NACK: [SRU][F/B/X][CVE-2020-25284][PATCH 0/1] rbd: require global CAP_SYS_ADMIN for mapping and unmapping
William Breathitt Gray
william.gray at canonical.com
Fri Sep 25 15:27:36 UTC 2020
On Fri, Sep 25, 2020 at 12:23:25PM -0300, Thadeu Lima de Souza Cascardo wrote:
> On Fri, Sep 25, 2020 at 11:12:19AM -0400, William Breathitt Gray wrote:
> > SRU Justification
> > =================
> >
> > [Impact]
> >
> > The rbd block device driver in drivers/block/rbd.c in the Linux kernel
> > through 5.8.9 used incomplete permission checking for access to rbd
> > devices, which could be leveraged by local attackers to map or unmap rbd
> > block devices, aka CID-f44d04e696fe.
> >
> > [Regression Potential]
> >
> > Regression potential is low. This fix simply checks if the proper
> > permission is held; the only users affected by this change will be those
> > who should not have access to rbd devices in the first place.
> >
> > [Miscellaneous]
> >
> > It's a simple cherry-pick for Focal and Bionic. The Xenial backport
> > consisted of just removing the changes for sysfs attributes that do not
> > exist in Xenial; the only affected sysfs attribute is 'refresh'.
> >
>
> Xenial still has do_rbd_add and do_rbd_remove. Only rbd_config_info_show is not
> there. Anything I am missing here?
>
> Cascardo.

You're right, I somehow missed these. I'll submit a version 2 after a
retest.

Thanks,

William Breathitt Gray