diff options
author | Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> | 2013-01-16 11:33:52 -0500 |
---|---|---|
committer | Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> | 2013-06-07 17:05:55 -0400 |
commit | 604c499cbbcc3d5fe5fb8d53306aa0fae1990109 (patch) | |
tree | ab604a42d397957a3aeb55c343d59648d6332c30 | |
parent | 7c4d7d710f7eb499ec483f25acc28b53adaa3260 (diff) |
xen/blkback: Check device permissions before allowing OP_DISCARD
We need to make sure that the device is not RO or that
the request is not past the number of sectors we want to
issue the DISCARD operation for.
This fixes CVE-2013-2140.
Cc: stable@vger.kernel.org
Acked-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
[v1: Made it pr_warn instead of pr_debug]
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-rw-r--r-- | drivers/block/xen-blkback/blkback.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c index e79ab4559233..4119bcdefd1a 100644 --- a/drivers/block/xen-blkback/blkback.c +++ b/drivers/block/xen-blkback/blkback.c | |||
@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif, | |||
876 | int status = BLKIF_RSP_OKAY; | 876 | int status = BLKIF_RSP_OKAY; |
877 | struct block_device *bdev = blkif->vbd.bdev; | 877 | struct block_device *bdev = blkif->vbd.bdev; |
878 | unsigned long secure; | 878 | unsigned long secure; |
879 | struct phys_req preq; | ||
880 | |||
881 | preq.sector_number = req->u.discard.sector_number; | ||
882 | preq.nr_sects = req->u.discard.nr_sectors; | ||
879 | 883 | ||
884 | err = xen_vbd_translate(&preq, blkif, WRITE); | ||
885 | if (err) { | ||
886 | pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n", | ||
887 | preq.sector_number, | ||
888 | preq.sector_number + preq.nr_sects, blkif->vbd.pdevice); | ||
889 | goto fail_response; | ||
890 | } | ||
880 | blkif->st_ds_req++; | 891 | blkif->st_ds_req++; |
881 | 892 | ||
882 | xen_blkif_get(blkif); | 893 | xen_blkif_get(blkif); |
@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif, | |||
887 | err = blkdev_issue_discard(bdev, req->u.discard.sector_number, | 898 | err = blkdev_issue_discard(bdev, req->u.discard.sector_number, |
888 | req->u.discard.nr_sectors, | 899 | req->u.discard.nr_sectors, |
889 | GFP_KERNEL, secure); | 900 | GFP_KERNEL, secure); |
890 | 901 | fail_response: | |
891 | if (err == -EOPNOTSUPP) { | 902 | if (err == -EOPNOTSUPP) { |
892 | pr_debug(DRV_PFX "discard op failed, not supported\n"); | 903 | pr_debug(DRV_PFX "discard op failed, not supported\n"); |
893 | status = BLKIF_RSP_EOPNOTSUPP; | 904 | status = BLKIF_RSP_EOPNOTSUPP; |