xen/blkback: Check device permissions before allowing OP_DISCARD

We need to make sure that the device is not RO or that
the request is not past the number of sectors we want to
issue the DISCARD operation for.

This fixes CVE-2013-2140.

Cc: stable@vger.kernel.org
Acked-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
[v1: Made it pr_warn instead of pr_debug]
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

1 files changed, 12 insertions, 1 deletions

diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index e79ab4559233..4119bcdefd1a 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
         int status = BLKIF_RSP_OKAY;
         struct block_device *bdev = blkif->vbd.bdev;
         unsigned long secure;
+        struct phys_req preq;
+
+        preq.sector_number = req->u.discard.sector_number;
+        preq.nr_sects      = req->u.discard.nr_sectors;
 
+        err = xen_vbd_translate(&preq, blkif, WRITE);
+        if (err) {
+                pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
+                        preq.sector_number,
+                        preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
+                goto fail_response;
+        }
         blkif->st_ds_req++;
 
         xen_blkif_get(blkif);
@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
         err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
                                    req->u.discard.nr_sectors,
                                    GFP_KERNEL, secure);
-
+fail_response:
         if (err == -EOPNOTSUPP) {
                 pr_debug(DRV_PFX "discard op failed, not supported\n");
                 status = BLKIF_RSP_EOPNOTSUPP;