From: Douglas Gilbert <dgilbert@interlog.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: linux-kernel@vger.kernel.org, Tejun Heo <tj@kernel.org>,
"James E.J. Bottomley" <JBottomley@parallels.com>,
linux-scsi@vger.kernel.org, Jens Axboe <axboe@kernel.dk>
Subject: Re: [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542)
Date: Wed, 13 Feb 2013 10:35:09 -0500 [thread overview]
Message-ID: <511BB2AD.4000605@interlog.com> (raw)
In-Reply-To: <511B4F95.1050404@redhat.com>
On 13-02-13 03:32 AM, Paolo Bonzini wrote:
> Il 06/02/2013 16:15, Paolo Bonzini ha scritto:
>> This series regards the whitelist that is used for the SG_IO ioctl. This
>> whitelist has three problems:
>>
>> * the bitmap of allowed commands is designed for MMC devices (roughly,
>> "play/burn CDs without requiring root") but some opcodes overlap across SCSI
>> device classes and have different meanings for different classes.
>>
>> * also because the bitmap of allowed commands is designed for MMC devices
>> only, some commands are missing even though they are generally useful and
>> not insecure. At least not more insecure than anything else you can
>> do if you have access to /dev/sdX or /dev/stX nodes.
>>
>> * the whitelist can be disabled per-process but not per-disk. In addition,
>> the required capability (CAP_SYS_RAWIO) gives access to a range of other
>> resources, enough to make it insecure.
>>
>> The series corrects these problems. Patches 1-4 solve the first problem,
>> which also has an assigned CVE, by using different bitmaps for the various
>> device classes. Patches 5-11 solve the second by adding more commands
>> to the bitmaps. Patches 12 and 13 solve the third, and were already
>> posted but ignored by the maintainers despite multiple pings.
>>
>> Note: checkpatch hates the formatting of the command table. I know about this,
>> and ensured that there are no errors in the rest of the code. The current
>> formatting is IMHO quite handy, and roughly based on the files available
>> from the SCSI standard body.
>>
>> Ok for the next merge window?
>>
>> Paolo
>>
>> v1->v2: remove 2 MMC commands and 6 SBC commands (see patches 6 and 9
>> for details). Added patch 14 and added a few more scanner
>> commands based on SANE (scanners are not whitelisted by default,
>> also were not in v1, but this makes it possible to opt into the
>> whitelist out of paranoia). Removed C++ comments. Removed the
>> large #if 0'd list of commands that the kernel does not pass
>> though. Marked blk_set_cmd_filter_defaults as __init.
>>
>>
>> Paolo Bonzini (14):
>> sg_io: pass request_queue to blk_verify_command
>> sg_io: reorganize list of allowed commands
>> sg_io: use different default filters for each device class
>> sg_io: resolve conflicts between commands assigned to multiple
>> classes (CVE-2012-4542)
>> sg_io: whitelist a few more commands for rare & obsolete device types
>> sg_io: whitelist another command for multimedia devices
>> sg_io: whitelist a few more commands for media changers
>> sg_io: whitelist a few more commands for tapes
>> sg_io: whitelist a few more commands for disks
>> sg_io: whitelist a few obsolete commands
>> sg_io: mark blk_set_cmd_filter_defaults as __init
>> sg_io: remove remnants of sysfs SG_IO filters
>> sg_io: introduce unpriv_sgio queue flag
>> sg_io: use unpriv_sgio to disable whitelisting for scanners
>>
>> Documentation/block/queue-sysfs.txt | 8 +
>> block/blk-sysfs.c | 33 +++
>> block/bsg.c | 2 +-
>> block/scsi_ioctl.c | 369 ++++++++++++++++++++++++++---------
>> drivers/scsi/scsi_scan.c | 14 ++-
>> drivers/scsi/sg.c | 6 +-
>> include/linux/blkdev.h | 8 +-
>> include/linux/genhd.h | 9 -
>> include/scsi/scsi.h | 3 +
>> 9 files changed, 344 insertions(+), 108 deletions(-)
>>
>
> Ping? I'm not even sure what tree this should host these patches...
You are whitelisting SCSI commands so obviously the SCSI tree
and the patch spills over into the block tree.
Can't see much point in ack-ing the sg changes since most
of the action is at higher levels.
The question I have is what existing code will this change
break (and will I being getting emails from peeved
developers)?
Is 8 lines of documentation changes enough? My guess is
that SG_IO ioctl pass-through users will be tripped up
and it won't be obvious to them to look at
Documentation/block/queue-sysfs.txt
for enlightenment; especially if they are using a char
device node from the bsg, sg or st drivers to issue SG_IO.
