[Precise][CVE-2013-2140 1/1] xen/blkback: Check device permissions before allowing OP_DISCARD

Seth Forshee seth.forshee at canonical.com
Tue Oct 22 15:31:12 UTC 2013 

On Tue, Oct 22, 2013 at 03:22:51PM +0100, Luis Henriques wrote:
> From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
> 
> BugLink: http://bugs.launchpad.net/bugs/1091187
> 
> CVE-2013-2140
> 
> We need to make sure that the device is not RO or that
> the request is not past the number of sectors we want to
> issue the DISCARD operation for.
> 
> This fixes CVE-2013-2140.
> 
> Cc: stable at vger.kernel.org
> Acked-by: Jan Beulich <JBeulich at suse.com>
> Acked-by: Ian Campbell <Ian.Campbell at citrix.com>
> [v1: Made it pr_warn instead of pr_debug]
> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
> (back ported from commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109)
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  drivers/block/xen-blkback/blkback.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
> index 2232b85..70cd614 100644
> --- a/drivers/block/xen-blkback/blkback.c
> +++ b/drivers/block/xen-blkback/blkback.c
> @@ -426,6 +426,18 @@ static void xen_blk_discard(struct xen_blkif *blkif, struct blkif_request *req)
>  	int err = 0;
>  	int status = BLKIF_RSP_OKAY;
>  	struct block_device *bdev = blkif->vbd.bdev;
> +	struct phys_req preq;
> +
> +	preq.sector_number = req->u.discard.sector_number;
> +	preq.nr_sects      = req->u.discard.nr_sectors;
> +
> +	err = xen_vbd_translate(&preq, blkif, WRITE);
> +	if (err) {
> +		pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
> +			preq.sector_number,
> +			preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
> +		goto fail_response;
> +	}

There's a similar check in dispatch_rw_block_io(), but it's assuming a
read/write request rather than discard and only guarantees that the
start of the request is okay. But you must pass through that check to
get to xen_blk_discard(), so you end up running the check twice. It
doesn't look that expensive, but you could avoid doing it twice by
setting preq.{sector_number,nr_sects} in dispatch_rw_block_io() based on
the request type to ensure proper validation on discard.

More information about the kernel-team mailing list