CVE-2011-4127 possible privilege escalation via SG_IO ioctl (rhbz 769911)
This commit is contained in:
parent
aebb47b0ee
commit
94aa5a9c60
|
@ -0,0 +1,166 @@
|
|||
From 6051b3759d3d4b70d33a7be70ab6b86ed3559224 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 16 Jan 2012 17:12:58 +0100
|
||||
Subject: [PATCH 1/3] block: add and use scsi_blk_cmd_ioctl
|
||||
|
||||
Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
|
||||
|
||||
The function will then be enhanced to detect partition block devices
|
||||
and, in that case, subject the ioctls to whitelisting.
|
||||
|
||||
[ Cherry picked from 6ad62f051ef784a48a6103af289f91b5c472e955 ]
|
||||
|
||||
Cc: stable@kernel.org
|
||||
Cc: linux-scsi@vger.kernel.org
|
||||
Cc: Jens Axboe <axboe@kernel.dk>
|
||||
Cc: James Bottomley <JBottomley@parallels.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
block/scsi_ioctl.c | 7 +++++++
|
||||
drivers/block/cciss.c | 6 +++---
|
||||
drivers/block/ub.c | 3 +--
|
||||
drivers/block/virtio_blk.c | 4 ++--
|
||||
drivers/cdrom/cdrom.c | 3 +--
|
||||
drivers/ide/ide-floppy_ioctl.c | 3 +--
|
||||
drivers/scsi/sd.c | 2 +-
|
||||
include/linux/blkdev.h | 2 ++
|
||||
8 files changed, 18 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
|
||||
index 4f4230b..57ac937 100644
|
||||
--- a/block/scsi_ioctl.c
|
||||
+++ b/block/scsi_ioctl.c
|
||||
@@ -691,6 +691,13 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
|
||||
}
|
||||
EXPORT_SYMBOL(scsi_cmd_ioctl);
|
||||
|
||||
+int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
|
||||
+ unsigned int cmd, void __user *arg)
|
||||
+{
|
||||
+ return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
|
||||
+}
|
||||
+EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
|
||||
+
|
||||
static int __init blk_scsi_ioctl_init(void)
|
||||
{
|
||||
blk_set_cmd_filter_defaults(&blk_default_cmd_filter);
|
||||
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
|
||||
index c2f9b3e..1dab802 100644
|
||||
--- a/drivers/block/cciss.c
|
||||
+++ b/drivers/block/cciss.c
|
||||
@@ -1716,7 +1716,7 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
|
||||
case CCISS_BIG_PASSTHRU:
|
||||
return cciss_bigpassthru(h, argp);
|
||||
|
||||
- /* scsi_cmd_ioctl handles these, below, though some are not */
|
||||
+ /* scsi_cmd_blk_ioctl handles these, below, though some are not */
|
||||
/* very meaningful for cciss. SG_IO is the main one people want. */
|
||||
|
||||
case SG_GET_VERSION_NUM:
|
||||
@@ -1727,9 +1727,9 @@ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
|
||||
case SG_EMULATED_HOST:
|
||||
case SG_IO:
|
||||
case SCSI_IOCTL_SEND_COMMAND:
|
||||
- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
|
||||
+ return scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
|
||||
|
||||
- /* scsi_cmd_ioctl would normally handle these, below, but */
|
||||
+ /* scsi_cmd_blk_ioctl would normally handle these, below, but */
|
||||
/* they aren't a good fit for cciss, as CD-ROMs are */
|
||||
/* not supported, and we don't have any bus/target/lun */
|
||||
/* which we present to the kernel. */
|
||||
diff --git a/drivers/block/ub.c b/drivers/block/ub.c
|
||||
index 0e376d4..7333b9e 100644
|
||||
--- a/drivers/block/ub.c
|
||||
+++ b/drivers/block/ub.c
|
||||
@@ -1744,12 +1744,11 @@ static int ub_bd_release(struct gendisk *disk, fmode_t mode)
|
||||
static int ub_bd_ioctl(struct block_device *bdev, fmode_t mode,
|
||||
unsigned int cmd, unsigned long arg)
|
||||
{
|
||||
- struct gendisk *disk = bdev->bd_disk;
|
||||
void __user *usermem = (void __user *) arg;
|
||||
int ret;
|
||||
|
||||
mutex_lock(&ub_mutex);
|
||||
- ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, usermem);
|
||||
+ ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, usermem);
|
||||
mutex_unlock(&ub_mutex);
|
||||
|
||||
return ret;
|
||||
