[kernel] r18743 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Feb 27 01:13:10 UTC 2012
Author: dannf
Date: Mon Feb 27 01:13:09 2012
New Revision: 18743
Log:
* Restrict ioctl forwarding on partitions and logical volumes (CVE-2011-4127)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-add-and-use-scsi_blk_cmd_ioctl.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-fail-SCSI-passthrough-ioctls-on-partition-devices.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dm-do-not-forward-ioctls-from-logical-volumes-to-the-underlying-device.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/27lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Feb 26 18:30:56 2012 (r18742)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Feb 27 01:13:09 2012 (r18743)
@@ -11,6 +11,7 @@
* hfs: add sanity check for file name length (CVE-2011-4330)
* [powerpc] oprofile: Handle events that raise an exception without
overflowing (CVE-2011-4347)
+ * Restrict ioctl forwarding on partitions and logical volumes (CVE-2011-4127)
-- dann frazier <dannf at debian.org> Fri, 06 Jan 2012 21:15:07 -0700
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-add-and-use-scsi_blk_cmd_ioctl.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-add-and-use-scsi_blk_cmd_ioctl.patch Mon Feb 27 01:13:09 2012 (r18743)
@@ -0,0 +1,159 @@
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Thu, 12 Jan 2012 15:01:27 +0000 (+0100)
+Subject: block: add and use scsi_blk_cmd_ioctl
+X-Git-Tag: v2.6.27.60~3
+X-Git-Url: https://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-stable.git;a=commitdiff_plain;h=7d064959836f6ab504b80a6ad858ed14aa0bb7a0
+
+block: add and use scsi_blk_cmd_ioctl
+
+commit 577ebb374c78314ac4617242f509e2f5e7156649 upstream.
+
+Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+The function will then be enhanced to detect partition block devices
+and, in that case, subject the ioctls to whitelisting.
+
+Cc: linux-scsi at vger.kernel.org
+Cc: Jens Axboe <axboe at kernel.dk>
+Cc: James Bottomley <JBottomley at parallels.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+[bwh: Backport to 2.6.32 - adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+[wt: slightly changed the interface to match 2.6.27's scsi_cmd_ioctl()
+ which still needs the file pointer but has no mode parameter].
+
+Signed-off-by: Willy Tarreau <w at 1wt.eu>
+[dannf: backported to Debian's 2.6.26]
+---
+
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 29c6b82..1b2dbab 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -676,3 +676,11 @@ int scsi_cmd_ioctl(struct file *file, struct request_queue *q,
+ }
+
+ EXPORT_SYMBOL(scsi_cmd_ioctl);
++
++int scsi_cmd_blk_ioctl(struct file *file, struct block_device *bd,
++ unsigned int cmd, void __user *arg)
++{
++ return scsi_cmd_ioctl(file, bd->bd_disk->queue, bd->bd_disk, cmd, arg);
++}
++EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
++
+diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
+index 8ac9563..d7f2125 100644
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -1230,7 +1230,7 @@ static int cciss_ioctl(struct inode *inode, struct file *filep,
+ return status;
+ }
+
+- /* scsi_cmd_ioctl handles these, below, though some are not */
++ /* scsi_cmd_blk_ioctl handles these, below, though some are not */
+ /* very meaningful for cciss. SG_IO is the main one people want. */
+
+ case SG_GET_VERSION_NUM:
+@@ -1241,9 +1241,9 @@ static int cciss_ioctl(struct inode *inode, struct file *filep,
+ case SG_EMULATED_HOST:
+ case SG_IO:
+ case SCSI_IOCTL_SEND_COMMAND:
+- return scsi_cmd_ioctl(filep, disk->queue, disk, cmd, argp);
++ return scsi_cmd_blk_ioctl(filep, bdev, cmd, argp);
+
+- /* scsi_cmd_ioctl would normally handle these, below, but */
++ /* scsi_cmd_blk_ioctl would normally handle these, below, but */
+ /* they aren't a good fit for cciss, as CD-ROMs are */
+ /* not supported, and we don't have any bus/target/lun */
+ /* which we present to the kernel. */
+diff --git a/drivers/block/ub.c b/drivers/block/ub.c
+index 3a281ef..a05a76f 100644
+--- a/drivers/block/ub.c
++++ b/drivers/block/ub.c
+@@ -1729,10 +1729,9 @@ static int ub_bd_release(struct inode *inode, struct file *filp)
+ static int ub_bd_ioctl(struct inode *inode, struct file *filp,
+ unsigned int cmd, unsigned long arg)
+ {
+- struct gendisk *disk = inode->i_bdev->bd_disk;
+ void __user *usermem = (void __user *) arg;
+
+- return scsi_cmd_ioctl(filp, disk->queue, disk, cmd, usermem);
++ return scsi_cmd_blk_ioctl(filp, inode->i_bdev, cmd, usermem);
+ }
+
+ /*
+diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
+index 141c0e7..6e763d0 100644
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -149,8 +149,7 @@ static void do_virtblk_request(struct request_queue *q)
+ static int virtblk_ioctl(struct inode *inode, struct file *filp,
+ unsigned cmd, unsigned long data)
+ {
+- return scsi_cmd_ioctl(filp, inode->i_bdev->bd_disk->queue,
+- inode->i_bdev->bd_disk, cmd,
++ return scsi_cmd_blk_ioctl(filp, inode->i_bdev, cmd,
+ (void __user *)data);
+ }
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index 69f26eb..262808b 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2766,12 +2766,11 @@ int cdrom_ioctl(struct file * file, struct cdrom_device_info *cdi,
+ {
+ void __user *argp = (void __user *)arg;
+ int ret;
+- struct gendisk *disk = ip->i_bdev->bd_disk;
+
+ /*
+ * Try the generic SCSI command ioctl's first.
+ */
+- ret = scsi_cmd_ioctl(file, disk->queue, disk, cmd, argp);
++ ret = scsi_cmd_blk_ioctl(file, ip->i_bdev, cmd, argp);
+ if (ret != -ENOTTY)
+ return ret;
+
+diff --git a/drivers/ide/ide-floppy.c b/drivers/ide/ide-floppy.c
+index f05fbc2..8dcff31 100644
+--- a/drivers/ide/ide-floppy.c
++++ b/drivers/ide/ide-floppy.c
+@@ -1562,8 +1562,7 @@ static int idefloppy_ioctl(struct inode *inode, struct file *file,
+ * and CDROM_SEND_PACKET (legacy) ioctls
+ */
+ if (cmd != CDROM_SEND_PACKET && cmd != SCSI_IOCTL_SEND_COMMAND)
+- err = scsi_cmd_ioctl(file, bdev->bd_disk->queue,
+- bdev->bd_disk, cmd, argp);
++ err = scsi_cmd_blk_ioctl(file, bdev, cmd, argp);
+ else
+ err = -ENOTTY;
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 01cefbb..0df5754 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -729,7 +729,7 @@ static int sd_ioctl(struct inode * inode, struct file * filp,
+ case SCSI_IOCTL_GET_BUS_NUMBER:
+ return scsi_ioctl(sdp, cmd, p);
+ default:
+- error = scsi_cmd_ioctl(filp, disk->queue, disk, cmd, p);
++ error = scsi_cmd_blk_ioctl(filp, bdev, cmd, p);
+ if (error != -ENOTTY)
+ return error;
+ }
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 024ee49..7242514 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -633,6 +633,8 @@ extern int blk_remove_plug(struct request_queue *);
+ extern void blk_recount_segments(struct request_queue *, struct bio *);
+ extern int scsi_cmd_ioctl(struct file *, struct request_queue *,
+ struct gendisk *, unsigned int, void __user *);
++extern int scsi_cmd_blk_ioctl(struct file *, struct block_device *,
++ unsigned int, void __user *);
+ extern int sg_scsi_ioctl(struct file *, struct request_queue *,
+ struct gendisk *, struct scsi_ioctl_command __user *);
+
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-fail-SCSI-passthrough-ioctls-on-partition-devices.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/block-fail-SCSI-passthrough-ioctls-on-partition-devices.patch Mon Feb 27 01:13:09 2012 (r18743)
@@ -0,0 +1,161 @@
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Tue, 17 Jan 2012 04:07:02 +0000 (+0000)
+Subject: block: fail SCSI passthrough ioctls on partition devices
+X-Git-Tag: v2.6.27.60~2
+X-Git-Url: https://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-stable.git;a=commitdiff_plain;h=4d6fe88a64e3bbaf5df110044af3046a41c3f37b
+
+block: fail SCSI passthrough ioctls on partition devices
+
+commit 0bfc96cb77224736dfa35c3c555d37b3646ef35e upstream.
+
+[ Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
+ and -ENOIOCTLCMD from sd_compat_ioctl. ]
+
+Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+will pass the command to the underlying block device. This is
+well-known, but it is also a large security problem when (via Unix
+permissions, ACLs, SELinux or a combination thereof) a program or user
+needs to be granted access only to part of the disk.
+
+This patch lets partitions forward a small set of harmless ioctls;
+others are logged with printk so that we can see which ioctls are
+actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+Of course it was being sent to a (partition on a) hard disk, so it would
+have failed with ENOTTY and the patch isn't changing anything in
+practice. Still, I'm treating it specially to avoid spamming the logs.
+
+In principle, this restriction should include programs running with
+CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+/dev/sdb, it still should not be able to read/write outside the
+boundaries of /dev/sda2 independent of the capabilities. However, for
+now programs with CAP_SYS_RAWIO will still be allowed to send the
+ioctls. Their actions will still be logged.
+
+This patch does not affect the non-libata IDE driver. That driver
+however already tests for bd != bd->bd_contains before issuing some
+ioctl; it could be restricted further to forbid these ioctls even for
+programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+Cc: linux-scsi at vger.kernel.org
+Cc: Jens Axboe <axboe at kernel.dk>
+Cc: James Bottomley <JBottomley at parallels.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[ Make it also print the command name when warning - Linus ]
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backport to 2.6.32 - ENOIOCTLCMD does not get converted to
+ ENOTTY, so we must return ENOTTY directly]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+
+Signed-off-by: Willy Tarreau <w at 1wt.eu>
+[dannf: backported to Debian's 2.6.26]
+---
+
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 1b2dbab..8476f16 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -677,9 +677,55 @@ int scsi_cmd_ioctl(struct file *file, struct request_queue *q,
+
+ EXPORT_SYMBOL(scsi_cmd_ioctl);
+
++int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
++{
++ if (bd && bd == bd->bd_contains)
++ return 0;
++
++ /* Actually none of these is particularly useful on a partition,
++ * but they are safe.
++ */
++ switch (cmd) {
++ case SCSI_IOCTL_GET_IDLUN:
++ case SCSI_IOCTL_GET_BUS_NUMBER:
++ case SCSI_IOCTL_GET_PCI:
++ case SCSI_IOCTL_PROBE_HOST:
++ case SG_GET_VERSION_NUM:
++ case SG_SET_TIMEOUT:
++ case SG_GET_TIMEOUT:
++ case SG_GET_RESERVED_SIZE:
++ case SG_SET_RESERVED_SIZE:
++ case SG_EMULATED_HOST:
++ return 0;
++ case CDROM_GET_CAPABILITY:
++ /* Keep this until we remove the printk below. udev sends it
++ * and we do not want to spam dmesg about it. CD-ROMs do
++ * not have partitions, so we get here only for disks.
++ */
++ return -ENOTTY;
++ default:
++ break;
++ }
++
++ /* In particular, rule out all resets and host-specific ioctls. */
++ if (printk_ratelimit())
++ printk(KERN_WARNING
++ "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
++
++ return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;
++}
++EXPORT_SYMBOL(scsi_verify_blk_ioctl);
++
++
+ int scsi_cmd_blk_ioctl(struct file *file, struct block_device *bd,
+ unsigned int cmd, void __user *arg)
+ {
++ int ret;
++
++ ret = scsi_verify_blk_ioctl(bd, cmd);
++ if (ret < 0)
++ return ret;
++
+ return scsi_cmd_ioctl(file, bd->bd_disk->queue, bd->bd_disk, cmd, arg);
+ }
+ EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 0df5754..8a493b9 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -709,6 +709,10 @@ static int sd_ioctl(struct inode * inode, struct file * filp,
+ SCSI_LOG_IOCTL(1, printk("sd_ioctl: disk=%s, cmd=0x%x\n",
+ disk->disk_name, cmd));
+
++ error = scsi_verify_blk_ioctl(bdev, cmd);
++ if (error < 0)
++ return error;
++
+ /*
+ * If we are in the middle of error recovery, don't let anyone
+ * else try and use this device. Also, if error recovery fails, it
+@@ -887,6 +891,11 @@ static long sd_compat_ioctl(struct file *file, unsigned int cmd, unsigned long a
+ struct block_device *bdev = file->f_path.dentry->d_inode->i_bdev;
+ struct gendisk *disk = bdev->bd_disk;
+ struct scsi_device *sdev = scsi_disk(disk)->device;
++ int ret;
++
++ ret = scsi_verify_blk_ioctl(bdev, cmd);
++ if (ret < 0)
++ return -ENOIOCTLCMD;
+
+ /*
+ * If we are in the middle of error recovery, don't let anyone
+@@ -898,8 +907,6 @@ static long sd_compat_ioctl(struct file *file, unsigned int cmd, unsigned long a
+ return -ENODEV;
+
+ if (sdev->host->hostt->compat_ioctl) {
+- int ret;
+-
+ ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
+
+ return ret;
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 7242514..d598e95 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -631,6 +631,7 @@ extern void blk_requeue_request(struct request_queue *, struct request *);
+ extern void blk_plug_device(struct request_queue *);
+ extern int blk_remove_plug(struct request_queue *);
+ extern void blk_recount_segments(struct request_queue *, struct bio *);
++extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
+ extern int scsi_cmd_ioctl(struct file *, struct request_queue *,
+ struct gendisk *, unsigned int, void __user *);
+ extern int scsi_cmd_blk_ioctl(struct file *, struct block_device *,
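Review bot: In drivers/scsi/sd.c `scsi_verify_blk_ioctl(bdev, cmd)` now runs at the top of sd_ioctl() and again inside `scsi_cmd_blk_ioctl()` on the default path, so a CAP_SYS_RAWIO process sending a passthrough command such as SG_IO to a partition (handled on the default path, as far as this hunk shows) gets the check twice and, subject to printk_ratelimit(), two "sending ioctl ... to a partition!" warnings per call. The early call is still needed for the SCSI_IOCTL_GET_IDLUN/GET_BUS_NUMBER branch that never reaches scsi_cmd_blk_ioctl(), so rather than diverge from upstream I would keep it and annotate the default branch with `/* scsi_cmd_blk_ioctl() re-runs scsi_verify_blk_ioctl(); the duplicate is harmless */`. Note that `return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;` means the restriction is not a hard boundary: a capable caller is only logged, so the changelog's "restrict" applies to unprivileged holders of a partition. The whitelist also admits SG_SET_TIMEOUT and SG_SET_RESERVED_SIZE; if these still write the shared request_queue fields as in mainline, a partition holder can alter disk-wide passthrough parameters — worth confirming against the scsi_cmd_ioctl() body, which is outside this hunk, as are the remainders of sd_ioctl() and sd_compat_ioctl().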
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dm-do-not-forward-ioctls-from-logical-volumes-to-the-underlying-device.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dm-do-not-forward-ioctls-from-logical-volumes-to-the-underlying-device.patch Mon Feb 27 01:13:09 2012 (r18743)
@@ -0,0 +1,70 @@
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Tue, 17 Jan 2012 04:07:31 +0000 (+0000)
+Subject: dm: do not forward ioctls from logical volumes to the underlying device
+X-Git-Tag: v2.6.27.60~1
+X-Git-Url: https://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-stable.git;a=commitdiff_plain;h=8eca6dc41431c18b75ccdc2f04df589ddca4e0dc
+
+dm: do not forward ioctls from logical volumes to the underlying device
+
+commit ec8013beddd717d1740cfefb1a9b900deef85462 upstream.
+
+A logical volume can map to just part of underlying physical volume.
+In this case, it must be treated like a partition.
+
+Based on a patch from Alasdair G Kergon.
+
+Cc: Alasdair G Kergon <agk at redhat.com>
+Cc: dm-devel at redhat.com
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backport to 2.6.32 - drop change to drivers/md/dm-flakey.c]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+
+Signed-off-by: Willy Tarreau <w at 1wt.eu>
+[dannf: adjusted to apply to Debian's 2.6.26]
+---
+
+diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
+index 17753d8..20a7e83 100644
+--- a/drivers/md/dm-linear.c
++++ b/drivers/md/dm-linear.c
+@@ -106,12 +106,20 @@ static int linear_ioctl(struct dm_target *ti, struct inode *inode,
+ struct block_device *bdev = lc->dev->bdev;
+ struct file fake_file = {};
+ struct dentry fake_dentry = {};
++ int r = 0;
+
+ fake_file.f_mode = lc->dev->mode;
+ fake_file.f_path.dentry = &fake_dentry;
+ fake_dentry.d_inode = bdev->bd_inode;
+
+- return blkdev_driver_ioctl(bdev->bd_inode, &fake_file, bdev->bd_disk, cmd, arg);
++ /*
++ * Only pass ioctls through if the device sizes match exactly.
++ */
++ if (lc->start ||
++ ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
++ r = scsi_verify_blk_ioctl(NULL, cmd);
++
++ return r ? : blkdev_driver_ioctl(bdev->bd_inode, &fake_file, bdev->bd_disk, cmd, arg);
+ }
+
+ static struct target_type linear_target = {
+diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
+index e7ee59e..69ccb52 100644
+--- a/drivers/md/dm-mpath.c
++++ b/drivers/md/dm-mpath.c
+@@ -1376,6 +1376,12 @@ static int multipath_ioctl(struct dm_target *ti, struct inode *inode,
+
+ spin_unlock_irqrestore(&m->lock, flags);
+
++ /*
++ * Only pass ioctls through if the device sizes match exactly.
++ */
++ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
++ r = scsi_verify_blk_ioctl(NULL, cmd);
++
+ return r ? : blkdev_driver_ioctl(bdev->bd_inode, &fake_file,
+ bdev->bd_disk, cmd, arg);
+ }
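Review bot: The comment `Only pass ioctls through if the device sizes match exactly.` added to both dm-linear.c and dm-mpath.c overstates the check: when the sizes differ (or `lc->start` is non-zero in the linear case) the ioctl is not refused but routed through `scsi_verify_blk_ioctl(NULL, cmd)`, so the whitelisted SG_*/SCSI_IOCTL_GET_* commands — and, with CAP_SYS_RAWIO, everything else — still reach the underlying device. I would reword it in both files as `/* A mapping that is not 1:1 with the device is treated like a partition: only the scsi_verify_blk_ioctl() whitelist (or CAP_SYS_RAWIO) passes through. */`. In multipath_ioctl() the new `bdev->bd_inode` dereference is guarded only by `!r`; this relies on the lines before the hunk setting r non-zero whenever no path, and hence no bdev, is available, which the original `r ? : blkdev_driver_ioctl(...)` already assumed but is worth confirming. Both linear_ioctl() and multipath_ioctl() begin outside the hunk.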
Modified: dists/lenny-security/linux-2.6/debian/patches/series/27lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/27lenny1 Sun Feb 26 18:30:56 2012 (r18742)
+++ dists/lenny-security/linux-2.6/debian/patches/series/27lenny1 Mon Feb 27 01:13:09 2012 (r18743)
@@ -8,3 +8,6 @@
+ bugfix/all/jbd,jb2-validate-sb-s_first-in-journal_get_superblock.patch
+ bugfix/all/hfs-add-sanity-check-for-file-name-length.patch
+ bugfix/powerpc/oprofile-handle-events-that-raise-an-exception-without-overflowing.patch
++ bugfix/all/block-add-and-use-scsi_blk_cmd_ioctl.patch
++ bugfix/all/block-fail-SCSI-passthrough-ioctls-on-partition-devices.patch
++ bugfix/all/dm-do-not-forward-ioctls-from-logical-volumes-to-the-underlying-device.patch