From 0bb05f83a2459ab4d8b89fb40a05bf374ffdace7 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 5 Jun 2013 16:10:51 -0400 Subject: [PATCH] CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148) --- kernel.spec | 11 +++- ...k-device-permissions-before-allowing.patch | 54 +++++++++++++++++++ 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 xen-blkback-Check-device-permissions-before-allowing.patch diff --git a/kernel.spec b/kernel.spec index d05ea81ec..4c8f81017 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -742,6 +742,9 @@ Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.pa #rhbz 964335 Patch25026: Modify-UEFI-anti-bricking-code.patch +#CVE-2013-2140 rhbz 971146 971148 +Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch + # END OF PATCH DEFINITIONS %endif @@ -1427,6 +1430,9 @@ ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.pat #rhbz 964335 ApplyPatch Modify-UEFI-anti-bricking-code.patch +#CVE-2013-2140 rhbz 971146 971148 +ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch + # END OF PATCH APPLICATIONS %endif @@ -2232,6 +2238,9 @@ fi # ||----w | # || || %changelog +* Wed Jun 05 2013 Josh Boyer +- CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148) + * Tue Jun 04 2013 Dave Jones - 3.10.0-0.rc4.git0.1 - 3.10-rc4 merged: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch diff --git a/xen-blkback-Check-device-permissions-before-allowing.patch b/xen-blkback-Check-device-permissions-before-allowing.patch new file mode 100644 index 000000000..933e82890 --- /dev/null +++ b/xen-blkback-Check-device-permissions-before-allowing.patch @@ -0,0 +1,54 @@ +From e029d62efa5eb46831a9e1414468e582379b743f Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Wed, 16 Jan 2013 11:33:52 -0500 +Subject: [PATCH] xen/blkback: Check device permissions before allowing + OP_DISCARD + +We need to make sure that the device is not RO or that +the request is not past the number of sectors we want to +issue the DISCARD operation for. + +Cc: stable () vger kernel org +Acked-by: Jan Beulich +Acked-by: Ian Campbell +[v1: Made it pr_warn instead of pr_debug] +Signed-off-by: Konrad Rzeszutek Wilk +--- + drivers/block/xen-blkback/blkback.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c +index e79ab45..4119bcd 100644 +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif, + int status = BLKIF_RSP_OKAY; + struct block_device *bdev = blkif->vbd.bdev; + unsigned long secure; ++ struct phys_req preq; ++ ++ preq.sector_number = req->u.discard.sector_number; ++ preq.nr_sects = req->u.discard.nr_sectors; + ++ err = xen_vbd_translate(&preq, blkif, WRITE); ++ if (err) { ++ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n", ++ preq.sector_number, ++ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice); ++ goto fail_response; ++ } + blkif->st_ds_req++; + + xen_blkif_get(blkif); +@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif, + err = blkdev_issue_discard(bdev, req->u.discard.sector_number, + req->u.discard.nr_sectors, + GFP_KERNEL, secure); +- ++fail_response: + if (err == -EOPNOTSUPP) { + pr_debug(DRV_PFX "discard op failed, not supported\n"); + status = BLKIF_RSP_EOPNOTSUPP; +-- +1.8.1.4 +