From: Paolo Bonzini <pbonzini@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, security@kernel.org,
pmatouse@redhat.com, agk@redhat.com, jbottomley@parallels.com,
mchristi@redhat.com, msnitzer@redhat.com
Subject: Re: [PATCH 2/3] block: fail SCSI passthrough ioctls on partition devices
Date: Thu, 22 Dec 2011 20:18:01 +0100 [thread overview]
Message-ID: <4EF38269.7080804@redhat.com> (raw)
In-Reply-To: <CA+55aFzAo5hjCkKe1aaHgyCYc6RYRb8tf+zPTUwO6R8WWd9T-Q@mail.gmail.com>
On 12/22/2011 07:37 PM, Linus Torvalds wrote:
> On Thu, Dec 22, 2011 at 10:02 AM, Paolo Bonzini<pbonzini@redhat.com> wrote:
>> Linux allows executing the SG_IO ioctl on a partition or even on an
>> LVM volume, and will pass the command to the underlying block device.
>> This is well-known, but it is also a large security problem when (via
>> Unix permissions, ACLs, SELinux or a combination thereof) a program or
>> user needs to be granted access to a particular partition or logical
>> volume but not to the full device.
>
> So who actually *does* this in practice?
Virtualization, as explained in the cover letter.
>> + /* In particular, rule out all resets and host-specific ioctls. */
>> + return -ENOTTY;
>
> This kind of crazy needs to go away.
What crazy? It's not a permission problem. Sending a SCSI command to a
partition makes no sense. A permission problem implies that somehow you
should be able to fix it by granting additional permissions, which is
not the case here.
> If it's a permission problem, state that. Don't turn it into ENOTTY that then:
>
>> + return ret == -ENOTTY ? -ENOIOCTLCMD : ret;
>
> gets turned into another random error number.
That's existing craziness of the compat_ioctl mechanism:
/* Most of the generic ioctls are handled in the normal fallback path.
This assumes the blkdev's low level compat_ioctl always returns
ENOIOCTLCMD for unknown ioctls. */
The logic is quite intricate:
1. process generic block layer ioctls that require compat handling
(compat_blkdev_ioctl)
2. process device-specific ioctls that require special 32-on-64
handling, whose implementation is outside block/ (sd_compat_ioctl).
3. process device-specific ioctls that require special 32-on-64
handling, whose implementation is in block/compat_ioctl.c
(compat_blkdev_driver_ioctl).
4. fallback to the normal ioctl implementation for ioctls that do not
require 32-on-64 (__blkdev_driver_ioctl).
If I return ENOTTY (or EPERM for that matter: anything but ENOIOCTLCMD),
then I rule out execution of steps 3 and especially 4. This means
32-on-64 systems will get ENOTTY for BLKGETSIZE64 and will fail to boot.
Paolo
next prev parent reply other threads:[~2011-12-22 19:18 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-22 18:02 [PATCH 0/3] possible privilege escalation via SG_IO ioctl (CVE-2011-4127) Paolo Bonzini
2011-12-22 18:02 ` [PATCH 1/3] block: add and use scsi_blk_cmd_ioctl Paolo Bonzini
2011-12-22 18:02 ` [PATCH 2/3] block: fail SCSI passthrough ioctls on partition devices Paolo Bonzini
2011-12-22 18:37 ` Linus Torvalds
2011-12-22 19:11 ` Willy Tarreau
2011-12-22 19:18 ` Paolo Bonzini [this message]
2011-12-22 19:44 ` Linus Torvalds
2011-12-22 20:23 ` Paolo Bonzini
2011-12-22 20:52 ` Linus Torvalds
2011-12-22 22:08 ` Paolo Bonzini
2011-12-22 22:25 ` Linus Torvalds
2011-12-22 23:48 ` Alasdair G Kergon
2011-12-23 0:07 ` Linus Torvalds
2011-12-23 6:26 ` Willy Tarreau
2011-12-23 9:22 ` Linus Torvalds
2011-12-23 9:45 ` Willy Tarreau
2011-12-23 14:15 ` Paolo Bonzini
2011-12-23 22:46 ` Linus Torvalds
2012-01-05 13:18 ` Paolo Bonzini
2012-01-05 16:16 ` Linus Torvalds
2012-01-05 16:40 ` Paolo Bonzini
2012-01-05 17:04 ` Linus Torvalds
2012-01-05 17:26 ` Paolo Bonzini
2012-01-05 23:49 ` Linus Torvalds
2011-12-26 1:41 ` Daniel Barkalow
2011-12-23 0:17 ` H. Peter Anvin
2011-12-22 18:02 ` [PATCH 3/3] dm: do not forward ioctls from logical volumes to the underlying device Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EF38269.7080804@redhat.com \
--to=pbonzini@redhat.com \
--cc=agk@redhat.com \
--cc=jbottomley@parallels.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchristi@redhat.com \
--cc=msnitzer@redhat.com \
--cc=pmatouse@redhat.com \
--cc=security@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.