[PATCH] CVE fix for xen-blkback allowing DISCARD operations on read-only disks.

xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] CVE fix for xen-blkback allowing DISCARD operations on read-only disks.
@ 2013-06-05 19:54 Konrad Rzeszutek Wilk
  2013-06-05 19:54 ` [PATCH] xen/blkback: Check device permissions before allowing OP_DISCARD Konrad Rzeszutek Wilk
  0 siblings, 1 reply; 2+ messages in thread
From: Konrad Rzeszutek Wilk @ 2013-06-05 19:54 UTC (permalink / raw)
  To: axboe, linux-kernel; +Cc: xen-devel

Please put the following patch:
 [PATCH] xen/blkback: Check device permissions before allowing

in your tree for Linus. It fixes CVE-2013-2140.

The bug is that if a system admin provides a disk (which supports
the discard aka TRIM or SCSI UNMAP) to a guest as read-only - there
are no checks done. Which means that the OS can destroy the data.

The likehood of somebody using 'ro' disks I think is small - but
there is probably one person who does it and would be unhappy that
a guest OS can destroy the underlaying data.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* [PATCH] xen/blkback: Check device permissions before allowing OP_DISCARD
  2013-06-05 19:54 [PATCH] CVE fix for xen-blkback allowing DISCARD operations on read-only disks Konrad Rzeszutek Wilk
@ 2013-06-05 19:54 ` Konrad Rzeszutek Wilk
  0 siblings, 0 replies; 2+ messages in thread
From: Konrad Rzeszutek Wilk @ 2013-06-05 19:54 UTC (permalink / raw)
  To: axboe, linux-kernel; +Cc: xen-devel, Konrad Rzeszutek Wilk, stable

We need to make sure that the device is not RO or that
the request is not past the number of sectors we want to
issue the DISCARD operation for.

This fixes CVE-2013-2140.

Cc: stable@vger.kernel.org
Acked-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
[v1: Made it pr_warn instead of pr_debug]
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
 drivers/block/xen-blkback/blkback.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index eea2c69..11ca405 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -881,7 +881,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
 	int status = BLKIF_RSP_OKAY;
 	struct block_device *bdev = blkif->vbd.bdev;
 	unsigned long secure;
+	struct phys_req preq;
+
+	preq.sector_number = req->u.discard.sector_number;
+	preq.nr_sects      = req->u.discard.nr_sectors;
 
+	err = xen_vbd_translate(&preq, blkif, WRITE);
+	if (err) {
+		pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
+			preq.sector_number,
+			preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
+		goto fail_response;
+	}
 	blkif->st_ds_req++;
 
 	xen_blkif_get(blkif);
@@ -892,7 +903,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
 	err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
 				   req->u.discard.nr_sectors,
 				   GFP_KERNEL, secure);
-
+fail_response:
 	if (err == -EOPNOTSUPP) {
 		pr_debug(DRV_PFX "discard op failed, not supported\n");
 		status = BLKIF_RSP_EOPNOTSUPP;
-- 
1.8.1.4

^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2013-06-05 19:54 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-05 19:54 [PATCH] CVE fix for xen-blkback allowing DISCARD operations on read-only disks Konrad Rzeszutek Wilk
2013-06-05 19:54 ` [PATCH] xen/blkback: Check device permissions before allowing OP_DISCARD Konrad Rzeszutek Wilk

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).