aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlan Cox <alan@lxorguk.ukuu.org.uk>2007-11-07 18:58:10 -0500
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2008-01-23 12:29:27 -0500
commitd496f94d22d1491ffb25f4000e85f7a4ecf7f2c4 (patch)
tree54a897343e8a66ce6c0f7b92a4d55ab8822e86ff
parent3ace426f9575dd112252d72baaee4554fcb2e450 (diff)
[SCSI] aacraid: fix security weakness
Actually there are several but one is trivially fixed 1. FSACTL_GET_NEXT_ADAPTER_FIB ioctl does not lock dev->fib_list but needs to 2. Ditto for FSACTL_CLOSE_GET_ADAPTER_FIB 3. It is possible to construct an attack via the SRB ioctls where the user obtains assorted elevated privileges. Various approaches are possible, the trivial ones being things like writing to the raw media via scsi commands and the swap image of other executing programs with higher privileges. So the ioctls should be CAP_SYS_RAWIO - at least all the FIB manipulating ones. This is a bandaid fix for #3 but probably the ioctls should grow their own capable checks. The other two bugs need someone competent in that driver to fix them. Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Mark Salyzyn <aacraid@adaptec.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--drivers/scsi/aacraid/linit.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index 0523cc6d895c..143e4c16b079 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -517,6 +517,8 @@ static struct device_attribute *aac_dev_attrs[] = {
517static int aac_ioctl(struct scsi_device *sdev, int cmd, void __user * arg) 517static int aac_ioctl(struct scsi_device *sdev, int cmd, void __user * arg)
518{ 518{
519 struct aac_dev *dev = (struct aac_dev *)sdev->host->hostdata; 519 struct aac_dev *dev = (struct aac_dev *)sdev->host->hostdata;
520 if (!capable(CAP_SYS_RAWIO))
521 return -EPERM;
520 return aac_do_ioctl(dev, cmd, arg); 522 return aac_do_ioctl(dev, cmd, arg);
521} 523}
522 524