[kernel] CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148)

Josh Boyer jwboyer at fedoraproject.org
Wed Jun 5 20:15:21 UTC 2013


commit 0bb05f83a2459ab4d8b89fb40a05bf374ffdace7
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Jun 5 16:10:51 2013 -0400

    CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148)

 kernel.spec                                        |   11 ++++-
 ...-Check-device-permissions-before-allowing.patch |   54 ++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index d05ea81..4c8f810 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -742,6 +742,9 @@ Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.pa
 #rhbz 964335
 Patch25026: Modify-UEFI-anti-bricking-code.patch
 
+#CVE-2013-2140 rhbz 971146 971148
+Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1427,6 +1430,9 @@ ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.pat
 #rhbz 964335
 ApplyPatch Modify-UEFI-anti-bricking-code.patch
 
+#CVE-2013-2140 rhbz 971146 971148
+ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2232,6 +2238,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Wed Jun 05 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148)
+
 * Tue Jun 04 2013 Dave Jones <davej at redhat.com> - 3.10.0-0.rc4.git0.1
 - 3.10-rc4
   merged: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
diff --git a/xen-blkback-Check-device-permissions-before-allowing.patch b/xen-blkback-Check-device-permissions-before-allowing.patch
new file mode 100644
index 0000000..933e828
--- /dev/null
+++ b/xen-blkback-Check-device-permissions-before-allowing.patch
@@ -0,0 +1,54 @@
+From e029d62efa5eb46831a9e1414468e582379b743f Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk () oracle com>
+Date: Wed, 16 Jan 2013 11:33:52 -0500
+Subject: [PATCH] xen/blkback: Check device permissions before allowing
+ OP_DISCARD
+
+We need to make sure that the device is not RO or that
+the request is not past the number of sectors we want to
+issue the DISCARD operation for.
+
+Cc: stable () vger kernel org
+Acked-by: Jan Beulich <JBeulich () suse com>
+Acked-by: Ian Campbell <Ian.Campbell () citrix com>
+[v1: Made it pr_warn instead of pr_debug]
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk () oracle com>
+---
+ drivers/block/xen-blkback/blkback.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
+index e79ab45..4119bcd 100644
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
+ 	int status = BLKIF_RSP_OKAY;
+ 	struct block_device *bdev = blkif->vbd.bdev;
+ 	unsigned long secure;
++	struct phys_req preq;
++
++	preq.sector_number = req->u.discard.sector_number;
++	preq.nr_sects      = req->u.discard.nr_sectors;
+ 
++	err = xen_vbd_translate(&preq, blkif, WRITE);
++	if (err) {
++		pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
++			preq.sector_number,
++			preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
++		goto fail_response;
++	}
+ 	blkif->st_ds_req++;
+ 
+ 	xen_blkif_get(blkif);
+@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
+ 	err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
+ 				   req->u.discard.nr_sectors,
+ 				   GFP_KERNEL, secure);
+-
++fail_response:
+ 	if (err == -EOPNOTSUPP) {
+ 		pr_debug(DRV_PFX "discard op failed, not supported\n");
+ 		status = BLKIF_RSP_EOPNOTSUPP;
+-- 
+1.8.1.4
+
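Review bot: In the nested blkback.c hunk, the `goto fail_response` taken when `xen_vbd_translate()` fails runs before `xen_blkif_get(blkif)`, so the denied path reaches the shared response tail without holding a reference. The tail of `dispatch_discard_io` is outside the hunk; if it ends with a matching `xen_blkif_put(blkif)`, every rejected DISCARD would release a reference that was never taken, and the resulting refcount imbalance could let the blkif be torn down while still in use. Moving `xen_blkif_get(blkif);` above `err = xen_vbd_translate(&preq, blkif, WRITE);` keeps get and put paired on both paths. Separately, the `pr_warn` fires on every rejected guest request, so `pr_warn_ratelimited` would keep a misbehaving guest from flooding the host log.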

