[kernel/f16] Add back a set of patches that were erroneously dropped during the rebase

Josh Boyer jwboyer at fedoraproject.org
Tue Jan 24 15:57:50 UTC 2012


commit b652ddfbcbd290c65a78da8f68a9ede7f431f3c9
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Jan 24 10:54:25 2012 -0500

    Add back a set of patches that were erroneously dropped during the rebase

 01-block-add-and-use-scsi_blk_cmd_ioctl.patch      |   24 ++--
 ...SCSI-passthrough-ioctls-on-partition-devs.patch |  165 ++++++++++++++++++++
 ...ont-fwd-ioctls-from-LVs-to-underlying-dev.patch |    4 +-
 kernel.spec                                        |   12 ++-
 4 files changed, 190 insertions(+), 15 deletions(-)
---
diff --git a/01-block-add-and-use-scsi_blk_cmd_ioctl.patch b/01-block-add-and-use-scsi_blk_cmd_ioctl.patch
index fdf4c50..259bf69 100644
--- a/01-block-add-and-use-scsi_blk_cmd_ioctl.patch
+++ b/01-block-add-and-use-scsi_blk_cmd_ioctl.patch
@@ -1,4 +1,4 @@
-From 6051b3759d3d4b70d33a7be70ab6b86ed3559224 Mon Sep 17 00:00:00 2001
+From a7f3cbff409dde86b6bded8978f71bc193022427 Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini at redhat.com>
 Date: Mon, 16 Jan 2012 17:12:58 +0100
 Subject: [PATCH 1/3] block: add and use scsi_blk_cmd_ioctl
@@ -28,10 +28,10 @@ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
  8 files changed, 18 insertions(+), 12 deletions(-)
 
 diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
-index 4f4230b..57ac937 100644
+index fbdf0d8..a2c11f3 100644
 --- a/block/scsi_ioctl.c
 +++ b/block/scsi_ioctl.c
-@@ -691,6 +691,13 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
+@@ -690,6 +690,13 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
  }
  EXPORT_SYMBOL(scsi_cmd_ioctl);
  
@@ -46,10 +46,10 @@ index 4f4230b..57ac937 100644
  {
  	blk_set_cmd_filter_defaults(&blk_default_cmd_filter);
 diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
-index c2f9b3e..1dab802 100644
+index 587cce5..b0f553b 100644
 --- a/drivers/block/cciss.c
 +++ b/drivers/block/cciss.c
-@@ -1716,7 +1716,7 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
+@@ -1735,7 +1735,7 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
  	case CCISS_BIG_PASSTHRU:
  		return cciss_bigpassthru(h, argp);
  
@@ -58,7 +58,7 @@ index c2f9b3e..1dab802 100644
  	/* very meaningful for cciss.  SG_IO is the main one people want. */
  
  	case SG_GET_VERSION_NUM:
-@@ -1727,9 +1727,9 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
+@@ -1746,9 +1746,9 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
  	case SG_EMULATED_HOST:
  	case SG_IO:
  	case SCSI_IOCTL_SEND_COMMAND:
@@ -89,10 +89,10 @@ index 0e376d4..7333b9e 100644
  
  	return ret;
 diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
-index 079c088..5d7a934 100644
+index 4d0b70a..e46f2f7 100644
 --- a/drivers/block/virtio_blk.c
 +++ b/drivers/block/virtio_blk.c
-@@ -236,8 +236,8 @@ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
+@@ -243,8 +243,8 @@ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
  	if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
  		return -ENOTTY;
  
@@ -136,10 +136,10 @@ index d267b7a..a22ca84 100644
  	if (err == -ENOTTY)
  		err = generic_ide_ioctl(drive, bdev, cmd, arg);
 diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
-index 953773c..c88885d 100644
+index fa3a591..ffa1c79 100644
 --- a/drivers/scsi/sd.c
 +++ b/drivers/scsi/sd.c
-@@ -1095,7 +1095,7 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
+@@ -1096,7 +1096,7 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
  			error = scsi_ioctl(sdp, cmd, p);
  			break;
  		default:
@@ -149,7 +149,7 @@ index 953773c..c88885d 100644
  				break;
  			error = scsi_ioctl(sdp, cmd, p);
 diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
-index 5e30b45..aa829a4 100644
+index 94acd81..ca7b869 100644
 --- a/include/linux/blkdev.h
 +++ b/include/linux/blkdev.h
 @@ -675,6 +675,8 @@ extern int blk_insert_cloned_request(struct request_queue *q,
@@ -162,5 +162,5 @@ index 5e30b45..aa829a4 100644
  			  unsigned int, void __user *);
  extern int sg_scsi_ioctl(struct request_queue *, struct gendisk *, fmode_t,
 -- 
-1.7.7.5
+1.7.7.6
 
diff --git a/02-block-fail-SCSI-passthrough-ioctls-on-partition-devs.patch b/02-block-fail-SCSI-passthrough-ioctls-on-partition-devs.patch
new file mode 100644
index 0000000..ce3e50a
--- /dev/null
+++ b/02-block-fail-SCSI-passthrough-ioctls-on-partition-devs.patch
@@ -0,0 +1,165 @@
+From 51c6b870e10bbf60ee6a115216cfa7549addfce0 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini at redhat.com>
+Date: Mon, 16 Jan 2012 17:12:59 +0100
+Subject: [PATCH 2/3] block: fail SCSI passthrough ioctls on partition devices
+
+Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+will pass the command to the underlying block device.  This is
+well-known, but it is also a large security problem when (via Unix
+permissions, ACLs, SELinux or a combination thereof) a program or user
+needs to be granted access only to part of the disk.
+
+This patch lets partitions forward a small set of harmless ioctls;
+others are logged with printk so that we can see which ioctls are
+actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
+Of course it was being sent to a (partition on a) hard disk, so it would
+have failed with ENOTTY and the patch isn't changing anything in
+practice.  Still, I'm treating it specially to avoid spamming the logs.
+
+In principle, this restriction should include programs running with
+CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
+/dev/sdb, it still should not be able to read/write outside the
+boundaries of /dev/sda2 independent of the capabilities.  However, for
+now programs with CAP_SYS_RAWIO will still be allowed to send the
+ioctls.  Their actions will still be logged.
+
+This patch does not affect the non-libata IDE driver.  That driver
+however already tests for bd != bd->bd_contains before issuing some
+ioctl; it could be restricted further to forbid these ioctls even for
+programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+[ Cherry picked from 3ed4e7ba4be8c72051d87dcb2dec279d97a18d41
+
+  Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
+  and -ENOIOCTLCMD from sd_compat_ioctl. ]
+
+Cc: stable at kernel.org
+Cc: linux-scsi at vger.kernel.org
+Cc: Jens Axboe <axboe at kernel.dk>
+Cc: James Bottomley <JBottomley at parallels.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[ Make it also print the command name when warning - Linus ]
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ block/scsi_ioctl.c     |   45 +++++++++++++++++++++++++++++++++++++++++++++
+ drivers/scsi/sd.c      |   11 +++++++++--
+ include/linux/blkdev.h |    1 +
+ 3 files changed, 55 insertions(+), 2 deletions(-)
+
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index a2c11f3..688be8a 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -24,6 +24,7 @@
+ #include <linux/capability.h>
+ #include <linux/completion.h>
+ #include <linux/cdrom.h>
++#include <linux/ratelimit.h>
+ #include <linux/slab.h>
+ #include <linux/times.h>
+ #include <asm/uaccess.h>
+@@ -690,9 +691,53 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
+ }
+ EXPORT_SYMBOL(scsi_cmd_ioctl);
+ 
++int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
++{
++	if (bd && bd == bd->bd_contains)
++		return 0;
++
++	/* Actually none of these is particularly useful on a partition,
++	 * but they are safe.
++	 */
++	switch (cmd) {
++	case SCSI_IOCTL_GET_IDLUN:
++	case SCSI_IOCTL_GET_BUS_NUMBER:
++	case SCSI_IOCTL_GET_PCI:
++	case SCSI_IOCTL_PROBE_HOST:
++	case SG_GET_VERSION_NUM:
++	case SG_SET_TIMEOUT:
++	case SG_GET_TIMEOUT:
++	case SG_GET_RESERVED_SIZE:
++	case SG_SET_RESERVED_SIZE:
++	case SG_EMULATED_HOST:
++		return 0;
++	case CDROM_GET_CAPABILITY:
++		/* Keep this until we remove the printk below.  udev sends it
++		 * and we do not want to spam dmesg about it.   CD-ROMs do
++		 * not have partitions, so we get here only for disks.
++		 */
++		return -ENOTTY;
++	default:
++		break;
++	}
++
++	/* In particular, rule out all resets and host-specific ioctls.  */
++	printk_ratelimited(KERN_WARNING
++			   "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
++
++	return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;
++}
++EXPORT_SYMBOL(scsi_verify_blk_ioctl);
++
+ int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
+ 		       unsigned int cmd, void __user *arg)
+ {
++	int ret;
++
++	ret = scsi_verify_blk_ioctl(bd, cmd);
++	if (ret < 0)
++		return ret;
++
+ 	return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
+ }
+ EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index ffa1c79..4b63c73 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1074,6 +1074,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
+ 	SCSI_LOG_IOCTL(1, sd_printk(KERN_INFO, sdkp, "sd_ioctl: disk=%s, "
+ 				    "cmd=0x%x\n", disk->disk_name, cmd));
+ 
++	error = scsi_verify_blk_ioctl(bdev, cmd);
++	if (error < 0)
++		return error;
++
+ 	/*
+ 	 * If we are in the middle of error recovery, don't let anyone
+ 	 * else try and use this device.  Also, if error recovery fails, it
+@@ -1266,6 +1270,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ 			   unsigned int cmd, unsigned long arg)
+ {
+ 	struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
++	int ret;
++
++	ret = scsi_verify_blk_ioctl(bdev, cmd);
++	if (ret < 0)
++		return -ENOIOCTLCMD;
+ 
+ 	/*
+ 	 * If we are in the middle of error recovery, don't let anyone
+@@ -1277,8 +1286,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ 		return -ENODEV;
+ 	       
+ 	if (sdev->host->hostt->compat_ioctl) {
+-		int ret;
+-
+ 		ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
+ 
+ 		return ret;
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index ca7b869..0ed1eb0 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -675,6 +675,7 @@ extern int blk_insert_cloned_request(struct request_queue *q,
+ 				     struct request *rq);
+ extern void blk_delay_queue(struct request_queue *, unsigned long);
+ extern void blk_recount_segments(struct request_queue *, struct bio *);
++extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
+ extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
+ 			      unsigned int, void __user *);
+ extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
+-- 
+1.7.7.6
+
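Review bot: The warning at the end of scsi_verify_blk_ioctl() is printed before the `capable(CAP_SYS_RAWIO)` test and carries only `current->comm` and the raw command number, so a log reader cannot tell a rejected ioctl from one a privileged caller was allowed to pass through, nor which partition was targeted. The commit message keeps the CAP_SYS_RAWIO bypass and relies on logging for visibility, so I would evaluate the capability first with `bool ok = capable(CAP_SYS_RAWIO);` and report the outcome in the message, for example `"%s: ioctl 0x%x on a partition %s\n"` with `ok ? "allowed (CAP_SYS_RAWIO)" : "rejected"`, then `return ok ? 0 : -ENOTTY;`. The message is rate-limited, so it is a diagnostic and not a complete audit trail. A short comment above the function stating the return contract (0 to forward, -ENOTTY to refuse) and the capability bypass would make both points explicit at the enforcement site.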
diff --git a/03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch b/03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
index 129edd9..e132550 100644
--- a/03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
+++ b/03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
@@ -1,4 +1,4 @@
-From bf50a5715cac3b85f3bd33f184f7c031debabe0b Mon Sep 17 00:00:00 2001
+From 0d18592f2fcd3891e5955362565ea12d0846bf9f Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini at redhat.com>
 Date: Mon, 16 Jan 2012 17:13:00 +0100
 Subject: [PATCH 3/3] dm: do not forward ioctls from logical volumes to the
@@ -87,5 +87,5 @@ index 5e0090e..801d92d 100644
  }
  
 -- 
-1.7.7.5
+1.7.7.6
 
diff --git a/kernel.spec b/kernel.spec
index 952be2b..c254a99 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 3
+%global baserelease 4
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -781,6 +781,10 @@ Patch21074: KVM-x86-fix-missing-checks-in-syscall-emulation.patch
 #rhbz 728740
 Patch21076: rtl8192cu-Fix-WARNING-on-suspend-resume.patch
 
+Patch21077: 01-block-add-and-use-scsi_blk_cmd_ioctl.patch
+Patch21078: 02-block-fail-SCSI-passthrough-ioctls-on-partition-devs.patch
+Patch21079: 03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
+
 #rhbz752176
 Patch21080: sysfs-msi-irq-per-device.patch
 
@@ -1492,6 +1496,11 @@ ApplyPatch KVM-x86-fix-missing-checks-in-syscall-emulation.patch
 #rhbz 728740
 ApplyPatch rtl8192cu-Fix-WARNING-on-suspend-resume.patch
 
+#rhbz 769911
+ApplyPatch 01-block-add-and-use-scsi_blk_cmd_ioctl.patch
+ApplyPatch 02-block-fail-SCSI-passthrough-ioctls-on-partition-devs.patch
+ApplyPatch 03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
+
 #rhbz 782686
 ApplyPatch procfs-parse-mount-options.patch
 ApplyPatch procfs-add-hidepid-and-gid-mount-options.patch
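Review bot: The `#rhbz 769911` tag is added above the three ApplyPatch lines here but not above the matching `Patch21077`–`Patch21079` declarations in the previous hunk, where the neighbouring entries (`#rhbz 728740`, `#rhbz752176`) do carry one. The new changelog line in the last hunk also omits the bug number, unlike the `(rhbz 784287)` entry next to it. These patches were already dropped once during a rebase, so I would repeat `#rhbz 769911` above the Patch declarations and append `(rhbz 769911)` to the changelog entry, which lets a search of the spec file find everything that belongs to the fix.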
@@ -2288,6 +2297,7 @@ fi
 %changelog
 * Tue Jan 24 2012 Josh Boyer <jwboyer at redhat.com>
 - Re-enable the ARCMSR module (rhbz 784287)
+- Add back a set of patches that were erroneously dropped during the rebase
 
 * Mon Jan 23 2012 Josh Boyer <jwboyer at redhat.com> 3.2.1-3
 - Fix oops in iwlwifi/iwlagn driver (rhbz 766071)

