From: Paolo Bonzini <pbonzini@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: tj@kernel.org, pmatouse@redhat.com,
"James E.J. Bottomley" <JBottomley@parallels.com>,
linux-scsi@kernel.org, Jens Axboe <axboe@kernel.dk>
Subject: [PATCH 04/13] sg_io: resolve conflicts between commands assigned to multiple classes (CVE-2012-4542)
Date: Thu, 24 Jan 2013 16:00:40 +0100
Message-ID: <1359039649-17734-5-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1359039649-17734-1-git-send-email-pbonzini@redhat.com>
Some SCSI commands can be sent to disks via SG_IO even by unprivileged
users. Unfortunately, some opcodes overlap across SCSI device classes
and have different meanings for different classes. Four of them can
be used for read-only file descriptors on MMC, but should be limited to
descriptors opened for read-write on SBC:
The current bitmap of allowed commands is designed for MMC devices
(roughly, "play/burn CDs without requiring root").
- READ SUBCHANNEL <-> UNMAP (destructive, but no control on written
data)
- GET PERFORMANCE <-> ERASE (not really a problem, no one supports
ERASE anyway)
- READ DISC INFORMATION <-> XPWRITE (not commonly implemented but
most dangerous)
- PLAY AUDIO TI <-> SANITIZE (a very new command)
To fix this, the series splits the bitmap entries for these four
commands into two entries, one read-only for MMC and one read-write
for the other device classes.
Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
Cc: linux-scsi@kernel.org
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
block/scsi_ioctl.c | 12 ++++++++----
1 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index e68add2..c266546 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -181,29 +181,33 @@ static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
sgio_bitmap_set(0x2E, D| W|R|O| B|K , write); // WRITE AND VERIFY(10)
sgio_bitmap_set(0x35, D| W|R|O| B|K , write); // SYNCHRONIZE CACHE(10)
sgio_bitmap_set(0x3F, D| W| O , write); // WRITE LONG(10)
+ sgio_bitmap_set(0x42, D , write); // UNMAP
+ sgio_bitmap_set(0x48, D| B , write); // SANITIZE
+ sgio_bitmap_set(0x51, D , write); // XPWRITE(10)
sgio_bitmap_set(0x8A, D|T| W| O| B , write); // WRITE(16)
sgio_bitmap_set(0xAA, D| W|R|O| C , write); // WRITE(12)
+ sgio_bitmap_set(0xAC, O , write); // ERASE(12)
sgio_bitmap_set(0xAE, D| W| O , write); // WRITE AND VERIFY(12)
sgio_bitmap_set(0xEA, D| W| O , write); // WRITE_LONG_2 ??
/* (mostly) MMC */
sgio_bitmap_set(0x23, R , read); // READ FORMAT CAPACITIES
- sgio_bitmap_set(0x42, D| R , read); // READ SUB-CHANNEL / UNMAP !!
+ sgio_bitmap_set(0x42, R , read); // READ SUB-CHANNEL
sgio_bitmap_set(0x43, R , read); // READ TOC/PMA/ATIP
sgio_bitmap_set(0x44, T| R| V , read); // READ HEADER
sgio_bitmap_set(0x45, R , read); // PLAY AUDIO(10)
sgio_bitmap_set(0x46, R , read); // GET CONFIGURATION
sgio_bitmap_set(0x47, R , read); // PLAY AUDIO MSF
- sgio_bitmap_set(0x48, D| R| B , read); // PLAY AUDIO TI / SANITIZE !!
+ sgio_bitmap_set(0x48, R , read); // PLAY AUDIO TI
sgio_bitmap_set(0x4A, R , read); // GET EVENT STATUS NOTIFICATION
sgio_bitmap_set(0x4B, R , read); // PAUSE/RESUME
sgio_bitmap_set(0x4E, R , read); // STOP PLAY/SCAN
- sgio_bitmap_set(0x51, D| R , read); // READ DISC INFORMATION / XPWRITE(10) !!
+ sgio_bitmap_set(0x51, R , read); // READ DISC INFORMATION
sgio_bitmap_set(0x52, R , read); // READ TRACK INFORMATION
sgio_bitmap_set(0x5C, R , read); // READ BUFFER CAPACITY
sgio_bitmap_set(0xA4, R , read); // REPORT KEY
- sgio_bitmap_set(0xAC, R|O , read); // GET PERFORMANCE / ERASE !!
+ sgio_bitmap_set(0xAC, R , read); // GET PERFORMANCE
sgio_bitmap_set(0xAD, R , read); // READ DVD STRUCTURE
sgio_bitmap_set(0xB9, R , read); // READ CD MSF
sgio_bitmap_set(0xBA, R , read); // SCAN
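Review bot: the same opcode now appears once in the write list and once in the read list with disjoint class masks (`+ sgio_bitmap_set(0x42, D , write); // UNMAP` against `+ sgio_bitmap_set(0x42, R , read); // READ SUB-CHANNEL`), so the fix only holds if sgio_bitmap_set() maintains a bitmap per device class rather than a single bit per opcode; a one-line comment above these entries (or a sentence in the commit message) stating that invariant would stop a later cleanup from re-merging them, and keeping the old cross-reference in the comment (e.g. `// UNMAP (READ SUB-CHANNEL on MMC)`) would make the overlap visible at the point where it matters. The class sets moved to the write side (D, D|B, D, O) are exactly the bits dropped from the four read entries, so no device class loses the command outright, only the read-only-descriptor path.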
--
1.7.1
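To make the split concrete, the following is an added model, not the kernel's code, of a per-class read/write opcode bitmap holding just the four entries this patch changes, with `before_fix` reproducing the merged "-" entries the patch removes. The class letters, the bitmap layout and the `allowed()` check are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Device-class bits, named after the letters in the patch's sgio_bitmap_set()
 * calls (assumption: only the classes these four opcodes touch). */
enum { D = 1 << 0, R = 1 << 1, O = 1 << 2, B = 1 << 3, NCLASSES = 4 };
/* One 256-bit opcode map per class for each filter (read-only fd / writable fd). */
struct sgio_filter { uint8_t read[NCLASSES][32], write[NCLASSES][32]; };

static void bitmap_set(uint8_t map[][32], unsigned opcode, unsigned classes)
{
    for (int c = 0; c < NCLASSES; c++)
        if (classes & (1u << c))
            map[c][opcode / 8] |= (uint8_t)(1u << (opcode % 8));
}
static bool bitmap_test(uint8_t map[][32], unsigned opcode, int c)
{
    return map[c][opcode / 8] & (1u << (opcode % 8));
}
/* Only the four opcodes this patch splits.  before_fix reproduces the
 * removed "-" entries, where D/B/O shared the MMC read-only entry. */
static void set_defaults(struct sgio_filter *f, bool before_fix)
{
    memset(f, 0, sizeof *f);
    if (before_fix) {
        bitmap_set(f->read, 0x42, D | R);     /* READ SUB-CHANNEL / UNMAP */
        bitmap_set(f->read, 0x48, D | R | B); /* PLAY AUDIO TI / SANITIZE */
        bitmap_set(f->read, 0x51, D | R);     /* READ DISC INFO / XPWRITE */
        bitmap_set(f->read, 0xAC, R | O);     /* GET PERFORMANCE / ERASE */
        return;
    }
    bitmap_set(f->write, 0x42, D);     /* UNMAP */
    bitmap_set(f->write, 0x48, D | B); /* SANITIZE */
    bitmap_set(f->write, 0x51, D);     /* XPWRITE(10) */
    bitmap_set(f->write, 0xAC, O);     /* ERASE(12) */
    bitmap_set(f->read, 0x42, R);      /* READ SUB-CHANNEL */
    bitmap_set(f->read, 0x48, R);      /* PLAY AUDIO TI */
    bitmap_set(f->read, 0x51, R);      /* READ DISC INFORMATION */
    bitmap_set(f->read, 0xAC, R);      /* GET PERFORMANCE */
}
/* A read-only fd may only use the read map; a writable fd may use either. */
static bool allowed(unsigned class_bit, unsigned opcode, bool fd_writable, bool before_fix)
{
    struct sgio_filter f; int c = 0;
    set_defaults(&f, before_fix);
    while (!(class_bit & (1u << c))) c++;   /* class mask -> bitmap index */
    return bitmap_test(f.read, opcode, c) || (fd_writable && bitmap_test(f.write, opcode, c));
}
```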
Thread overview:
2013-01-24 15:00 [PATCH 00/13] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542) Paolo Bonzini
2013-01-24 15:00 ` [PATCH 01/13] sg_io: pass request_queue to blk_verify_command Paolo Bonzini
2013-01-24 22:34 ` Tejun Heo
2013-01-24 15:00 ` [PATCH 02/13] sg_io: reorganize list of allowed commands Paolo Bonzini
2013-01-24 22:42 ` Tejun Heo
2013-01-24 22:49 ` Tejun Heo
2013-01-24 22:58 ` Tejun Heo
2013-01-25 10:01 ` Paolo Bonzini
2013-01-25 17:13 ` Tejun Heo
2013-01-25 17:26 ` Paolo Bonzini
2013-01-24 15:00 ` [PATCH 03/13] sg_io: use different default filters for each device class Paolo Bonzini
2013-01-24 15:00 ` Paolo Bonzini [this message]
2013-01-24 15:00 ` [PATCH 05/13] sg_io: whitelist a few more commands for rare & obsolete device types Paolo Bonzini
2013-01-24 15:00 ` [PATCH 06/13] sg_io: whitelist a few more commands for multimedia devices Paolo Bonzini
2013-01-24 22:55 ` Tejun Heo
2013-01-25 9:26 ` Paolo Bonzini
2013-01-25 17:04 ` Tejun Heo
2013-01-25 17:16 ` Paolo Bonzini
2013-01-25 17:28 ` Tejun Heo
2013-01-25 17:57 ` Paolo Bonzini
2013-01-25 18:13 ` Tejun Heo
2013-01-25 18:47 ` Paolo Bonzini
2013-01-25 19:01 ` Tejun Heo
2013-01-25 22:32 ` Paolo Bonzini
2013-01-25 22:41 ` Tejun Heo
2013-01-25 23:32 ` Paolo Bonzini
2013-01-25 23:47 ` Tejun Heo
2013-01-26 10:18 ` Paolo Bonzini
2013-01-24 15:00 ` [PATCH 07/13] sg_io: whitelist a few more commands for media changers Paolo Bonzini
2013-01-24 15:00 ` [PATCH 08/13] sg_io: whitelist a few more commands for tapes Paolo Bonzini
2013-01-24 15:00 ` [PATCH 09/13] sg_io: whitelist a few more commands for disks Paolo Bonzini
2013-01-24 15:00 ` [PATCH 10/13] sg_io: whitelist a few obsolete commands Paolo Bonzini
2013-01-24 15:00 ` [PATCH 11/13] sg_io: add list of commands that were in the consulted list but are disabled Paolo Bonzini
2013-01-24 15:00 ` [PATCH 12/13] sg_io: remove remnants of sysfs SG_IO filters Paolo Bonzini
2013-01-24 15:00 ` [PATCH 13/13] sg_io: introduce unpriv_sgio queue flag Paolo Bonzini