[Precise,CVE-2013-2140,1/1] xen/blkback: Check device permissions before allowing OP_DISCARD

Message ID 1382522130-12413-2-git-send-email-luis.henriques@canonical.com
State New

Commit Message

Luis Henriques Oct. 23, 2013, 9:55 a.m. UTC
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

BugLink: http://bugs.launchpad.net/bugs/1091187

CVE-2013-2140

We need to make sure that the device is not RO or that
the request is not past the number of sectors we want to
issue the DISCARD operation for.

This fixes CVE-2013-2140.

Cc: stable@vger.kernel.org
Acked-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
[v1: Made it pr_warn instead of pr_debug]
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
(back ported from commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109)
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 drivers/block/xen-blkback/blkback.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

Comments

Seth Forshee Oct. 23, 2013, 12:30 p.m. UTC | #1

Stefan Bader Oct. 23, 2013, 7:30 p.m. UTC | #2

Patch

diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index 2232b85..8cac42f 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -666,8 +666,18 @@  static int dispatch_rw_block_io(struct xen_blkif *blkif,
 	}
 
 	preq.dev           = req->handle;
-	preq.sector_number = req->u.rw.sector_number;
-	preq.nr_sects      = 0;
+	if (operation == REQ_DISCARD) {
+		/*
+		 * It's safe to initialise preq.nr_sects here because the
+		 * 'for' loop below won't iterate as req->nr_segments = 0
+		 * (see blkif_queue_request)
+		 */
+		preq.sector_number = req->u.discard.sector_number;
+		preq.nr_sects      = req->u.discard.nr_sectors;
+	} else {
+		preq.sector_number = req->u.rw.sector_number;
+		preq.nr_sects      = 0;
+	}
 
 	pending_req->blkif     = blkif;
 	pending_req->id        = req->id;
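
Review bot: The comment in the REQ_DISCARD branch justifies initialising preq.nr_sects early by pointing at blkif_queue_request, which is frontend code, so the backend is relying on the guest to send req->nr_segments = 0 with a discard. Since the request contents come from the guest, dispatch_rw_block_io should enforce this itself, for example by failing a REQ_DISCARD request whose req->nr_segments is nonzero before this assignment, so the 'for' loop the comment mentions can never run with nr_sects already set from req->u.discard.nr_sectors. The comment should then refer to that backend check rather than to the frontend's behaviour. It would also help to note here that these two fields are what the later permission and range check consumes, because the hunk on its own only populates preq and does not show the check the commit message describes.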