From: Jerry Hoemann <jerry.hoemann@hpe.com> To: ross.zwisler@linux.intel.com, rjw@rjwysocki.net, lenb@kernel.org, dan.j.williams@intel.com, elliott@hpe.com, jmoyer@redhat.com, krivenok.dmitry@gmail.com, linda.knippers@hpe.com Cc: robert.moore@intel.com, lv.zheng@intel.com, rafael.j.wysocki@intel.com, linux-nvdimm@lists.01.org, linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org, Jerry Hoemann <jerry.hoemann@hpe.com> Subject: [PATCH v5 4/6] nvdimm: Fix security issue with DSM IOCTL. Date: Wed, 6 Jan 2016 16:03:41 -0700 [thread overview] Message-ID: <912e263c7dab19a6bcc918806c249a2929274d5f.1452121277.git.jerry.hoemann@hpe.com> (raw) In-Reply-To: <cover.1452121277.git.jerry.hoemann@hpe.com> In-Reply-To: <cover.1452121277.git.jerry.hoemann@hpe.com> Code attempts to prevent certain IOCTL DSM from being called when device is opened read only. This security feature can be trivially overcome by changing the size portion of the ioctl_command which isn't used. Check only the _IOC_NR (i.e. the command). Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com> --- drivers/nvdimm/bus.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c index 1c81203..87fe545 100644 --- a/drivers/nvdimm/bus.c +++ b/drivers/nvdimm/bus.c @@ -513,10 +513,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, /* fail write commands (when read-only) */ if (read_only) - switch (ioctl_cmd) { - case ND_IOCTL_VENDOR: - case ND_IOCTL_SET_CONFIG_DATA: - case ND_IOCTL_ARS_START: + switch (cmd) { + case ND_CMD_VENDOR: + case ND_CMD_SET_CONFIG_DATA: + case ND_CMD_ARS_START: dev_dbg(&nvdimm_bus->dev, "'%s' command while read-only.\n", nvdimm ? nvdimm_cmd_name(cmd) : nvdimm_bus_cmd_name(cmd)); -- 1.7.11.3
WARNING: multiple messages have this Message-ID (diff)
From: Jerry Hoemann <jerry.hoemann@hpe.com> To: ross.zwisler@linux.intel.com, rjw@rjwysocki.net, lenb@kernel.org, dan.j.williams@intel.com, elliott@hpe.com, jmoyer@redhat.com, krivenok.dmitry@gmail.com, linda.knippers@hpe.com Cc: robert.moore@intel.com, lv.zheng@intel.com, rafael.j.wysocki@intel.com, linux-nvdimm@ml01.01.org, linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org, Jerry Hoemann <jerry.hoemann@hpe.com> Subject: [PATCH v5 4/6] nvdimm: Fix security issue with DSM IOCTL. Date: Wed, 6 Jan 2016 16:03:41 -0700 [thread overview] Message-ID: <912e263c7dab19a6bcc918806c249a2929274d5f.1452121277.git.jerry.hoemann@hpe.com> (raw) In-Reply-To: <cover.1452121277.git.jerry.hoemann@hpe.com> In-Reply-To: <cover.1452121277.git.jerry.hoemann@hpe.com> Code attempts to prevent certain IOCTL DSM from being called when device is opened read only. This security feature can be trivially overcome by changing the size portion of the ioctl_command which isn't used. Check only the _IOC_NR (i.e. the command). Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com> --- drivers/nvdimm/bus.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c index 1c81203..87fe545 100644 --- a/drivers/nvdimm/bus.c +++ b/drivers/nvdimm/bus.c @@ -513,10 +513,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, /* fail write commands (when read-only) */ if (read_only) - switch (ioctl_cmd) { - case ND_IOCTL_VENDOR: - case ND_IOCTL_SET_CONFIG_DATA: - case ND_IOCTL_ARS_START: + switch (cmd) { + case ND_CMD_VENDOR: + case ND_CMD_SET_CONFIG_DATA: + case ND_CMD_ARS_START: dev_dbg(&nvdimm_bus->dev, "'%s' command while read-only.\n", nvdimm ? nvdimm_cmd_name(cmd) : nvdimm_bus_cmd_name(cmd)); -- 1.7.11.3
next prev parent reply other threads:[~2016-01-06 23:03 UTC|newest] Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-01-06 23:03 [PATCH v5 0/6] nvdimm: Add an IOCTL pass thru for DSM calls Jerry Hoemann 2016-01-06 23:03 ` Jerry Hoemann 2016-01-06 23:03 ` [PATCH v5 1/6] ACPI / util: Fix acpi_evaluate_dsm() argument type Jerry Hoemann 2016-01-06 23:03 ` Jerry Hoemann 2016-01-08 0:07 ` Rafael J. Wysocki 2016-01-08 0:07 ` Rafael J. Wysocki 2016-01-06 23:03 ` [PATCH v5 2/6] nvdimm: Clean-up access mode check Jerry Hoemann 2016-01-06 23:03 ` Jerry Hoemann 2016-01-06 23:03 ` [PATCH v5 3/6] nvdimm: Add wrapper for IOCTL pass thru Jerry Hoemann 2016-01-06 23:03 ` Jerry Hoemann 2016-01-06 23:03 ` Jerry Hoemann [this message] 2016-01-06 23:03 ` [PATCH v5 4/6] nvdimm: Fix security issue with DSM IOCTL Jerry Hoemann 2016-01-06 23:03 ` [PATCH v5 5/6] nvdimm: Increase max envelope size for IOCTL Jerry Hoemann 2016-01-06 23:03 ` Jerry Hoemann 2016-01-06 23:03 ` [PATCH v5 6/6] nvdimm: Add IOCTL pass thru functions Jerry Hoemann 2016-01-06 23:03 ` Jerry Hoemann 2016-01-06 23:58 ` [PATCH v5 0/6] nvdimm: Add an IOCTL pass thru for DSM calls Dan Williams 2016-01-06 23:58 ` Dan Williams 2016-01-11 0:03 ` Dan Williams 2016-01-11 0:03 ` Dan Williams 2016-01-12 1:32 ` Jerry Hoemann 2016-01-12 1:32 ` Jerry Hoemann 2016-01-12 18:55 ` Dan Williams 2016-01-12 18:55 ` Dan Williams
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=912e263c7dab19a6bcc918806c249a2929274d5f.1452121277.git.jerry.hoemann@hpe.com \ --to=jerry.hoemann@hpe.com \ --cc=dan.j.williams@intel.com \ --cc=elliott@hpe.com \ --cc=jmoyer@redhat.com \ --cc=krivenok.dmitry@gmail.com \ --cc=lenb@kernel.org \ --cc=linda.knippers@hpe.com \ --cc=linux-acpi@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-nvdimm@lists.01.org \ --cc=lv.zheng@intel.com \ --cc=rafael.j.wysocki@intel.com \ --cc=rjw@rjwysocki.net \ --cc=robert.moore@intel.com \ --cc=ross.zwisler@linux.intel.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.