From: Jerry Hoemann <jerry.hoemann@hpe.com>
To: ross.zwisler@linux.intel.com, rjw@rjwysocki.net, lenb@kernel.org,
dan.j.williams@intel.com, elliott@hpe.com, jmoyer@redhat.com,
krivenok.dmitry@gmail.com, linda.knippers@hpe.com
Cc: robert.moore@intel.com, lv.zheng@intel.com,
rafael.j.wysocki@intel.com, linux-nvdimm@lists.01.org,
linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org,
Jerry Hoemann <jerry.hoemann@hpe.com>
Subject: [PATCH v5 4/6] nvdimm: Fix security issue with DSM IOCTL.
Date: Wed, 6 Jan 2016 16:03:41 -0700 [thread overview]
Message-ID: <912e263c7dab19a6bcc918806c249a2929274d5f.1452121277.git.jerry.hoemann@hpe.com> (raw)
In-Reply-To: <cover.1452121277.git.jerry.hoemann@hpe.com>
In-Reply-To: <cover.1452121277.git.jerry.hoemann@hpe.com>
Code attempts to prevent certain IOCTL DSM from being called
when device is opened read only. This security feature can
be trivially overcome by changing the size portion of the
ioctl_command which isn't used.
Check only the _IOC_NR (i.e. the command).
Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com>
---
drivers/nvdimm/bus.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
index 1c81203..87fe545 100644
--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -513,10 +513,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm,
/* fail write commands (when read-only) */
if (read_only)
- switch (ioctl_cmd) {
- case ND_IOCTL_VENDOR:
- case ND_IOCTL_SET_CONFIG_DATA:
- case ND_IOCTL_ARS_START:
+ switch (cmd) {
+ case ND_CMD_VENDOR:
+ case ND_CMD_SET_CONFIG_DATA:
+ case ND_CMD_ARS_START:
dev_dbg(&nvdimm_bus->dev, "'%s' command while read-only.\n",
nvdimm ? nvdimm_cmd_name(cmd)
: nvdimm_bus_cmd_name(cmd));
--
1.7.11.3
WARNING: multiple messages have this Message-ID (diff)
From: Jerry Hoemann <jerry.hoemann@hpe.com>
To: ross.zwisler@linux.intel.com, rjw@rjwysocki.net, lenb@kernel.org,
dan.j.williams@intel.com, elliott@hpe.com, jmoyer@redhat.com,
krivenok.dmitry@gmail.com, linda.knippers@hpe.com
Cc: robert.moore@intel.com, lv.zheng@intel.com,
rafael.j.wysocki@intel.com, linux-nvdimm@ml01.01.org,
linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org,
Jerry Hoemann <jerry.hoemann@hpe.com>
Subject: [PATCH v5 4/6] nvdimm: Fix security issue with DSM IOCTL.
Date: Wed, 6 Jan 2016 16:03:41 -0700 [thread overview]
Message-ID: <912e263c7dab19a6bcc918806c249a2929274d5f.1452121277.git.jerry.hoemann@hpe.com> (raw)
In-Reply-To: <cover.1452121277.git.jerry.hoemann@hpe.com>
In-Reply-To: <cover.1452121277.git.jerry.hoemann@hpe.com>
Code attempts to prevent certain IOCTL DSM from being called
when device is opened read only. This security feature can
be trivially overcome by changing the size portion of the
ioctl_command which isn't used.
Check only the _IOC_NR (i.e. the command).
Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com>
---
drivers/nvdimm/bus.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
index 1c81203..87fe545 100644
--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -513,10 +513,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm,
/* fail write commands (when read-only) */
if (read_only)
- switch (ioctl_cmd) {
- case ND_IOCTL_VENDOR:
- case ND_IOCTL_SET_CONFIG_DATA:
- case ND_IOCTL_ARS_START:
+ switch (cmd) {
+ case ND_CMD_VENDOR:
+ case ND_CMD_SET_CONFIG_DATA:
+ case ND_CMD_ARS_START:
dev_dbg(&nvdimm_bus->dev, "'%s' command while read-only.\n",
nvdimm ? nvdimm_cmd_name(cmd)
: nvdimm_bus_cmd_name(cmd));
--
1.7.11.3
next prev parent reply other threads:[~2016-01-06 23:03 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-06 23:03 [PATCH v5 0/6] nvdimm: Add an IOCTL pass thru for DSM calls Jerry Hoemann
2016-01-06 23:03 ` Jerry Hoemann
2016-01-06 23:03 ` [PATCH v5 1/6] ACPI / util: Fix acpi_evaluate_dsm() argument type Jerry Hoemann
2016-01-06 23:03 ` Jerry Hoemann
2016-01-08 0:07 ` Rafael J. Wysocki
2016-01-08 0:07 ` Rafael J. Wysocki
2016-01-06 23:03 ` [PATCH v5 2/6] nvdimm: Clean-up access mode check Jerry Hoemann
2016-01-06 23:03 ` Jerry Hoemann
2016-01-06 23:03 ` [PATCH v5 3/6] nvdimm: Add wrapper for IOCTL pass thru Jerry Hoemann
2016-01-06 23:03 ` Jerry Hoemann
2016-01-06 23:03 ` Jerry Hoemann [this message]
2016-01-06 23:03 ` [PATCH v5 4/6] nvdimm: Fix security issue with DSM IOCTL Jerry Hoemann
2016-01-06 23:03 ` [PATCH v5 5/6] nvdimm: Increase max envelope size for IOCTL Jerry Hoemann
2016-01-06 23:03 ` Jerry Hoemann
2016-01-06 23:03 ` [PATCH v5 6/6] nvdimm: Add IOCTL pass thru functions Jerry Hoemann
2016-01-06 23:03 ` Jerry Hoemann
2016-01-06 23:58 ` [PATCH v5 0/6] nvdimm: Add an IOCTL pass thru for DSM calls Dan Williams
2016-01-06 23:58 ` Dan Williams
2016-01-11 0:03 ` Dan Williams
2016-01-11 0:03 ` Dan Williams
2016-01-12 1:32 ` Jerry Hoemann
2016-01-12 1:32 ` Jerry Hoemann
2016-01-12 18:55 ` Dan Williams
2016-01-12 18:55 ` Dan Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=912e263c7dab19a6bcc918806c249a2929274d5f.1452121277.git.jerry.hoemann@hpe.com \
--to=jerry.hoemann@hpe.com \
--cc=dan.j.williams@intel.com \
--cc=elliott@hpe.com \
--cc=jmoyer@redhat.com \
--cc=krivenok.dmitry@gmail.com \
--cc=lenb@kernel.org \
--cc=linda.knippers@hpe.com \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvdimm@lists.01.org \
--cc=lv.zheng@intel.com \
--cc=rafael.j.wysocki@intel.com \
--cc=rjw@rjwysocki.net \
--cc=robert.moore@intel.com \
--cc=ross.zwisler@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.