[PATCH v2 0/3] possible privilege escalation via SG_IO ioctl (CVE-2011-4127)

[PATCH v2 0/3] possible privilege escalation via SG_IO ioctl (CVE-2011-4127)

[Paolo Bonzini]

Partition block devices or LVM volumes can be sent SCSI commands via
SG_IO, which are then passed down to the underlying device; it's
been this way forever, it was mentioned in 2004 in LKML at
https://lkml.org/lkml/2004/8/12/218 and it is even documented in the
sg_dd man page:

    blk_sgio=1
              when set to 0, block devices (e.g. /dev/sda) are treated
              like normal files (i.e. read(2) and write(2) are used for
              IO). When set to 1, block devices are assumed to accept the
              SG_IO ioctl and  SCSI commands are issued for IO. [...]
              If the input or output device is a block device partition
              (e.g. /dev/sda3) then setting this option causes the
              partition information to be ignored (since access is
              directly to the underlying device).

This is problematic because "safe" SCSI commands, including READ or WRITE,
can be sent to the disk without any particular capability.  All that is
required is having a file descriptor for the block device, and permission
to send a ioctl.  However, when a user lets a program access /dev/sda2,
it still should not be able to read/write /dev/sda outside the boundaries
of that partition.

Encryption on the host is a mitigating factor, but it does not provide
a full solution.  In particular it doesn't protect against DoS (write
random data), replay attacks (reinstate old ciphertext sectors), or
writes to unencrypted areas including the MBR, the partition table, or
/boot.

The patches implement a simple global whitelist for both partitions
and partial disk mappings.  Patch 1 refactors the code to prepare for
introduction of the whitelist, while patch 2 actually implements it for
the SCSI ioctls.  Logical volumes are also affected if they have only one
target, and this target can pass ioctls to the underlying block device.
Patch 3 thus adds the whitelist to logical volumes as well.

This should be entirely independent of capabilities.  Continuing the
previous example, if the same user gives CAP_SYS_RAWIO to the program and
write access to /dev/sdb, the program should be able to send arbitrary
SCSI commands to /dev/sdb, but still should not be able to access /dev/sda
outside the boundaries of /dev/sda2.  However, for now when the program
has CAP_SYS_RAWIO the ioctls are let through (while still being logged
to dmesg).

drivers/ide/ has several ioctls that should only be restricted to the full
block device (for example HDIO_SET_*, HDIO_DRIVE_CMD, HDIO_DRIVE_TASK,
HDIO_DRIVE_RESET).  However, all of them require either CAP_SYS_ADMIN
or CAP_SYS_RAWIO, so they do not need any change given the above interim
measure.

Tested on top of 3.2 + Linus's patch to sanitize ioctl return values.

Thanks to Daniel Berrange, Milan Broz, Mike Christie, Alasdair Kergon,
Petr Matousek, Jeff Moyer, Mike Snitzer and others for help discussing
this issue.

Paolo

v1->v2:
	Added logging and temporary wildcard for CAP_SYS_RAWIO;
	added CDROM ioctls to the whitelist; return -ENOIOCTLCMD.
	No changes in patches 1 and 3.

Paolo Bonzini (3):
  block: add and use scsi_blk_cmd_ioctl
  block: fail SCSI passthrough ioctls on partition devices
  dm: do not forward ioctls from logical volumes to the underlying
    device

 block/scsi_ioctl.c             |   50 ++++++++++++++++++++++++++++++++++++++++
 drivers/block/cciss.c          |    6 ++--
 drivers/block/ub.c             |    3 +-
 drivers/block/virtio_blk.c     |    4 +-
 drivers/cdrom/cdrom.c          |    3 +-
 drivers/ide/ide-floppy_ioctl.c |    3 +-
 drivers/md/dm-flakey.c         |   11 ++++++++-
 drivers/md/dm-linear.c         |   12 ++++++++-
 drivers/md/dm-mpath.c          |    6 ++++
 drivers/scsi/sd.c              |   13 ++++++++--
 include/linux/blkdev.h         |    3 ++
 11 files changed, 98 insertions(+), 16 deletions(-)

-- 
1.7.7.1

[PATCH v2 1/3] block: add and use scsi_blk_cmd_ioctl

[Paolo Bonzini]

Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
The function will then be enhanced to detect partition block devices and,
in that case, subject the ioctls to whitelisting.

Cc: linux-scsi@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>
Cc: James Bottomley <JBottomley@parallels.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 block/scsi_ioctl.c             |    7 +++++++
 drivers/block/cciss.c          |    6 +++---
 drivers/block/ub.c             |    3 +--
 drivers/block/virtio_blk.c     |    4 ++--
 drivers/cdrom/cdrom.c          |    3 +--
 drivers/ide/ide-floppy_ioctl.c |    3 +--
 drivers/scsi/sd.c              |    2 +-
 include/linux/blkdev.h         |    2 ++
 8 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index fbdf0d8..a2c11f3 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -690,6 +690,13 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
 }
 EXPORT_SYMBOL(scsi_cmd_ioctl);
 
+int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
+		       unsigned int cmd, void __user *arg)
+{
+	return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
+}
+EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
+
 static int __init blk_scsi_ioctl_init(void)
 {
 	blk_set_cmd_filter_defaults(&blk_default_cmd_filter);
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 587cce5..b0f553b 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1735,7 +1735,7 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
 	case CCISS_BIG_PASSTHRU:
 		return cciss_bigpassthru(h, argp);
 
-	/* scsi_cmd_ioctl handles these, below, though some are not */
+	/* scsi_cmd_blk_ioctl handles these, below, though some are not */
 	/* very meaningful for cciss.  SG_IO is the main one people want. */
 
 	case SG_GET_VERSION_NUM:
@@ -1746,9 +1746,9 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
 	case SG_EMULATED_HOST:
 	case SG_IO:
 	case SCSI_IOCTL_SEND_COMMAND:
-		return scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
+		return scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
 
