author | Josh Boyer <jwboyer@redhat.com> | 2013-06-05 16:10:51 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@redhat.com> | 2013-06-05 16:14:31 -0400 |
commit | 0bb05f83a2459ab4d8b89fb40a05bf374ffdace7 (patch) | |
tree | cf96eac7ff02c068f36cd4d8f88cf83989fee942 /xen-blkback-Check-device-permissions-before-allowing.patch | |
parent | bc6523eec2d2bc64fe0705620dea34fa383f3bcf (diff) | |
CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148)
Diffstat (limited to 'xen-blkback-Check-device-permissions-before-allowing.patch')
-rw-r--r-- | xen-blkback-Check-device-permissions-before-allowing.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/xen-blkback-Check-device-permissions-before-allowing.patch b/xen-blkback-Check-device-permissions-before-allowing.patch
new file mode 100644
index 000000000..933e82890
--- /dev/null
+++ b/xen-blkback-Check-device-permissions-before-allowing.patch
@@ -0,0 +1,54 @@
+From e029d62efa5eb46831a9e1414468e582379b743f Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk () oracle com>
+Date: Wed, 16 Jan 2013 11:33:52 -0500
+Subject: [PATCH] xen/blkback: Check device permissions before allowing
+ OP_DISCARD
+
+We need to make sure that the device is not RO or that
+the request is not past the number of sectors we want to
+issue the DISCARD operation for.
+
+Cc: stable () vger kernel org
+Acked-by: Jan Beulich <JBeulich () suse com>
+Acked-by: Ian Campbell <Ian.Campbell () citrix com>
+[v1: Made it pr_warn instead of pr_debug]
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk () oracle com>
+---
+ drivers/block/xen-blkback/blkback.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
+index e79ab45..4119bcd 100644
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
+ int status = BLKIF_RSP_OKAY;
+ struct block_device *bdev = blkif->vbd.bdev;
+ unsigned long secure;
++ struct phys_req preq;
++
++ preq.sector_number = req->u.discard.sector_number;
++ preq.nr_sects = req->u.discard.nr_sectors;
+
++ err = xen_vbd_translate(&preq, blkif, WRITE);
++ if (err) {
++ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
++ preq.sector_number,
++ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
++ goto fail_response;
++ }
+ blkif->st_ds_req++;
+
+ xen_blkif_get(blkif);
+@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
+ err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
+ req->u.discard.nr_sectors,
+ GFP_KERNEL, secure);
+-
++fail_response:
+ if (err == -EOPNOTSUPP) {
+ pr_debug(DRV_PFX "discard op failed, not supported\n");
+ status = BLKIF_RSP_EOPNOTSUPP;
+--
+1.8.1.4
+ |
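Review bot: The new `goto fail_response` in dispatch_discard_io is taken before `xen_blkif_get(blkif)`, so the denial path reaches the shared tail without holding a reference. If the code after the label, which lies outside the hunk, calls `xen_blkif_put(blkif)`, every rejected DISCARD would drop a reference that was never taken. Moving `xen_blkif_get(blkif);` above the `xen_vbd_translate()` call would keep get and put balanced on both paths. The `pr_warn` on the denial path fires once per rejected request from the frontend, so `pr_warn_ratelimited` would keep a misbehaving guest from flooding the backend log. The body of dispatch_discard_io starts and ends outside the quoted hunks.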