Doug Gilbert
next prev parent reply other threads:[~2013-02-13 15:35 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-06 15:15 [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542) Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 01/14] sg_io: pass request_queue to blk_verify_command Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 02/14] sg_io: reorganize list of allowed commands Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 03/14] sg_io: use different default filters for each device class Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 04/14] sg_io: resolve conflicts between commands assigned to multiple classes (CVE-2012-4542) Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 05/14] sg_io: whitelist a few more commands for rare & obsolete device types Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 06/14] sg_io: whitelist another command for multimedia devices Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 07/14] sg_io: whitelist a few more commands for media changers Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 08/14] sg_io: whitelist a few more commands for tapes Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 09/14] sg_io: whitelist a few more commands for disks Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 10/14] sg_io: whitelist a few obsolete commands Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 11/14] sg_io: mark blk_set_cmd_filter_defaults as __init Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 12/14] sg_io: remove remnants of sysfs SG_IO filters Paolo Bonzini
2013-02-06 15:16 ` [PATCH v2 13/14] sg_io: introduce unpriv_sgio queue flag Paolo Bonzini
2013-02-06 15:16 ` [PATCH v2 14/14] sg_io: use unpriv_sgio to disable whitelisting for scanners Paolo Bonzini
2013-02-13 8:32 ` [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542) Paolo Bonzini
2013-02-13 15:35 ` Douglas Gilbert [this message]
2013-02-13 15:48 ` Paolo Bonzini
2013-02-20 16:12 ` Paolo Bonzini
2013-03-22 22:30 ` PING^2 " Paolo Bonzini
2013-04-04 18:18 ` PING^3 " Paolo Bonzini
2013-04-17 12:26 ` PING^4 aka The Jon Corbet Effect " Paolo Bonzini
2013-04-27 13:31 ` PING^5 aka New ways to attract attentions " Paolo Bonzini
2013-05-06 20:43 ` PING^6 " Paolo Bonzini
2013-05-22 6:35 ` PING^7 (was Re: [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542)) Paolo Bonzini
2013-05-22 9:32 ` Tejun Heo
2013-05-22 9:53 ` Paolo Bonzini
2013-05-22 10:02 ` Tejun Heo
2013-05-22 10:23 ` Paolo Bonzini
2013-05-22 12:07 ` James Bottomley
2013-05-22 14:07 ` Paolo Bonzini
2013-05-22 16:31 ` Paolo Bonzini
2013-05-22 13:41 ` Tejun Heo
2013-05-22 14:12 ` Paolo Bonzini
2013-05-22 14:30 ` Tejun Heo
2013-05-22 15:00 ` Paolo Bonzini
2013-05-22 19:30 ` Tejun Heo
2013-05-22 21:18 ` Paolo Bonzini
2013-05-22 22:17 ` Tejun Heo
2013-05-23 0:54 ` Tejun Heo
2013-05-23 7:45 ` Paolo Bonzini
2013-05-23 9:02 ` Tejun Heo
2013-05-23 9:47 ` Paolo Bonzini
2013-05-24 1:44 ` Tejun Heo
2013-05-24 7:13 ` Paolo Bonzini
2013-05-24 8:02 ` Tejun Heo
2013-05-24 8:31 ` Paolo Bonzini
2013-05-24 9:07 ` Tejun Heo
2013-05-24 9:45 ` Paolo Bonzini
2013-05-24 22:20 ` Tejun Heo
2013-05-25 4:35 ` James Bottomley
2013-05-25 5:27 ` Christoph Hellwig
2013-05-25 7:05 ` Paolo Bonzini
2013-05-25 7:11 ` Christoph Hellwig
2013-05-25 7:21 ` Paolo Bonzini
2013-06-21 11:57 ` Christoph Hellwig
2013-05-25 8:37 ` Tejun Heo
2013-05-25 11:14 ` Paolo Bonzini
2013-05-25 12:48 ` Tejun Heo
2013-05-25 12:56 ` Paolo Bonzini
2013-05-22 15:03 ` Theodore Ts'o
2013-05-22 15:53 ` Paolo Bonzini
2013-05-22 16:32 ` Martin K. Petersen
2013-05-22 17:00 ` Paolo Bonzini
2013-05-22 18:11 ` Theodore Ts'o
2013-05-22 19:37 ` Paolo Bonzini
2013-05-22 20:19 ` Theodore Ts'o
2013-05-22 20:36 ` Paolo Bonzini
2013-05-25 3:54 ` Vladislav Bolkhovitin
2013-05-28 20:25 ` Martin K. Petersen
2013-05-29 6:12 ` Vladislav Bolkhovitin
2013-05-22 20:39 ` Tejun Heo
2013-05-22 21:12 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=511BB2AD.4000605@interlog.com \
--to=dgilbert@interlog.com \
--cc=JBottomley@parallels.com \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).