BLKIF_RSP_EOPNOTSUPP;
> 
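Review bot: the fail_response label lands on the err-to-status mapping, whose first test is err == -EOPNOTSUPP, while status still holds BLKIF_RSP_OKAY from its initializer. The response sent for a denied discard therefore depends on which value xen_vbd_translate returns and on branches below the visible context. Setting status = BLKIF_RSP_ERROR explicitly in the new if (err) block before the goto would ensure a denial is never reported as OKAY or as "not supported", and would keep the "discard op failed, not supported" debug message from being printed for an access failure.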

Maybe it does not do any harm to add that check here as well. Though there seems
to be something very similar being done in the 3.2 function dispatch_rw_block_io
which then calls xen_blk_discard... Just above, between checking for
BLKIF_OP_DISCARD and handling the REQ_DISCARD.