-	/* scsi_cmd_ioctl would normally handle these, below, but */
+	/* scsi_cmd_blk_ioctl would normally handle these, below, but */
 	/* they aren't a good fit for cciss, as CD-ROMs are */
 	/* not supported, and we don't have any bus/target/lun */
 	/* which we present to the kernel. */
diff --git a/drivers/block/ub.c b/drivers/block/ub.c
index 0e376d4..7333b9e 100644
--- a/drivers/block/ub.c
+++ b/drivers/block/ub.c
@@ -1744,12 +1744,11 @@ static int ub_bd_release(struct gendisk *disk, fmode_t mode)
 static int ub_bd_ioctl(struct block_device *bdev, fmode_t mode,
     unsigned int cmd, unsigned long arg)
 {
-	struct gendisk *disk = bdev->bd_disk;
 	void __user *usermem = (void __user *) arg;
 	int ret;
 
 	mutex_lock(&ub_mutex);
-	ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, usermem);
+	ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, usermem);
 	mutex_unlock(&ub_mutex);
 
 	return ret;
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
index 4d0b70a..e46f2f7 100644
--- a/drivers/block/virtio_blk.c
+++ b/drivers/block/virtio_blk.c
@@ -243,8 +243,8 @@ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
 	if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
 		return -ENOTTY;
 
-	return scsi_cmd_ioctl(disk->queue, disk, mode, cmd,
-			      (void __user *)data);
+	return scsi_cmd_blk_ioctl(bdev, mode, cmd,
+				  (void __user *)data);
 }
 
 /* We provide getgeo only to please some old bootloader/partitioning tools */
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 2118211..129af31 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2746,12 +2746,11 @@ int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
 {
 	void __user *argp = (void __user *)arg;
 	int ret;
-	struct gendisk *disk = bdev->bd_disk;
 
 	/*
 	 * Try the generic SCSI command ioctl's first.
 	 */
-	ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
+	ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
 	if (ret != -ENOTTY)
 		return ret;
 
diff --git a/drivers/ide/ide-floppy_ioctl.c b/drivers/ide/ide-floppy_ioctl.c
index d267b7a..a22ca84 100644
--- a/drivers/ide/ide-floppy_ioctl.c
+++ b/drivers/ide/ide-floppy_ioctl.c
@@ -292,8 +292,7 @@ int ide_floppy_ioctl(ide_drive_t *drive, struct block_device *bdev,
 	 * and CDROM_SEND_PACKET (legacy) ioctls
 	 */
 	if (cmd != CDROM_SEND_PACKET && cmd != SCSI_IOCTL_SEND_COMMAND)
-		err = scsi_cmd_ioctl(bdev->bd_disk->queue, bdev->bd_disk,
-				mode, cmd, argp);
+		err = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
 
 	if (err == -ENOTTY)
 		err = generic_ide_ioctl(drive, bdev, cmd, arg);
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index fa3a591..ffa1c79 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1096,7 +1096,7 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
 			error = scsi_ioctl(sdp, cmd, p);
 			break;
 		default:
-			error = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, p);
+			error = scsi_cmd_blk_ioctl(bdev, mode, cmd, p);
 			if (error != -ENOTTY)
 				break;
 			error = scsi_ioctl(sdp, cmd, p);
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 94acd81..ca7b869 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -675,6 +675,8 @@ extern int blk_insert_cloned_request(struct request_queue *q,
 				     struct request *rq);
 extern void blk_delay_queue(struct request_queue *, unsigned long);
 extern void blk_recount_segments(struct request_queue *, struct bio *);
+extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
+			      unsigned int, void __user *);
 extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
 			  unsigned int, void __user *);
 extern int sg_scsi_ioctl(struct request_queue *, struct gendisk *, fmode_t,
-- 
1.7.7.1

[PATCH v2 2/3] block: fail SCSI passthrough ioctls on partition devices

[Paolo Bonzini]

Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
will pass the command to the underlying block device.  This is well-known,
but it is also a large security problem when (via Unix permissions,
ACLs, SELinux or a combination thereof) a program or user needs to be
granted access only to part of the disk.

This patch lets partitions forward a small set of harmless ioctls; others
are logged with printk so that we can see which ioctls are actually sent.
In my tests only CDROM_GET_CAPABILITY actually occurred.  Of course it
was being sent to a (partition on a) hard disk, so it would have failed
with ENOTTY and the patch isn't changing anything in practice.  Still,
I'm treating it specially to avoid spamming the logs.

In principle, this restriction should include programs running
with CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2
and /dev/sdb, it still should not be able to read/write outside the
boundaries of /dev/sda2 independent of the capabilities.  However, for
now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls.
Their actions will still be logged.

This patch does not affect the non-libata IDE driver.  That driver however
already tests for bd != bd->bd_contains before issuing some ioctl; it could
be restricted further to forbid these ioctls even for programs running with
CAP_SYS_ADMIN/CAP_SYS_RAWIO.

Cc: linux-scsi@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>
Cc: James Bottomley <JBottomley@parallels.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 block/scsi_ioctl.c     |   43 +++++++++++++++++++++++++++++++++++++++++++
 drivers/scsi/sd.c      |   11 +++++++++--
 include/linux/blkdev.h |    1 +
 3 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index a2c11f3..bdb8489 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -24,6 +24,7 @@
 #include <linux/capability.h>
 #include <linux/completion.h>
 #include <linux/cdrom.h>
+#include <linux/ratelimit.h>
 #include <linux/slab.h>
 #include <linux/times.h>
 #include <asm/uaccess.h>
@@ -690,9 +691,53 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
 }
 EXPORT_SYMBOL(scsi_cmd_ioctl);
 
