* FW: CVE-2011-4127 kernel: possible privilege escalation via SG_IO ioctl
@ 2011-12-22 17:25 Alasdair G Kergon
From: Alasdair G Kergon @ 2011-12-22 17:25 UTC
  To: linux-lvm, dm-devel

----- Forwarded message from Petr Matousek <pmatouse@redhat.com> -----

Date: Thu, 22 Dec 2011 18:06:47 +0100
From: Petr Matousek <pmatouse@redhat.com>

Paolo Bonzini of Red Hat found out that the host Linux system allows
executing the SG_IO ioctl on a partition or even on an LVM volume, and
will pass the command to the underlying block device. This could be
further exploited in the context of virtualization, because
virtio disks support a limited form of SCSI passthrough via the SG_IO
ioctl. If a virtio disk is hosted on a partition or LVM volume with
format=raw, tools such as sg_dd can be used to read and write other data
on the same disk --- even data that belongs to the host or to other
guests.

References:
https://lkml.org/lkml/2004/8/12/218
https://lkml.org/lkml/2004/8/12/260
https://bugzilla.redhat.com/show_bug.cgi?id=752375

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team

----- End forwarded message -----


For a storage stack to be vulnerable, every layer must forward the SG_IO ioctls
to the layer below it.

Three device-mapper target types are known to do this: linear, multipath and
flakey.

If the I/O has to pass through striped, crypt, mirror or snapshot*
device-mapper target types or an md software raid layer on its route to disk,
any SG_IO will get blocked by those layers and so we believe such
configurations are not vulnerable.

Immediate mitigation (without patching your kernel/rebooting) is available with
a systemtap script mentioned in the bug if you have systemtap installed, or
alternatively by creating a patched version of LVM with:

  http://www.redhat.com/archives/lvm-devel/2011-November/msg00171.html
  http://sourceware.org/git/?p=lvm2.git;a=commitdiff;h=bb69784719932515baea4757dc9d61e81b825285;hp=8ec116a6b874f3575bc346e4cbd69ac5f0522160

and then setting 'use_linear_target = 0' in the 'activation' section of
lvm.conf and running lvchange --refresh on the relevant logical volumes to
convert them in-situ from the vulnerable 'linear' target type to the
not-vulnerable 'striped' target type.  (A linear target works the same as a
striped target with just 1 stripe.)  When you run 'dmsetup table' you should
then see 'striped' in the output where previously there was 'linear'.

A kernel patch that fixes device-mapper/LVM devices is here:
  http://people.redhat.com/agk/patches/linux/editing/dm-block-sg_io-ioctls.patch
  ftp://sources.redhat.com/pub/dm/patches/2.6-unstable/editing/patches/dm-block-sg_io-ioctls.patch

Alasdair

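The rules in the message above (every layer must forward SG_IO for the stack to be vulnerable; linear, multipath and flakey forward it; striped, crypt, mirror and snapshot targets block it) can be turned into a quick audit. The POSIX shell script below is an added example, not code from Alasdair's post or from the lvm2/device-mapper tools. It assumes: a constructed `dmsetup table` sample (the "name: start length target args" line format that `dmsetup table` prints), a constructed child/parent stacking map (on a real host you would derive it from `dmsetup deps` or `dmsetup ls --tree`), a `snapshot*` pattern standing in for the "snapshot*" family named in the message, a device with no table entry treated as a physical disk that handles SG_IO itself, and a device with several segments treated conservatively as forwarding only if every segment forwards. md raid layers are not visible in `dmsetup table` and are not modelled here.

```shell
#!/bin/sh
# Added example (not from the original post): classify device-mapper stacks by
# whether SG_IO would be forwarded all the way down to the physical disk.

# Constructed sample of `dmsetup table` output; not from a real host.
# "vg-root-after-refresh" shows the same mapping after lvchange --refresh with
# use_linear_target = 0: the target type changes from linear to striped.
SAMPLE_TABLE='vg-root: 0 41943040 linear 8:2 2048
vg-root-after-refresh: 0 41943040 striped 1 128 8:2 2048
mpatha: 0 4194304 multipath 0 0 1 1 round-robin 0 1 1 8:48 1
vg-guest1: 0 2097152 linear 253:2 2048
vg-secrets: 0 2097152 crypt aes-xts-plain64 00000000000000000000000000000000 0 253:2 0
vg-snap: 0 2097152 snapshot 253:1 253:4 P 8'

# Constructed "child parent" stacking map (hypothetical; on a real host build it
# from `dmsetup deps` or `dmsetup ls --tree`). A device absent from the map has
# only physical disks underneath it.
SAMPLE_DEPS='vg-guest1 mpatha
vg-secrets mpatha
vg-snap vg-root'

# Per-target verdict, straight from the lists in the advisory message.
# Anything not named there is reported as "unknown" rather than guessed.
target_class() {
    case $1 in
        linear|multipath|flakey)         echo forward ;;
        striped|crypt|mirror|snapshot*)  echo block ;;
        *)                               echo unknown ;;
    esac
}

# Combine two verdicts: a single blocking layer protects the whole route,
# an unknown layer leaves the route unknown, otherwise it forwards.
combine() {
    case "$1 $2" in
        *block*)   echo block ;;
        *unknown*) echo unknown ;;
        *)         echo forward ;;
    esac
}

# Verdict for one dm device: every segment (table line) must forward.
# A device with no table lines is assumed to be a physical disk, which
# executes SG_IO itself, so it counts as "forward".
device_class() {
    verdict=forward
    for t in $(printf '%s\n' "$SAMPLE_TABLE" | awk -v d="$1:" '$1 == d { print $4 }'); do
        verdict=$(combine "$verdict" "$(target_class "$t")")
    done
    echo "$verdict"
}

# Verdict for the whole route from $1 down to the disk: this device's own
# verdict combined with the verdict of every dm device it sits on top of.
stack_class() {
    verdict=$(device_class "$1")
    for parent in $(printf '%s\n' "$SAMPLE_DEPS" | awk -v c="$1" '$1 == c { print $2 }'); do
        verdict=$(combine "$verdict" "$(stack_class "$parent")")
    done
    echo "$verdict"
}

# Report every top-level device in the sample; "forward" means an SG_IO
# issued on that device would reach the underlying disk unblocked.
report() {
    for dev in vg-root vg-root-after-refresh vg-guest1 vg-secrets vg-snap; do
        printf '%-24s SG_IO: %s\n' "$dev" "$(stack_class "$dev")"
    done
}

report
```

To run this against a live host, replace `SAMPLE_TABLE` with the output of `dmsetup table` and `SAMPLE_DEPS` with the child/parent pairs you read off `dmsetup ls --tree`; a "forward" verdict on a volume that backs a guest disk is exactly the configuration the message describes, and the `vg-root-after-refresh` line shows what the table entry should look like once the linear-to-striped refresh has been applied.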

* Re: FW: CVE-2011-4127 kernel: possible privilege escalation via SG_IO ioctl
@ 2011-12-22 18:21 ` Alasdair G Kergon
From: Alasdair G Kergon @ 2011-12-22 18:21 UTC
  To: linux-lvm, dm-devel

On Thu, Dec 22, 2011 at 05:25:48PM +0000, Alasdair G Kergon wrote:
> A kernel patch that fixes device-mapper/LVM devices is here:
>   http://people.redhat.com/agk/patches/linux/editing/dm-block-sg_io-ioctls.patch
>   ftp://sources.redhat.com/pub/dm/patches/2.6-unstable/editing/patches/dm-block-sg_io-ioctls.patch
 
Complete patchset to fix this proposed here:
  https://lkml.org/lkml/2011/12/22/270

Alasdair
