[kernel/f17] CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148)
Josh Boyer
jwboyer at fedoraproject.org
Wed Jun 5 20:15:06 UTC 2013
commit 3eefce94f5a0087642e9a37a16d6433cb913269a
Author: Josh Boyer <jwboyer at redhat.com>
Date: Wed Jun 5 16:10:51 2013 -0400
CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148)
kernel.spec | 11 ++++-
...-Check-device-permissions-before-allowing.patch | 54 ++++++++++++++++++++
2 files changed, 64 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index b656bd4..aba28e9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 101
+%global baserelease 102
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -751,6 +751,9 @@ Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch
#rhbz 964335
Patch25026: Modify-UEFI-anti-bricking-code.patch
+#CVE-2013-2140 rhbz 971146 971148
+Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1456,6 +1459,9 @@ ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch
#rhbz 964335
ApplyPatch Modify-UEFI-anti-bricking-code.patch
+#CVE-2013-2140 rhbz 971146 971148
+ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2307,6 +2313,9 @@ fi
# '-' | |
# '-'
%changelog
+* Wed Jun 05 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148)
+
* Mon Jun 03 2013 Josh Boyer <jwboyer at redhat.com> - 3.9.4-101
- Fix UEFI anti-bricking code (rhbz 964335)
diff --git a/xen-blkback-Check-device-permissions-before-allowing.patch b/xen-blkback-Check-device-permissions-before-allowing.patch
new file mode 100644
index 0000000..933e828
--- /dev/null
+++ b/xen-blkback-Check-device-permissions-before-allowing.patch
@@ -0,0 +1,54 @@
+From e029d62efa5eb46831a9e1414468e582379b743f Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk () oracle com>
+Date: Wed, 16 Jan 2013 11:33:52 -0500
+Subject: [PATCH] xen/blkback: Check device permissions before allowing
+ OP_DISCARD
+
+We need to make sure that the device is not RO or that
+the request is not past the number of sectors we want to
+issue the DISCARD operation for.
+
+Cc: stable () vger kernel org
+Acked-by: Jan Beulich <JBeulich () suse com>
+Acked-by: Ian Campbell <Ian.Campbell () citrix com>
+[v1: Made it pr_warn instead of pr_debug]
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk () oracle com>
+---
+ drivers/block/xen-blkback/blkback.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
+index e79ab45..4119bcd 100644
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
+ int status = BLKIF_RSP_OKAY;
+ struct block_device *bdev = blkif->vbd.bdev;
+ unsigned long secure;
++ struct phys_req preq;
++
++ preq.sector_number = req->u.discard.sector_number;
++ preq.nr_sects = req->u.discard.nr_sectors;
+
++ err = xen_vbd_translate(&preq, blkif, WRITE);
++ if (err) {
++ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
++ preq.sector_number,
++ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
++ goto fail_response;
++ }
+ blkif->st_ds_req++;
+
+ xen_blkif_get(blkif);
+@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
+ err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
+ req->u.discard.nr_sectors,
+ GFP_KERNEL, secure);
+-
++fail_response:
+ if (err == -EOPNOTSUPP) {
+ pr_debug(DRV_PFX "discard op failed, not supported\n");
+ status = BLKIF_RSP_EOPNOTSUPP;
+--
+1.8.1.4
+
More information about the scm-commits
mailing list