+int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
+{
+	if (bd && bd == bd->bd_contains)
+		return 0;
+
+	/* Actually none of these is particularly useful on a partition,
+	 * but they are safe.
+	 */
+	switch (cmd) {
+	case SCSI_IOCTL_GET_IDLUN:
+	case SCSI_IOCTL_GET_BUS_NUMBER:
+	case SCSI_IOCTL_GET_PCI:
+	case SCSI_IOCTL_PROBE_HOST:
+	case SG_GET_VERSION_NUM:
+	case SG_SET_TIMEOUT:
+	case SG_GET_TIMEOUT:
+	case SG_GET_RESERVED_SIZE:
+	case SG_SET_RESERVED_SIZE:
+	case SG_EMULATED_HOST:
+		return 0;
+	case CDROM_GET_CAPABILITY:
+		/* Keep this until we remove the printk below.  udev sends it
+		 * and we do not want to spam dmesg about it.   CD-ROMs do
+		 * not have partitions, so we get here only for disks.
+		 */
+		return -ENOIOCTLCMD;
+	default:
+		break;
+	}
+
+	/* In particular, rule out all resets and host-specific ioctls.  */
+	printk_ratelimited(KERN_WARNING
+			   "sending ioctl %x to a partition!\n", cmd);
+
+	return capable(CAP_SYS_RAWIO) ? 0 : -ENOIOCTLCMD;
+}
+EXPORT_SYMBOL(scsi_verify_blk_ioctl);
+
 int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
 		       unsigned int cmd, void __user *arg)
 {
+	int ret;
+
+	ret = scsi_verify_blk_ioctl(bd, cmd);
+	if (ret < 0)
+		return ret;
+
 	return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
 }
 EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index ffa1c79..fd96409 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1074,6 +1074,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
 	SCSI_LOG_IOCTL(1, sd_printk(KERN_INFO, sdkp, "sd_ioctl: disk=%s, "
 				    "cmd=0x%x\n", disk->disk_name, cmd));
 
+	error = scsi_verify_blk_ioctl(bdev, cmd);
+	if (error < 0)
+		return error;
+
 	/*
 	 * If we are in the middle of error recovery, don't let anyone
 	 * else try and use this device.  Also, if error recovery fails, it
@@ -1266,6 +1270,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
 			   unsigned int cmd, unsigned long arg)
 {
 	struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
+	int ret;
+
+	ret = scsi_verify_blk_ioctl(bdev, cmd);
+	if (ret < 0)
+		return ret;
 
 	/*
 	 * If we are in the middle of error recovery, don't let anyone
@@ -1277,8 +1286,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
 		return -ENODEV;
 	       
 	if (sdev->host->hostt->compat_ioctl) {
-		int ret;
-
 		ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
 
 		return ret;
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index ca7b869..0ed1eb0 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -675,6 +675,7 @@ extern int blk_insert_cloned_request(struct request_queue *q,
 				     struct request *rq);
 extern void blk_delay_queue(struct request_queue *, unsigned long);
 extern void blk_recount_segments(struct request_queue *, struct bio *);
+extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
 extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
 			      unsigned int, void __user *);
 extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
-- 
1.7.7.1

Re: [PATCH v2 2/3] block: fail SCSI passthrough ioctls on partition devices

[Linus Torvalds]

On Thu, Jan 12, 2012 at 7:01 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> +       case CDROM_GET_CAPABILITY:
> +               /* Keep this until we remove the printk below.  udev sends it
> +                * and we do not want to spam dmesg about it.   CD-ROMs do
> +                * not have partitions, so we get here only for disks.
> +                */
> +               return -ENOIOCTLCMD;

Looks like CDROMMULTISESSION is another of these.

I get two of these:

   mount: sending ioctl 5310 to a partition!

with Fedora 14 whenever a USB stick is inserted (I changed your patch
to also print the name of the program). Let's see if anything else
pops up.

Anyway, with the changes to print out warnings and still allow it for
root, this all looked safe and nice, so they are in my tree now. I
only noticed after applying them that you hadn't marked them with 'cc:
stable@kernel.org', so we should probably point Greg at them. They are
commits

  577ebb374c78 block: add and use scsi_blk_cmd_ioctl
  0bfc96cb7722 block: fail SCSI passthrough ioctls on partition devices
  ec8013beddd7 dm: do not forward ioctls from logical volumes to the
underlying device

in my tree now.

                      Linus

Re: [PATCH v2 2/3] block: fail SCSI passthrough ioctls on partition devices

[Paolo Bonzini]

On 01/15/2012 12:43 AM, Linus Torvalds wrote:
> Anyway, with the changes to print out warnings and still allow it for
> root, this all looked safe and nice, so they are in my tree now. I
> only noticed after applying them that you hadn't marked them with 'cc:
> stable@kernel.org', so we should probably point Greg at them. They are
> commits
>
>    577ebb374c78 block: add and use scsi_blk_cmd_ioctl
>    0bfc96cb7722 block: fail SCSI passthrough ioctls on partition devices
>    ec8013beddd7 dm: do not forward ioctls from logical volumes to the
> underlying device
>
> in my tree now.

I'll tweak them myself for stable based on what you committed, so that 
they do not require your ENOTTY/ENOIOCTLCMD change (i.e. with the uglier 
v1 implementation).

Thanks very much.

Paolo

Re: [PATCH v2 2/3] block: fail SCSI passthrough ioctls on partition devices

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 1080 bytes --]

On Mon, 2012-01-16 at 09:51 +0100, Paolo Bonzini wrote:
> On 01/15/2012 12:43 AM, Linus Torvalds wrote:
> > Anyway, with the changes to print out warnings and still allow it for
> > root, this all looked safe and nice, so they are in my tree now. I
> > only noticed after applying them that you hadn't marked them with 'cc:
> > stable@kernel.org', so we should probably point Greg at them. They are
> > commits
> >
> >    577ebb374c78 block: add and use scsi_blk_cmd_ioctl
> >    0bfc96cb7722 block: fail SCSI passthrough ioctls on partition devices
> >    ec8013beddd7 dm: do not forward ioctls from logical volumes to the
> > underlying device
> >
> > in my tree now.
> 
> I'll tweak them myself for stable based on what you committed, so that 
> they do not require your ENOTTY/ENOIOCTLCMD change (i.e. with the uglier 
> v1 implementation).
> 
> Thanks very much.

Paolo, I've just done this for Debian's stable kernel based on 2.6.32.
I'll send them as a follow-up to this.

Ben.

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]

[PATCH stable 1/4] kernel.h: add printk_ratelimited and pr_<level>_rl

[Ben Hutchings]

From: Joe Perches <joe@perches.com>

commit 8a64f336bc1d4aa203b138d29d5a9c414a9fbb47 upstream.

Add a printk_ratelimited statement expression macro that uses a per-call
ratelimit_state so that multiple subsystems output messages are not
suppressed by a global __ratelimit state.

[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: s/_rl/_ratelimited/g]
Signed-off-by: Joe Perches <joe@perches.com>
Cc: Naohiro Ooiwa <nooiwa@miraclelinux.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
This is a prerequisite for patch 3.

