| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 May 2013 15:58:23 +0200 From: Paolo Bonzini <pbonzini@...hat.com> To: linux-kernel@...r.kernel.org Cc: tj@...nel.org, stable@....org, "James E.J. Bottomley" <JBottomley@...allels.com>, linux-scsi@...r.kernel.org, Jens Axboe <axboe@...nel.dk> Subject: [PATCH v3 part1 4/4] sg_io: resolve conflicts between commands assigned to multiple classes (CVE-2012-4542) Some SCSI commands can be sent to disks via SG_IO even by unprivileged users. Unfortunately, some opcodes overlap across SCSI device classes and have different meanings for different classes. Four of them can be used for read-only file descriptors on MMC, but should be limited to descriptors opened for read-write on SBC: - READ SUBCHANNEL <-> UNMAP (destructive, but no control on written data) - GET PERFORMANCE <-> ERASE (not really a problem, no one supports ERASE anyway) - READ DISC INFORMATION <-> XPWRITE (not commonly implemented but most dangerous) - PLAY AUDIO TI <-> SANITIZE (a very new command) In addition, REPORT KEY's opcode A4h is used in SPC for SET TARGET PORT GROUPS and various other management commands, and should be blocked for everything except CD-ROMs and the like. To fix this, the series modifies the bitmap entries for these five commands. This is the smallest change that fixes this bug. Cc: stable@....org Cc: "James E.J. Bottomley" <JBottomley@...allels.com> Cc: linux-scsi@...r.kernel.org Cc: Jens Axboe <axboe@...nel.dk> Signed-off-by: Paolo Bonzini <pbonzini@...hat.com> --- block/scsi_ioctl.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c index 6e18156..7a1d9f6 100644 --- a/block/scsi_ioctl.c +++ b/block/scsi_ioctl.c @@ -199,6 +199,32 @@ static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter) sgio_bitmap_set(GPCMD_SET_STREAMING, write); sgio_bitmap_set(GPCMD_SET_READ_AHEAD, write); #undef sgio_bitmap_set + + /* + * Treat specially those commands that have a different meaning + * for disks: READ SUBCHANNEL conflicts with UNMAP. + */ + filter->read_ok[GPCMD_READ_SUBCHANNEL] &= ~(1 << TYPE_DISK); + filter->write_ok[GPCMD_READ_SUBCHANNEL] |= (1 << TYPE_DISK); + + /* PLAY AUDIO TI conflicts with SANITIZE. */ + filter->read_ok[GPCMD_PLAY_AUDIO_TI] &= ~((1 << TYPE_DISK) | (1 << TYPE_RBC)); + filter->write_ok[GPCMD_PLAY_AUDIO_TI] |= (1 << TYPE_DISK) | (1 << TYPE_RBC); + + /* READ DISC INFORMATION conflicts with XPWRITE. */ + filter->read_ok[GPCMD_READ_DISC_INFO] &= ~(1 << TYPE_DISK); + filter->write_ok[GPCMD_READ_DISC_INFO] |= (1 << TYPE_DISK); + + /* GET PERFORMANCE conflicts with ERASE. */ + filter->read_ok[GPCMD_GET_PERFORMANCE] &= ~(1 << TYPE_MOD); + filter->write_ok[GPCMD_GET_PERFORMANCE] |= (1 << TYPE_MOD); + + /* + * REPORT KEY conflicts with many management commands under operation + * code 0xA4, enable it only for MMC devices. + */ + filter->read_ok[GPCMD_REPORT_KEY] = (1 << TYPE_ROM); + filter->write_ok[GPCMD_REPORT_KEY] = (1 << TYPE_ROM); } int blk_verify_command(struct request_queue *q, -- 1.8.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists