aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlan Cox <alan@lxorguk.ukuu.org.uk>2007-11-07 18:58:10 -0500
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2007-11-11 18:35:48 -0500
commit5f78e89b5f7041895c4820be5c000792243b634f (patch)
tree77e077ea2c470dd0c8c40434ca8b8134f81264b4
parente6096963d2125294f736df4fc37f4226d0b4d178 (diff)
[SCSI] aacraid: fix security weakness
Actually there are several but one is trivially fixed 1. FSACTL_GET_NEXT_ADAPTER_FIB ioctl does not lock dev->fib_list but needs to 2. Ditto for FSACTL_CLOSE_GET_ADAPTER_FIB 3. It is possible to construct an attack via the SRB ioctls where the user obtains assorted elevated privileges. Various approaches are possible, the trivial ones being things like writing to the raw media via scsi commands and the swap image of other executing programs with higher privileges. So the ioctls should be CAP_SYS_RAWIO - at least all the FIB manipulating ones. This is a bandaid fix for #3 but probably the ioctls should grow their own capable checks. The other two bugs need someone competent in that driver to fix them. Signed-off-by: Alan Cox <alan@redhat.com> Acked-by: Mark Salyzyn <mark_salyzyn@adaptec.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--drivers/scsi/aacraid/linit.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index 53061bceaad8..9dd331bc29b0 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -636,7 +636,7 @@ static int aac_cfg_open(struct inode *inode, struct file *file)
636static int aac_cfg_ioctl(struct inode *inode, struct file *file, 636static int aac_cfg_ioctl(struct inode *inode, struct file *file,
637 unsigned int cmd, unsigned long arg) 637 unsigned int cmd, unsigned long arg)
638{ 638{
639 if (!capable(CAP_SYS_ADMIN)) 639 if (!capable(CAP_SYS_RAWIO))
640 return -EPERM; 640 return -EPERM;
641 return aac_do_ioctl(file->private_data, cmd, (void __user *)arg); 641 return aac_do_ioctl(file->private_data, cmd, (void __user *)arg);
642} 642}
@@ -691,7 +691,7 @@ static int aac_compat_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
691 691
692static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg) 692static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg)
693{ 693{
694 if (!capable(CAP_SYS_ADMIN)) 694 if (!capable(CAP_SYS_RAWIO))
695 return -EPERM; 695 return -EPERM;
696 return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg); 696 return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg);
697} 697}