authorKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>2013-01-16 11:33:52 -0500
committerKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>2013-06-07 17:05:55 -0400
commit604c499cbbcc3d5fe5fb8d53306aa0fae1990109 (patch)
treeab604a42d397957a3aeb55c343d59648d6332c30
parent7c4d7d710f7eb499ec483f25acc28b53adaa3260 (diff)
xen/blkback: Check device permissions before allowing OP_DISCARD
We need to make sure that the device is not RO or that the request is not past the number of sectors we want to issue the DISCARD operation for. This fixes CVE-2013-2140. Cc: stable@vger.kernel.org Acked-by: Jan Beulich <JBeulich@suse.com> Acked-by: Ian Campbell <Ian.Campbell@citrix.com> [v1: Made it pr_warn instead of pr_debug] Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
-rw-r--r--drivers/block/xen-blkback/blkback.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index e79ab4559233..4119bcdefd1a 100644
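--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
 int status = BLKIF_RSP_OKAY;
 struct block_device *bdev = blkif->vbd.bdev;
 unsigned long secure;
+struct phys_req preq;
+
+preq.sector_number = req->u.discard.sector_number;
+preq.nr_sects = req->u.discard.nr_sectors;
 
+err = xen_vbd_translate(&preq, blkif, WRITE);
+if (err) {
+pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
+preq.sector_number,
+preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
+goto fail_response;
+}
 blkif->st_ds_req++;
 
 xen_blkif_get(blkif);
@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
 err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
 req->u.discard.nr_sectors,
 GFP_KERNEL, secure);
-
+fail_response:
 if (err == -EOPNOTSUPP) {
 pr_debug(DRV_PFX "discard op failed, not supported\n");
 status = BLKIF_RSP_EOPNOTSUPP;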
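Review bot: The new `goto fail_response` at new line 889 is taken before `xen_blkif_get(blkif)` at new line 893, so the denied path reaches the shared tail without the reference that the success path holds. The rest of dispatch_discard_io after `fail_response:` lies outside this hunk; if that tail releases the reference with `xen_blkif_put(blkif)`, every rejected DISCARD from a guest would drop a count that was never taken and unbalance the blkif refcount. Moving `xen_blkif_get(blkif);` above the `xen_vbd_translate()` call would keep get and put paired on both paths. The warning is also emitted once per rejected request, which the frontend controls, so `pr_warn_ratelimited(...)` would keep a misbehaving guest from flooding the host log.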