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
|
||||
index 079c088..5d7a934 100644
|
||||
--- a/drivers/block/virtio_blk.c
|
||||
+++ b/drivers/block/virtio_blk.c
|
||||
@@ -236,8 +236,8 @@ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
|
||||
if (!virtio_has_feature(vblk->vdev, VIRTIO_BLK_F_SCSI))
|
||||
return -ENOTTY;
|
||||
|
||||
- return scsi_cmd_ioctl(disk->queue, disk, mode, cmd,
|
||||
- (void __user *)data);
|
||||
+ return scsi_cmd_blk_ioctl(bdev, mode, cmd,
|
||||
+ (void __user *)data);
|
||||
}
|
||||
|
||||
/* We provide getgeo only to please some old bootloader/partitioning tools */
|
||||
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
|
||||
index f997c27..cedb231 100644
|
||||
--- a/drivers/cdrom/cdrom.c
|
||||
+++ b/drivers/cdrom/cdrom.c
|
||||
@@ -2747,12 +2747,11 @@ int cdrom_ioctl(struct cdrom_device_info *cdi, struct block_device *bdev,
|
||||
{
|
||||
void __user *argp = (void __user *)arg;
|
||||
int ret;
|
||||
- struct gendisk *disk = bdev->bd_disk;
|
||||
|
||||
/*
|
||||
* Try the generic SCSI command ioctl's first.
|
||||
*/
|
||||
- ret = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, argp);
|
||||
+ ret = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
|
||||
if (ret != -ENOTTY)
|
||||
return ret;
|
||||
|
||||
diff --git a/drivers/ide/ide-floppy_ioctl.c b/drivers/ide/ide-floppy_ioctl.c
|
||||
index d267b7a..a22ca84 100644
|
||||
--- a/drivers/ide/ide-floppy_ioctl.c
|
||||
+++ b/drivers/ide/ide-floppy_ioctl.c
|
||||
@@ -292,8 +292,7 @@ int ide_floppy_ioctl(ide_drive_t *drive, struct block_device *bdev,
|
||||
* and CDROM_SEND_PACKET (legacy) ioctls
|
||||
*/
|
||||
if (cmd != CDROM_SEND_PACKET && cmd != SCSI_IOCTL_SEND_COMMAND)
|
||||
- err = scsi_cmd_ioctl(bdev->bd_disk->queue, bdev->bd_disk,
|
||||
- mode, cmd, argp);
|
||||
+ err = scsi_cmd_blk_ioctl(bdev, mode, cmd, argp);
|
||||
|
||||
if (err == -ENOTTY)
|
||||
err = generic_ide_ioctl(drive, bdev, cmd, arg);
|
||||
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
|
||||
index 953773c..c88885d 100644
|
||||
--- a/drivers/scsi/sd.c
|
||||
+++ b/drivers/scsi/sd.c
|
||||
@@ -1095,7 +1095,7 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
|
||||
error = scsi_ioctl(sdp, cmd, p);
|
||||
break;
|
||||
default:
|
||||
- error = scsi_cmd_ioctl(disk->queue, disk, mode, cmd, p);
|
||||
+ error = scsi_cmd_blk_ioctl(bdev, mode, cmd, p);
|
||||
if (error != -ENOTTY)
|
||||
break;
|
||||
error = scsi_ioctl(sdp, cmd, p);
|
||||
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
|
||||
index 5e30b45..aa829a4 100644
|
||||
--- a/include/linux/blkdev.h
|
||||
+++ b/include/linux/blkdev.h
|
||||
@@ -675,6 +675,8 @@ extern int blk_insert_cloned_request(struct request_queue *q,
|
||||
struct request *rq);
|
||||
extern void blk_delay_queue(struct request_queue *, unsigned long);
|
||||
extern void blk_recount_segments(struct request_queue *, struct bio *);
|
||||
+extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
|
||||
+ unsigned int, void __user *);
|
||||
extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
|
||||
unsigned int, void __user *);
|
||||
extern int sg_scsi_ioctl(struct request_queue *, struct gendisk *, fmode_t,
|
||||
--
|
||||
1.7.7.5
|
||||
|
|
@ -0,0 +1,165 @@
|
|||
From e773daff833c61e0ce22d62b7d1bb7b82f4222d0 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 16 Jan 2012 17:12:59 +0100
|
||||
Subject: [PATCH 2/3] block: fail SCSI passthrough ioctls on partition devices
|
||||
|
||||
Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
|
||||
will pass the command to the underlying block device. This is
|
||||
well-known, but it is also a large security problem when (via Unix
|
||||
permissions, ACLs, SELinux or a combination thereof) a program or user
|
||||
needs to be granted access only to part of the disk.