Ben.

 include/linux/kernel.h |   44 ++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 44 insertions(+), 0 deletions(-)

diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index f4e3184..1221fe4 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -407,6 +407,50 @@ static inline char *pack_hex_byte(char *buf, u8 byte)
 #endif
 
 /*
+ * ratelimited messages with local ratelimit_state,
+ * no local ratelimit_state used in the !PRINTK case
+ */
+#ifdef CONFIG_PRINTK
+#define printk_ratelimited(fmt, ...)  ({		\
+	static struct ratelimit_state _rs = {		\
+		.interval = DEFAULT_RATELIMIT_INTERVAL, \
+		.burst = DEFAULT_RATELIMIT_BURST,       \
+	};                                              \
+							\
+	if (!__ratelimit(&_rs))                         \
+		printk(fmt, ##__VA_ARGS__);		\
+})
+#else
+/* No effect, but we still get type checking even in the !PRINTK case: */
+#define printk_ratelimited printk
+#endif
+
+#define pr_emerg_ratelimited(fmt, ...) \
+	printk_ratelimited(KERN_EMERG pr_fmt(fmt), ##__VA_ARGS__)
+#define pr_alert_ratelimited(fmt, ...) \
+	printk_ratelimited(KERN_ALERT pr_fmt(fmt), ##__VA_ARGS__)
+#define pr_crit_ratelimited(fmt, ...) \
+	printk_ratelimited(KERN_CRIT pr_fmt(fmt), ##__VA_ARGS__)
+#define pr_err_ratelimited(fmt, ...) \
+	printk_ratelimited(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__)
+#define pr_warning_ratelimited(fmt, ...) \
+	printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
+#define pr_notice_ratelimited(fmt, ...) \
+	printk_ratelimited(KERN_NOTICE pr_fmt(fmt), ##__VA_ARGS__)
+#define pr_info_ratelimited(fmt, ...) \
+	printk_ratelimited(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
+/* no pr_cont_ratelimited, don't do that... */
+/* If you are writing a driver, please use dev_dbg instead */
+#if defined(DEBUG)
+#define pr_debug_ratelimited(fmt, ...) \
+	printk_ratelimited(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__)
+#else
+#define pr_debug_ratelimited(fmt, ...) \
+	({ if (0) printk_ratelimited(KERN_DEBUG pr_fmt(fmt), \
+				     ##__VA_ARGS__); 0; })
+#endif
+
+/*
  * General tracing related utility functions - trace_printk(),
  * tracing_on/tracing_off and tracing_start()/tracing_stop
  *
-- 
1.7.8.2

[PATCH stable 2/4] block: add and use scsi_blk_cmd_ioctl

[Ben Hutchings]

From: Paolo Bonzini <pbonzini@redhat.com>

commit 577ebb374c78314ac4617242f509e2f5e7156649 upstream.

Introduce a wrapper around scsi_cmd_ioctl that takes a block device.

The function will then be enhanced to detect partition block devices
and, in that case, subject the ioctls to whitelisting.

Cc: linux-scsi@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>
Cc: James Bottomley <JBottomley@parallels.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backport to 2.6.32 - adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/scsi_ioctl.c             |    7 +++++++
 drivers/block/cciss.c          |    6 +++---
 drivers/block/ub.c             |    3 +--
 drivers/block/virtio_blk.c     |    4 ++--
 drivers/cdrom/cdrom.c          |    3 +--
 drivers/ide/ide-floppy_ioctl.c |    3 +--
 drivers/scsi/sd.c              |    2 +-
 include/linux/blkdev.h         |    2 ++
 8 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index 1d5a780..114ee29 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -689,6 +689,13 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
 }
 EXPORT_SYMBOL(scsi_cmd_ioctl);
 
+int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
+		       unsigned int cmd, void __user *arg)
+{
+	return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
+}
+EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
+
 int __init blk_scsi_ioctl_init(void)
 {
 	blk_set_cmd_filter_defaults(&blk_default_cmd_filter);
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index ca9c548..68b90d9 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1583,7 +1583,7 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
 			return status;
 		}
 
-	/* scsi_cmd_ioctl handles these, below, though some are not */
+	/* scsi_cmd_blk_ioctl handles these, below, though some are not */
 	/* very meaningful for cciss.  SG_IO is the main one people want. */
 
 	case SG_GET_VERSION_NUM:
@@ -1594,9 +1594,9 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
 	case SG_EMULATED_HOST:
 	case SG_IO:
 	case SCSI_IOCTL_SEND_COMMAND:
-		return scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
+		return scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
 
-	/* scsi_cmd_ioctl would normally handle these, below, but */
+	/* scsi_cmd_blk_ioctl would normally handle these, below, but */
 	/* they aren't a good fit for cciss, as CD-ROMs are */
 	/* not supported, and we don't have any bus/target/lun */
 	/* which we present to the kernel. */
diff --git a/drivers/block/ub.c b/drivers/block/ub.c
index c739b20..c6ac1b2 100644
--- a/drivers/block/ub.c
+++ b/drivers/block/ub.c
@@ -1726,10 +1726,9 @@ static int ub_bd_release(struct gendisk *disk, fmode_t mode)
 static int ub_bd_ioctl(struct block_device *bdev, fmode_t mode,
     unsigned int cmd, unsigned long arg)
 {
-	struct gendisk *disk = bdev->bd_disk;
 	void __user *usermem = (void __user *) arg;
 
-	return scsi_cmd_ioctl(disk->queue, disk, mode, cmd, usermem);
+	return scsi_cmd_blk_ioctl(bdev, mode, cmd, usermem);
 }
 
 /*
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
index 51042f0ba7..44d019b 100644
--- a/drivers/block/virtio_blk.c
+++ b/drivers/block/virtio_blk.c
@@ -200,8 +200,8 @@ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
 	if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
 		return -ENOTTY;
 
-	return scsi_cmd_ioctl(disk->queue, disk, mode, cmd,
-			      (void __user *)data);
+	return scsi_cmd_blk_ioctl(bdev, mode, cmd,
+				  (void __user *)data);
 }
 
 /* We provide getgeo only to please some old bootloader/partitioning tools */
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 614da5b..59cccc9 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2684,12 +2684,11 @@ int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
 {
 	void __user *argp = (void __user *)arg;
 	int ret;
-	struct gendisk *disk = bdev->bd_disk;
 
 	/*
 	 * Try the generic SCSI command ioctl's first.
 	 */
-	ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
+	ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
 	if (ret != -ENOTTY)
 		return ret;
 
diff --git a/drivers/ide/ide-floppy_ioctl.c b/drivers/ide/ide-floppy_ioctl.c
index 9c22882..05f024c 100644
--- a/drivers/ide/ide-floppy_ioctl.c
+++ b/drivers/ide/ide-floppy_ioctl.c
@@ -287,8 +287,7 @@ int ide_floppy_ioctl(ide_drive_t *drive, struct block_device *bdev,
 	 * and CDROM_SEND_PACKET (legacy) ioctls
 	 */
 	if (cmd != CDROM_SEND_PACKET && cmd != SCSI_IOCTL_SEND_COMMAND)
-		err = scsi_cmd_ioctl(bdev->bd_disk->queue, bdev->bd_disk,
-				mode, cmd, argp);
+		err = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
 
 	if (err == -ENOTTY)
 		err = generic_ide_ioctl(drive, bdev, cmd, arg);
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 568d363..2dd1b73 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -838,7 +838,7 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
 		case SCSI_IOCTL_GET_BUS_NUMBER:
 			return scsi_ioctl(sdp, cmd, p);
 		default:
-			error = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, p);
+			error = scsi_cmd_blk_ioctl(bdev, mode, cmd, p);
 			if (error != -ENOTTY)
 				return error;
 	}
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index a06bfab..63070ad 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -777,6 +777,8 @@ extern void blk_plug_device(struct request_queue *);
 extern void blk_plug_device_unlocked(struct request_queue *);
 extern int blk_remove_plug(struct request_queue *);
 extern void blk_recount_segments(struct request_queue *, struct bio *);
+extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
+			      unsigned int, void __user *);
 extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
 			  unsigned int, void __user *);
 extern int sg_scsi_ioctl(struct request_queue *, struct gendisk *, fmode_t,
-- 
1.7.8.2

[PATCH stable 3/4] block: fail SCSI passthrough ioctls on partition devices

[Ben Hutchings]

From: Paolo Bonzini <pbonzini@redhat.com>

commit 0bfc96cb77224736dfa35c3c555d37b3646ef35e upstream.

Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
will pass the command to the underlying block device.  This is
well-known, but it is also a large security problem when (via Unix
permissions, ACLs, SELinux or a combination thereof) a program or user
needs to be granted access only to part of the disk.

This patch lets partitions forward a small set of harmless ioctls;
others are logged with printk so that we can see which ioctls are
actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
Of course it was being sent to a (partition on a) hard disk, so it would
have failed with ENOTTY and the patch isn't changing anything in
practice.  Still, I'm treating it specially to avoid spamming the logs.

In principle, this restriction should include programs running with
CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
/dev/sdb, it still should not be able to read/write outside the
boundaries of /dev/sda2 independent of the capabilities.  However, for
now programs with CAP_SYS_RAWIO will still be allowed to send the
ioctls.  Their actions will still be logged.

This patch does not affect the non-libata IDE driver.  That driver
however already tests for bd != bd->bd_contains before issuing some
ioctl; it could be restricted further to forbid these ioctls even for
programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.

Cc: linux-scsi@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>
Cc: James Bottomley <JBottomley@parallels.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ Make it also print the command name when warning - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backport to 2.6.32 - ENOIOCTLCMD does not get converted to
 ENOTTY, so we must return ENOTTY directly]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/scsi_ioctl.c     |   45 +++++++++++++++++++++++++++++++++++++++++++++
 drivers/scsi/sd.c      |   11 +++++++++--
 include/linux/blkdev.h |    1 +
 3 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index 114ee29..2be0a97 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -24,6 +24,7 @@
 #include <linux/capability.h>
 #include <linux/completion.h>
 #include <linux/cdrom.h>
+#include <linux/ratelimit.h>
 #include <linux/slab.h>
 #include <linux/times.h>
 #include <asm/uaccess.h>
@@ -689,9 +690,53 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
 }
 EXPORT_SYMBOL(scsi_cmd_ioctl);
 
+int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
+{
+	if (bd && bd == bd->bd_contains)
+		return 0;
+
+	/* Actually none of these is particularly useful on a partition,
+	 * but they are safe.
+	 */
+	switch (cmd) {
+	case SCSI_IOCTL_GET_IDLUN:
+	case SCSI_IOCTL_GET_BUS_NUMBER:
+	case SCSI_IOCTL_GET_PCI:
+	case SCSI_IOCTL_PROBE_HOST:
+	case SG_GET_VERSION_NUM:
+	case SG_SET_TIMEOUT:
+	case SG_GET_TIMEOUT:
+	case SG_GET_RESERVED_SIZE:
+	case SG_SET_RESERVED_SIZE:
+	case SG_EMULATED_HOST:
+		return 0;
+	case CDROM_GET_CAPABILITY:
+		/* Keep this until we remove the printk below.  udev sends it
+		 * and we do not want to spam dmesg about it.   CD-ROMs do
+		 * not have partitions, so we get here only for disks.
+		 */
+		return -ENOTTY;
+	default:
+		break;
+	}
+
+	/* In particular, rule out all resets and host-specific ioctls.  */
+	printk_ratelimited(KERN_WARNING
+			   "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
+
+	return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;
+}
+EXPORT_SYMBOL(scsi_verify_blk_ioctl);
+
 int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
 		       unsigned int cmd, void __user *arg)
 {
+	int ret;
+
+	ret = scsi_verify_blk_ioctl(bd, cmd);
+	if (ret < 0)
+		return ret;
+
 	return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
 }
 EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 2dd1b73..fd8145f 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -817,6 +817,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
 	SCSI_LOG_IOCTL(1, printk("sd_ioctl: disk=%s, cmd=0x%x\n",
 						disk->disk_name, cmd));
 
+	error = scsi_verify_blk_ioctl(bdev, cmd);
+	if (error < 0)
+		return error;
+
 	/*
 	 * If we are in the middle of error recovery, don't let anyone
 	 * else try and use this device.  Also, if error recovery fails, it
@@ -996,6 +1000,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
 			   unsigned int cmd, unsigned long arg)
 {
 	struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
+	int ret;
+
+	ret = scsi_verify_blk_ioctl(bdev, cmd);
+	if (ret < 0)
+		return ret;
 
 	/*
 	 * If we are in the middle of error recovery, don't let anyone
@@ -1007,8 +1016,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
 		return -ENODEV;
 	       
 	if (sdev->host->hostt->compat_ioctl) {
-		int ret;
-
 		ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
 
 		return ret;
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 63070ad..5eb6cb0 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -777,6 +777,7 @@ extern void blk_plug_device(struct request_queue *);
 extern void blk_plug_device_unlocked(struct request_queue *);
 extern int blk_remove_plug(struct request_queue *);
 extern void blk_recount_segments(struct request_queue *, struct bio *);
+extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
 extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
 			      unsigned int, void __user *);
 extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
-- 
1.7.8.2

Re: [PATCH stable 3/4] block: fail SCSI passthrough ioctls on partition devices

[Paolo Bonzini]

On 01/17/2012 05:07 AM, Ben Hutchings wrote:
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
> [bwh: Backport to 2.6.32 - ENOIOCTLCMD does not get converted to
>   ENOTTY, so we must return ENOTTY directly]
> Signed-off-by: Ben Hutchings<ben@decadent.org.uk>

Have you tested 32-on-64?  I already did this change in the version for 
3.2 stable, but sd_compat_ioctl has to keep ENOIOCTLCMD:

> [ Cherry picked from 3ed4e7ba4be8c72051d87dcb2dec279d97a18d41
>
>   Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
>   and -ENOIOCTLCMD from sd_compat_ioctl. ]

Paolo

Re: [PATCH stable 3/4] block: fail SCSI passthrough ioctls on partition devices

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 1059 bytes --]

On Tue, 2012-01-17 at 10:55 +0100, Paolo Bonzini wrote:
> On 01/17/2012 05:07 AM, Ben Hutchings wrote:
> > Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
> > [bwh: Backport to 2.6.32 - ENOIOCTLCMD does not get converted to
> >   ENOTTY, so we must return ENOTTY directly]
> > Signed-off-by: Ben Hutchings<ben@decadent.org.uk>
> 
> Have you tested 32-on-64?  I already did this change in the version for 
> 3.2 stable, but sd_compat_ioctl has to keep ENOIOCTLCMD:

Not specifically...

> > [ Cherry picked from 3ed4e7ba4be8c72051d87dcb2dec279d97a18d41
> >
> >   Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
> >   and -ENOIOCTLCMD from sd_compat_ioctl. ]

But in 2.6.32, compat_sys_ioctl will end up returning EINVAL rather than
ENOTTY for an unhandled ioctl number.  Also, since we're denying ioctls
for security reasons rather than because we don't know how to handle
them, I don't think there's any harm in doing this.

Ben.

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]

Re: [PATCH stable 3/4] block: fail SCSI passthrough ioctls on partition devices

[Paolo Bonzini]

On 01/18/2012 05:47 AM, Ben Hutchings wrote:
> >     Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
> >     and -ENOIOCTLCMD from sd_compat_ioctl. ]
>
> But in 2.6.32, compat_sys_ioctl will end up returning EINVAL rather than
> ENOTTY for an unhandled ioctl number.

No, it won't.  The ioctl will percolate up the non-compat path and then 
sd_ioctl will return ENOTTY.

> Also, since we're denying ioctls
> for security reasons rather than because we don't know how to handle
> them, I don't think there's any harm in doing this.

There is harm.  You'll be blacklisting also the standard block device 
ioctls, and those won't work on 32-on-64 anymore.  A system with 32-bit 
userland will likely not boot anymore.  This is also somewhat exchanged 
in my original exchange with Linus.

Paolo

Re: [PATCH stable 3/4] block: fail SCSI passthrough ioctls on partition devices

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 1217 bytes --]

On Wed, 2012-01-18 at 10:00 +0100, Paolo Bonzini wrote:
> On 01/18/2012 05:47 AM, Ben Hutchings wrote:
> > >     Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
> > >     and -ENOIOCTLCMD from sd_compat_ioctl. ]
> >
> > But in 2.6.32, compat_sys_ioctl will end up returning EINVAL rather than
> > ENOTTY for an unhandled ioctl number.
> 
> No, it won't.  The ioctl will percolate up the non-compat path and then 
> sd_ioctl will return ENOTTY.

Ah, yes.

> > Also, since we're denying ioctls
> > for security reasons rather than because we don't know how to handle
> > them, I don't think there's any harm in doing this.
> 
> There is harm.  You'll be blacklisting also the standard block device 
> ioctls, and those won't work on 32-on-64 anymore.  A system with 32-bit 
> userland will likely not boot anymore.

It does (yes, I tested that myself now).  The standard block device
ioctls are handled without calling the driver's compat_ioctl.

> This is also somewhat exchanged in my original exchange with Linus.

Anyway, I agree that it is not necessary to differ from mainline here.

Ben.

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]

Re: [PATCH stable 3/4] block: fail SCSI passthrough ioctls on partition devices

[Paolo Bonzini]

On 01/18/2012 05:04 PM, Ben Hutchings wrote:
> >  There is harm.  You'll be blacklisting also the standard block device
> >  ioctls, and those won't work on 32-on-64 anymore.  A system with 32-bit
> >  userland will likely not boot anymore.
>
> It does (yes, I tested that myself now).  The standard block device
> ioctls are handled without calling the driver's compat_ioctl.

What about the non-compat path when done by non-root?

* Does BLKROSET still return EACCES when run by non-root and without 
CAP_SYS_ADMIN?  I suspect your patch is changing it to EINVAL.

* Does BLKFLSBUF work when run by non-root but with CAP_SYS_ADMIN?

Paolo

Re: [PATCH stable 3/4] block: fail SCSI passthrough ioctls on partition devices

[Greg KH]

On Tue, Jan 24, 2012 at 01:56:10PM +0100, Paolo Bonzini wrote:
> On 01/18/2012 05:04 PM, Ben Hutchings wrote:
> >>  There is harm.  You'll be blacklisting also the standard block device
> >>  ioctls, and those won't work on 32-on-64 anymore.  A system with 32-bit
> >>  userland will likely not boot anymore.
> >
> >It does (yes, I tested that myself now).  The standard block device
> >ioctls are handled without calling the driver's compat_ioctl.
> 
> What about the non-compat path when done by non-root?
> 
> * Does BLKROSET still return EACCES when run by non-root and without
> CAP_SYS_ADMIN?  I suspect your patch is changing it to EINVAL.
> 
> * Does BLKFLSBUF work when run by non-root but with CAP_SYS_ADMIN?

I'm confused here as well.

Can someone please send me the proper patch that I need to apply to
resolve this issue on the 2.6.32.y kernel?

thanks,

greg k-h

Re: [PATCH stable 3/4] block: fail SCSI passthrough ioctls on partition devices

[Greg KH]

On Wed, Jan 25, 2012 at 04:19:26PM -0800, Greg KH wrote:
> On Tue, Jan 24, 2012 at 01:56:10PM +0100, Paolo Bonzini wrote:
> > On 01/18/2012 05:04 PM, Ben Hutchings wrote:
> > >>  There is harm.  You'll be blacklisting also the standard block device
> > >>  ioctls, and those won't work on 32-on-64 anymore.  A system with 32-bit
> > >>  userland will likely not boot anymore.
> > >
> > >It does (yes, I tested that myself now).  The standard block device
> > >ioctls are handled without calling the driver's compat_ioctl.
> > 
> > What about the non-compat path when done by non-root?
> > 
> > * Does BLKROSET still return EACCES when run by non-root and without
> > CAP_SYS_ADMIN?  I suspect your patch is changing it to EINVAL.
> > 
> > * Does BLKFLSBUF work when run by non-root but with CAP_SYS_ADMIN?
> 
> I'm confused here as well.
> 
> Can someone please send me the proper patch that I need to apply to
> resolve this issue on the 2.6.32.y kernel?

Ok, I think I've queued up the correct ones, please let me know if I
messed something up.

thanks,

greg k-h

[PATCH stable 4/4] dm: do not forward ioctls from logical volumes to the underlying device

[Ben Hutchings]

From: Paolo Bonzini <pbonzini@redhat.com>

commit ec8013beddd717d1740cfefb1a9b900deef85462 upstream.

A logical volume can map to just part of underlying physical volume.
In this case, it must be treated like a partition.

Based on a patch from Alasdair G Kergon.

Cc: Alasdair G Kergon <agk@redhat.com>
Cc: dm-devel@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backport to 2.6.32 - drop change to drivers/md/dm-flakey.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-linear.c |   12 +++++++++++-
 drivers/md/dm-mpath.c  |    6 ++++++
 2 files changed, 17 insertions(+), 1 deletions(-)

diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
index 82f7d6e..7ab302d 100644
--- a/drivers/md/dm-linear.c
+++ b/drivers/md/dm-linear.c
@@ -116,7 +116,17 @@ static int linear_ioctl(struct dm_target *ti, unsigned int cmd,
 			unsigned long arg)
 {
 	struct linear_c *lc = (struct linear_c *) ti->private;
-	return __blkdev_driver_ioctl(lc->dev->bdev, lc->dev->mode, cmd, arg);
+	struct dm_dev *dev = lc->dev;
+	int r = 0;
+
+	/*
+	 * Only pass ioctls through if the device sizes match exactly.
+	 */
+	if (lc->start ||
+	    ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
+		r = scsi_verify_blk_ioctl(NULL, cmd);
+
+	return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
 }
 
 static int linear_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index b03cd39..4ec5fe2 100644
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1464,6 +1464,12 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
 
 	spin_unlock_irqrestore(&m->lock, flags);
 
+	/*
+	 * Only pass ioctls through if the device sizes match exactly.
+	 */
+	if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
+		r = scsi_verify_blk_ioctl(NULL, cmd);
+
 	return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
 }
 
-- 
1.7.8.2

Re: [PATCH v2 2/3] block: fail SCSI passthrough ioctls on partition devices

[Greg KH]

On Sat, Jan 14, 2012 at 03:43:01PM -0800, Linus Torvalds wrote:
> On Thu, Jan 12, 2012 at 7:01 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> > +       case CDROM_GET_CAPABILITY:
> > +               /* Keep this until we remove the printk below.  udev sends it
> > +                * and we do not want to spam dmesg about it.   CD-ROMs do
> > +                * not have partitions, so we get here only for disks.
> > +                */
> > +               return -ENOIOCTLCMD;
> 
> Looks like CDROMMULTISESSION is another of these.
> 
> I get two of these:
> 
>    mount: sending ioctl 5310 to a partition!
> 
> with Fedora 14 whenever a USB stick is inserted (I changed your patch
> to also print the name of the program). Let's see if anything else
> pops up.
> 
> Anyway, with the changes to print out warnings and still allow it for
> root, this all looked safe and nice, so they are in my tree now. I
> only noticed after applying them that you hadn't marked them with 'cc:
> stable@kernel.org', so we should probably point Greg at them. They are
> commits
> 
>   577ebb374c78 block: add and use scsi_blk_cmd_ioctl
>   0bfc96cb7722 block: fail SCSI passthrough ioctls on partition devices
>   ec8013beddd7 dm: do not forward ioctls from logical volumes to the
> underlying device
> 
> in my tree now.

Thanks, I've queued them all up for the 3.2 and 3.0-stable trees.

greg k-h

[PATCH v2 3/3] dm: do not forward ioctls from logical volumes to the underlying device

[Paolo Bonzini]

A logical volume can map to just part of underlying physical volume.
In this case, it must be treated like a partition.

Based on a patch from Alasdair G Kergon.

