[SRU][F/B/X][CVE-2020-25284][PATCH 0/1] rbd: require global CAP_SYS_ADMIN for mapping and unmapping
William Breathitt Gray
william.gray at canonical.com
Fri Sep 25 15:12:19 UTC 2020

The rbd block device driver in drivers/block/rbd.c in the Linux kernel
through 5.8.9 used incomplete permission checking for access to rbd
devices, which could be leveraged by local attackers to map or unmap rbd
block devices, aka CID-f44d04e696fe.

Regression potential is low. This fix simply checks if the proper
permission is held; the only users affected by this change will be those
who should not have access to rbd devices in the first place.

It's a simple cherry-pick for Focal and Bionic. The Xenial backport
consisted of just removing the changes for sysfs attributes that do not
exist in Xenial; the only affected sysfs attribute is 'refresh'.

Ilya Dryomov (1):
  rbd: require global CAP_SYS_ADMIN for mapping and unmapping

 drivers/block/rbd.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)