diff --git a/debian/changelog b/debian/changelog index daf273c26..c16073141 100644 --- a/debian/changelog +++ b/debian/changelog @@ -45,6 +45,8 @@ linux (3.10.1-1) UNRELEASED; urgency=low * udeb: Add ath6kl_usb and mwifiex_usb to nic-wireless-modules * udeb: Add pm80xx (previously pm8001) and virtio_scsi to scsi-extra-modules * Set ABI to 1 + * xen/blkback: Check device permissions before allowing OP_DISCARD + (CVE-2013-2140) -- Ben Hutchings Mon, 01 Jul 2013 00:58:08 +0100 diff --git a/debian/patches/bugfix/all/xen-blkback-Check-device-permissions-before-allowing.patch b/debian/patches/bugfix/all/xen-blkback-Check-device-permissions-before-allowing.patch new file mode 100644 index 000000000..3d823853e --- /dev/null +++ b/debian/patches/bugfix/all/xen-blkback-Check-device-permissions-before-allowing.patch @@ -0,0 +1,52 @@ +From: Konrad Rzeszutek Wilk +Date: Wed, 16 Jan 2013 11:33:52 -0500 +Subject: xen/blkback: Check device permissions before allowing OP_DISCARD +Origin: https://git.kernel.org/cgit/linux/kernel/git/konrad/xen.git/commit?id=604c499cbbcc3d5fe5fb8d53306aa0fae1990109 + +We need to make sure that the device is not RO or that +the request is not past the number of sectors we want to +issue the DISCARD operation for. + +This fixes CVE-2013-2140. + +Cc: stable@vger.kernel.org +Acked-by: Jan Beulich +Acked-by: Ian Campbell +[v1: Made it pr_warn instead of pr_debug] +Signed-off-by: Konrad Rzeszutek Wilk +--- + drivers/block/xen-blkback/blkback.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c +index e79ab45..4119bcd 100644 +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif, + int status = BLKIF_RSP_OKAY; + struct block_device *bdev = blkif->vbd.bdev; + unsigned long secure; ++ struct phys_req preq; ++ ++ preq.sector_number = req->u.discard.sector_number; ++ preq.nr_sects = req->u.discard.nr_sectors; + ++ err = xen_vbd_translate(&preq, blkif, WRITE); ++ if (err) { ++ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n", ++ preq.sector_number, ++ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice); ++ goto fail_response; ++ } + blkif->st_ds_req++; + + xen_blkif_get(blkif); +@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif, + err = blkdev_issue_discard(bdev, req->u.discard.sector_number, + req->u.discard.nr_sectors, + GFP_KERNEL, secure); +- ++fail_response: + if (err == -EOPNOTSUPP) { + pr_debug(DRV_PFX "discard op failed, not supported\n"); + status = BLKIF_RSP_EOPNOTSUPP; diff --git a/debian/patches/series b/debian/patches/series index 7aefc2b44..fc32c10f9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -104,3 +104,4 @@ bugfix/all/alx-fix-MAC-address-alignment-problem.patch bugfix/all/alx-fix-ethtool-support-code.patch bugfix/all/alx-remove-WoL-support.patch bugfix/all/alx-fix-lockdep-annotation.patch +bugfix/all/xen-blkback-Check-device-permissions-before-allowing.patch