All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paolo Bonzini <pbonzini@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>,
	linux-kernel@vger.kernel.org, security@kernel.org,
	pmatouse@redhat.com, agk@redhat.com, jbottomley@parallels.com,
	mchristi@redhat.com, msnitzer@redhat.com,
	Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH 2/3] block: fail SCSI passthrough ioctls on partition devices
Date: Thu, 05 Jan 2012 14:18:42 +0100	[thread overview]
Message-ID: <4F05A332.1060600@redhat.com> (raw)
In-Reply-To: <CA+55aFy=7wGzQv76dirJ=ZjeNdbKVKDRCLA323orsE13GcKvwQ@mail.gmail.com>

On 12/23/2011 11:46 PM, Linus Torvalds wrote:
> It sounds like people didn't even*think*  of the potential issues this
> patch can bring.  I'd absolutely be insane to apply them for -rc7.

Fair enough, I obviously cannot say they aren't intrusive.

Anyway, I set to change the patches to use ENOIOCTLCMD.  I did some
research and found the following commit:

commit d9ecdea7ed7467db32ec160f4eca46c279255606
Author: Christoph Hellwig <hch@lst.de>
Date:   Sat Jun 20 21:29:41 2009 +0200

    virtio_blk: ioctl return value fix
    
    Block driver ioctl methods must return ENOTTY and not -ENOIOCTLCMD if
    they expect the block layer to handle generic ioctls.
    
    This triggered a BLKROSET failure in xfsqa #200.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

which indeed matches the current code in block/ioctl.c:

	case BLKROSET:
		ret = __blkdev_driver_ioctl(bdev, mode, cmd, arg);
		/* -EINVAL to handle old uncorrected drivers */
		if (ret != -EINVAL && ret != -ENOTTY)
			return ret;
		if (!capable(CAP_SYS_ADMIN))
			return -EACCES;
		if (get_user(n, (int __user *)(arg)))
			return -EFAULT;
		set_device_ro(bdev, n);
		return 0;

Hence, changing scsi_verify_blk_ioctl to return ENOIOCTLCMD is not
really possible.  I can make it return a boolean value, but I do not
like it: does true mean "pass this ioctl" or "forbid this ioctl"?

Would you apply the patches as they are or do you want me to squash in
something like this?

diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index a6bedfe..bb94c88 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -710,6 +710,14 @@ int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
 	case SG_SET_RESERVED_SIZE:
 	case SG_EMULATED_HOST:
 		return 0;
+
+	case CDROMEJECT:
+		/* This is also unsafe for partition devices, but
+		 * "eject /mnt/usb-drive" invokes it.  Warn about it
+		 * and keep backwards compatibility.  */
+		printk_ratelimited(KERN_WARNING
+				   "sending CDROMEJECT ioctl to a partition\n");
+		return 0;
 	default:
 		break;
 	}

... perhaps allowing it only for CAP_SYS_RAWIO?

Paolo

  reply	other threads:[~2012-01-05 13:18 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-12-22 18:02 [PATCH 0/3] possible privilege escalation via SG_IO ioctl (CVE-2011-4127) Paolo Bonzini
2011-12-22 18:02 ` [PATCH 1/3] block: add and use scsi_blk_cmd_ioctl Paolo Bonzini
2011-12-22 18:02 ` [PATCH 2/3] block: fail SCSI passthrough ioctls on partition devices Paolo Bonzini
2011-12-22 18:37   ` Linus Torvalds
2011-12-22 19:11     ` Willy Tarreau
2011-12-22 19:18     ` Paolo Bonzini
2011-12-22 19:44       ` Linus Torvalds
2011-12-22 20:23         ` Paolo Bonzini
2011-12-22 20:52           ` Linus Torvalds
2011-12-22 22:08             ` Paolo Bonzini
2011-12-22 22:25               ` Linus Torvalds
2011-12-22 23:48                 ` Alasdair G Kergon
2011-12-23  0:07                   ` Linus Torvalds
2011-12-23  6:26                     ` Willy Tarreau
2011-12-23  9:22                       ` Linus Torvalds
2011-12-23  9:45                         ` Willy Tarreau
2011-12-23 14:15                         ` Paolo Bonzini
2011-12-23 22:46                           ` Linus Torvalds
2012-01-05 13:18                             ` Paolo Bonzini [this message]
2012-01-05 16:16                               ` Linus Torvalds
2012-01-05 16:40                                 ` Paolo Bonzini
2012-01-05 17:04                                   ` Linus Torvalds
2012-01-05 17:26                                     ` Paolo Bonzini
2012-01-05 23:49                               ` Linus Torvalds
2011-12-26  1:41                       ` Daniel Barkalow
2011-12-23  0:17                 ` H. Peter Anvin
2011-12-22 18:02 ` [PATCH 3/3] dm: do not forward ioctls from logical volumes to the underlying device Paolo Bonzini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4F05A332.1060600@redhat.com \
    --to=pbonzini@redhat.com \
    --cc=agk@redhat.com \
    --cc=hch@lst.de \
    --cc=jbottomley@parallels.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mchristi@redhat.com \
    --cc=msnitzer@redhat.com \
    --cc=pmatouse@redhat.com \
    --cc=security@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=w@1wt.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.