Cc: Alasdair G Kergon <agk@redhat.com>
Cc: dm-devel@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 drivers/md/dm-flakey.c |   11 ++++++++++-
 drivers/md/dm-linear.c |   12 +++++++++++-
 drivers/md/dm-mpath.c  |    6 ++++++
 3 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
index f84c080..9fb18c1 100644
--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -368,8 +368,17 @@ static int flakey_status(struct dm_target *ti, status_type_t type,
 static int flakey_ioctl(struct dm_target *ti, unsigned int cmd, unsigned long arg)
 {
 	struct flakey_c *fc = ti->private;
+	struct dm_dev *dev = fc->dev;
+	int r = 0;
 
-	return __blkdev_driver_ioctl(fc->dev->bdev, fc->dev->mode, cmd, arg);
+	/*
+	 * Only pass ioctls through if the device sizes match exactly.
+	 */
+	if (fc->start ||
+	    ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
+		r = scsi_verify_blk_ioctl(NULL, cmd);
+
+	return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
 }
 
 static int flakey_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
index 3921e3b..9728839 100644
--- a/drivers/md/dm-linear.c
+++ b/drivers/md/dm-linear.c
@@ -116,7 +116,17 @@ static int linear_ioctl(struct dm_target *ti, unsigned int cmd,
 			unsigned long arg)
 {
 	struct linear_c *lc = (struct linear_c *) ti->private;
-	return __blkdev_driver_ioctl(lc->dev->bdev, lc->dev->mode, cmd, arg);
+	struct dm_dev *dev = lc->dev;
+	int r = 0;
+
+	/*
+	 * Only pass ioctls through if the device sizes match exactly.
+	 */
+	if (lc->start ||
+	    ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
+		r = scsi_verify_blk_ioctl(NULL, cmd);
+
+	return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
 }
 
 static int linear_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index 5e0090e..801d92d 100644
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1520,6 +1520,12 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
 
 	spin_unlock_irqrestore(&m->lock, flags);
 
+	/*
+	 * Only pass ioctls through if the device sizes match exactly.
+	 */
+	if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
+		r = scsi_verify_blk_ioctl(NULL, cmd);
+
 	return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
 }
 
-- 
1.7.7.1

Re: [PATCH v2 0/3] possible privilege escalation via SG_IO ioctl (CVE-2011-4127)

[Douglas Gilbert]

On 12-01-12 10:01 AM, Paolo Bonzini wrote:
> Partition block devices or LVM volumes can be sent SCSI commands via
> SG_IO, which are then passed down to the underlying device; it's
> been this way forever, it was mentioned in 2004 in LKML at
> https://lkml.org/lkml/2004/8/12/218 and it is even documented in the
> sg_dd man page:
>
>      blk_sgio=1
>                when set to 0, block devices (e.g. /dev/sda) are treated
>                like normal files (i.e. read(2) and write(2) are used for
>                IO). When set to 1, block devices are assumed to accept the
>                SG_IO ioctl and  SCSI commands are issued for IO. [...]
>                If the input or output device is a block device partition
>                (e.g. /dev/sda3) then setting this option causes the
>                partition information to be ignored (since access is
>                directly to the underlying device).

The ability to use the SG_IO ioctl on a block device was added at
the start of the lk 2.6 series. It should have been restricted to
non-partition block device nodes (e.g. allowed on /dev/sda,
disallowed on /dev/sda3).

The successor to sg_dd is called ddpt which will abort a copy when
the pass-through (requested by "iflag=pt") is used on a partition
node:

# ddpt if=/dev/sda3 iflag=pt bs=512 of=/dev/null count=1
 >> warning: Size of input block device is different from pt size.
 >> Pass-through on block partition can give unexpected offsets.
 >> Abort copy, use iflag=force to override.

ddpt is ported to FreeBSD and Win32. The ability to call a pass-through
on a partition node is a Linux specific problem.

> This is problematic because "safe" SCSI commands, including READ or WRITE,
> can be sent to the disk without any particular capability.  All that is
> required is having a file descriptor for the block device, and permission
> to send a ioctl.  However, when a user lets a program access /dev/sda2,
> it still should not be able to read/write /dev/sda outside the boundaries
> of that partition.
>
> Encryption on the host is a mitigating factor, but it does not provide
> a full solution.  In particular it doesn't protect against DoS (write
> random data), replay attacks (reinstate old ciphertext sectors), or
> writes to unencrypted areas including the MBR, the partition table, or
> /boot.
>
> The patches implement a simple global whitelist for both partitions
> and partial disk mappings.  Patch 1 refactors the code to prepare for
> introduction of the whitelist, while patch 2 actually implements it for
> the SCSI ioctls.  Logical volumes are also affected if they have only one
> target, and this target can pass ioctls to the underlying block device.
> Patch 3 thus adds the whitelist to logical volumes as well.
>
> This should be entirely independent of capabilities.  Continuing the
> previous example, if the same user gives CAP_SYS_RAWIO to the program and
> write access to /dev/sdb, the program should be able to send arbitrary
> SCSI commands to /dev/sdb, but still should not be able to access /dev/sda
> outside the boundaries of /dev/sda2.  However, for now when the program
> has CAP_SYS_RAWIO the ioctls are let through (while still being logged
> to dmesg).
>
> drivers/ide/ has several ioctls that should only be restricted to the full
> block device (for example HDIO_SET_*, HDIO_DRIVE_CMD, HDIO_DRIVE_TASK,
> HDIO_DRIVE_RESET).  However, all of them require either CAP_SYS_ADMIN
> or CAP_SYS_RAWIO, so they do not need any change given the above interim
> measure.
>
> Tested on top of 3.2 + Linus's patch to sanitize ioctl return values.

Is that a fixed version of patch at the end of this post:
     http://marc.info/?l=linux-kernel&m=132578310403616&w=2
The fix being
   s/ENOIOCTLCMD/-ENOIOCTLCMD/
in is_unrecognized_ioctl() ?

If not could you post the patch you are referring to the linux-scsi
list. Also could you post "PATCH v2 3/3 ..." to this list as well so
we have a complete set?

Doug Gilbert

Re: [PATCH v2 0/3] possible privilege escalation via SG_IO ioctl (CVE-2011-4127)

[Paolo Bonzini]

On 01/16/2012 02:04 AM, Douglas Gilbert wrote:
>>
>>
>> Tested on top of 3.2 + Linus's patch to sanitize ioctl return values.
>
> Is that a fixed version of patch at the end of this post:
> http://marc.info/?l=linux-kernel&m=132578310403616&w=2
> The fix being
>    s/ENOIOCTLCMD/-ENOIOCTLCMD/
> in is_unrecognized_ioctl() ?

Yes.  I cherry-picked it from Linus's tree.

> Also could you post "PATCH v2 3/3 ..." to this list as well so
> we have a complete set?

FWIW, 3/3 only touches LVM.

Paolo