[Precise][CVE-2013-2140 1/1] xen/blkback: Check device permissions before allowing OP_DISCARD
Stefan Bader
stefan.bader at canonical.com
Tue Oct 22 15:13:32 UTC 2013
On 22.10.2013 16:22, Luis Henriques wrote:
> From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
>
> BugLink: http://bugs.launchpad.net/bugs/1091187
>
> CVE-2013-2140
>
> We need to make sure that the device is not RO or that
> the request is not past the number of sectors we want to
> issue the DISCARD operation for.
>
> This fixes CVE-2013-2140.
>
> Cc: stable at vger.kernel.org
> Acked-by: Jan Beulich <JBeulich at suse.com>
> Acked-by: Ian Campbell <Ian.Campbell at citrix.com>
> [v1: Made it pr_warn instead of pr_debug]
> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
> (back ported from commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109)
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> drivers/block/xen-blkback/blkback.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
> index 2232b85..70cd614 100644
> --- a/drivers/block/xen-blkback/blkback.c
> +++ b/drivers/block/xen-blkback/blkback.c
> @@ -426,6 +426,18 @@ static void xen_blk_discard(struct xen_blkif *blkif, struct blkif_request *req)
> int err = 0;
> int status = BLKIF_RSP_OKAY;
> struct block_device *bdev = blkif->vbd.bdev;
> + struct phys_req preq;
> +
> + preq.sector_number = req->u.discard.sector_number;
> + preq.nr_sects = req->u.discard.nr_sectors;
> +
> + err = xen_vbd_translate(&preq, blkif, WRITE);
> + if (err) {
> + pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
> + preq.sector_number,
> + preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
> + goto fail_response;
> + }
>
> if (blkif->blk_backend_type == BLKIF_BACKEND_PHY)
> /* just forward the discard request */
> @@ -448,6 +460,7 @@ static void xen_blk_discard(struct xen_blkif *blkif, struct blkif_request *req)
> } else
> err = -EOPNOTSUPP;
>
> +fail_response:
> if (err == -EOPNOTSUPP) {
> pr_debug(DRV_PFX "discard op failed, not supported\n");
> status = BLKIF_RSP_EOPNOTSUPP;
>
Maybe it does not do any harm to add that check here as well. Though there seems
to be something very similar being done in the 3.2 function dispatch_rw_block_io
which then calls xen_blk_discard... Just above, between checking for
BLKIF_OP_DISCARD and handling the REQ_DISCARD.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20131022/29f01635/attachment.sig>
More information about the kernel-team
mailing list