lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4EF38269.7080804@redhat.com>
Date:	Thu, 22 Dec 2011 20:18:01 +0100
From:	Paolo Bonzini <pbonzini@...hat.com>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
CC:	linux-kernel@...r.kernel.org, security@...nel.org,
	pmatouse@...hat.com, agk@...hat.com, jbottomley@...allels.com,
	mchristi@...hat.com, msnitzer@...hat.com
Subject: Re: [PATCH 2/3] block: fail SCSI passthrough ioctls on partition
 devices

On 12/22/2011 07:37 PM, Linus Torvalds wrote:
> On Thu, Dec 22, 2011 at 10:02 AM, Paolo Bonzini<pbonzini@...hat.com>  wrote:
>> Linux allows executing the SG_IO ioctl on a partition or even on an
>> LVM volume, and will pass the command to the underlying block device.
>> This is well-known, but it is also a large security problem when (via
>> Unix permissions, ACLs, SELinux or a combination thereof) a program or
>> user needs to be granted access to a particular partition or logical
>> volume but not to the full device.
>
> So who actually *does* this in practice?

Virtualization, as explained in the cover letter.

>> +       /* In particular, rule out all resets and host-specific ioctls.  */
>> +       return -ENOTTY;
>
> This kind of crazy needs to go away.

What crazy?  It's not a permission problem.  Sending a SCSI command to a 
partition makes no sense.  A permission problem implies that somehow you 
should be able to fix it by granting additional permissions, which is 
not the case here.

> If it's a permission problem, state that. Don't turn it into ENOTTY that then:
>
>> +               return ret == -ENOTTY ? -ENOIOCTLCMD : ret;
>
> gets turned into another random error number.

That's existing craziness of the compat_ioctl mechanism:

/* Most of the generic ioctls are handled in the normal fallback path.
    This assumes the blkdev's low level compat_ioctl always returns
    ENOIOCTLCMD for unknown ioctls. */

The logic is quite intricate:

1. process generic block layer ioctls that require compat handling 
(compat_blkdev_ioctl)

2. process device-specific ioctls that require special 32-on-64 
handling, whose implementation is outside block/ (sd_compat_ioctl).

3. process device-specific ioctls that require special 32-on-64 
handling, whose implementation is in block/compat_ioctl.c 
(compat_blkdev_driver_ioctl).

4. fallback to the normal ioctl implementation for ioctls that do not 
require 32-on-64 (__blkdev_driver_ioctl).

If I return ENOTTY (or EPERM for that matter: anything but ENOIOCTLCMD), 
then I rule out execution of steps 3 and especially 4.  This means 
32-on-64 systems will get ENOTTY for BLKGETSIZE64 and will fail to boot.

Paolo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