[SRU][F/B/X][CVE-2020-25284][PATCH 0/1] rbd: require global CAP_SYS_ADMIN for mapping and unmapping
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Fri Sep 25 15:23:25 UTC 2020
On Fri, Sep 25, 2020 at 11:12:19AM -0400, William Breathitt Gray wrote:
> SRU Justification
> =================
>
> [Impact]
>
> The rbd block device driver in drivers/block/rbd.c in the Linux kernel
> through 5.8.9 used incomplete permission checking for access to rbd
> devices, which could be leveraged by local attackers to map or unmap rbd
> block devices, aka CID-f44d04e696fe.
>
> [Regression Potential]
>
> Regression potential is low. This fix simply checks if the proper
> permission is held; the only users affected by this change will be those
> who should not have access to rbd devices in the first place.
>
> [Miscellaneous]
>
> It's a simple cherry-pick for Focal and Bionic. The Xenial backport
> consisted of just removing the changes for sysfs attributes that do not
> exist in Xenial; the only affected sysfs attribute is 'refresh'.
>
Xenial still has do_rbd_add and do_rbd_remove. Only rbd_config_info_show is not
there. Anything I am missing here?
Cascardo.
> Ilya Dryomov (1):
> rbd: require global CAP_SYS_ADMIN for mapping and unmapping
>
> drivers/block/rbd.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> --
> 2.25.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team