[Precise][CVE-2013-2140 1/1] xen/blkback: Check device permissions before allowing OP_DISCARD

Luis Henriques luis.henriques at canonical.com
Wed Oct 23 09:55:30 UTC 2013


From: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>

BugLink: http://bugs.launchpad.net/bugs/1091187

CVE-2013-2140

We need to make sure that the device is not RO or that
the request is not past the number of sectors we want to
issue the DISCARD operation for.

This fixes CVE-2013-2140.

Cc: stable at vger.kernel.org
Acked-by: Jan Beulich <JBeulich at suse.com>
Acked-by: Ian Campbell <Ian.Campbell at citrix.com>
[v1: Made it pr_warn instead of pr_debug]
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
(back ported from commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 drivers/block/xen-blkback/blkback.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index 2232b85..8cac42f 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -666,8 +666,18 @@ static int dispatch_rw_block_io(struct xen_blkif *blkif,
 	}
 
 	preq.dev           = req->handle;
-	preq.sector_number = req->u.rw.sector_number;
-	preq.nr_sects      = 0;
+	if (operation == REQ_DISCARD) {
+		/*
+		 * It's safe to initialise preq.nr_sects here because the
+		 * 'for' loop below won't iterate as req->nr_segments = 0
+		 * (see blkif_queue_request)
+		 */
+		preq.sector_number = req->u.discard.sector_number;
+		preq.nr_sects      = req->u.discard.nr_sectors;
+	} else {
+		preq.sector_number = req->u.rw.sector_number;
+		preq.nr_sects      = 0;
+	}
 
 	pending_req->blkif     = blkif;
 	pending_req->id        = req->id;
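Review bot: the comment in the new REQ_DISCARD branch justifies setting preq.nr_sects early by pointing at blkif_queue_request, which is frontend code, so the safety argument depends on the guest behaving as the in-tree frontend does. req comes off the ring from the guest, and nothing in this hunk enforces req->nr_segments == 0 for a discard. If nr_segments were non-zero, the 'for' loop the comment mentions would run with preq.nr_sects already holding req->u.discard.nr_sectors. I would either reject a discard request with a non-zero req->nr_segments before this point, or reword the comment to cite the backend check that guarantees it, if one exists above the hunk. Separately, the commit message carries the upstream note "[v1: Made it pr_warn instead of pr_debug]", but no pr_warn appears in this backported hunk. It would help to say in the backport note what was dropped or adapted relative to commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109, and to state that the RO and range check itself is done by existing code that consumes preq, since the visible change only populates preq.sector_number and preq.nr_sects.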
-- 
1.8.3.2