|
||||
|
||||
This patch lets partitions forward a small set of harmless ioctls;
|
||||
others are logged with printk so that we can see which ioctls are
|
||||
actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
|
||||
Of course it was being sent to a (partition on a) hard disk, so it would
|
||||
have failed with ENOTTY and the patch isn't changing anything in
|
||||
practice. Still, I'm treating it specially to avoid spamming the logs.
|
||||
|
||||
In principle, this restriction should include programs running with
|
||||
CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
|
||||
/dev/sdb, it still should not be able to read/write outside the
|
||||
boundaries of /dev/sda2 independent of the capabilities. However, for
|
||||
now programs with CAP_SYS_RAWIO will still be allowed to send the
|
||||
ioctls. Their actions will still be logged.
|
||||
|
||||
This patch does not affect the non-libata IDE driver. That driver
|
||||
however already tests for bd != bd->bd_contains before issuing some
|
||||
ioctl; it could be restricted further to forbid these ioctls even for
|
||||
programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
|
||||
|
||||
[ Cherry picked from 3ed4e7ba4be8c72051d87dcb2dec279d97a18d41
|
||||
|
||||
Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
|
||||
and -ENOIOCTLCMD from sd_compat_ioctl. ]
|
||||
|
||||
Cc: stable@kernel.org
|
||||
Cc: linux-scsi@vger.kernel.org
|
||||
Cc: Jens Axboe <axboe@kernel.dk>
|
||||
Cc: James Bottomley <JBottomley@parallels.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
[ Make it also print the command name when warning - Linus ]
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
block/scsi_ioctl.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
drivers/scsi/sd.c | 11 +++++++++--
|
||||
include/linux/blkdev.h | 1 +
|
||||
3 files changed, 55 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
|
||||
index 57ac937..5ef1f4c 100644
|
||||
--- a/block/scsi_ioctl.c
|
||||
+++ b/block/scsi_ioctl.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <linux/capability.h>
|
||||
#include <linux/completion.h>
|
||||
#include <linux/cdrom.h>
|
||||
+#include <linux/ratelimit.h>
|
||||
#include <linux/slab.h>
|
||||
#include <linux/times.h>
|
||||
#include <asm/uaccess.h>
|
||||
@@ -691,9 +692,53 @@ int scsi_cmd_ioctl(struct request_queue *q, struct gendisk *bd_disk, fmode_t mod
|
||||
}
|
||||
EXPORT_SYMBOL(scsi_cmd_ioctl);
|
||||
|
||||
+int scsi_verify_blk_ioctl(struct block_device *bd, unsigned int cmd)
|
||||
+{
|
||||
+ if (bd && bd == bd->bd_contains)
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Actually none of these is particularly useful on a partition,
|
||||
+ * but they are safe.
|
||||
+ */
|
||||
+ switch (cmd) {
|
||||
+ case SCSI_IOCTL_GET_IDLUN:
|
||||
+ case SCSI_IOCTL_GET_BUS_NUMBER:
|
||||
+ case SCSI_IOCTL_GET_PCI:
|
||||
+ case SCSI_IOCTL_PROBE_HOST:
|
||||
+ case SG_GET_VERSION_NUM:
|
||||
+ case SG_SET_TIMEOUT:
|
||||
+ case SG_GET_TIMEOUT:
|
||||
+ case SG_GET_RESERVED_SIZE:
|
||||
+ case SG_SET_RESERVED_SIZE:
|
||||
+ case SG_EMULATED_HOST:
|
||||
+ return 0;
|
||||
+ case CDROM_GET_CAPABILITY:
|
||||
+ /* Keep this until we remove the printk below. udev sends it
|
||||
+ * and we do not want to spam dmesg about it. CD-ROMs do
|
||||
+ * not have partitions, so we get here only for disks.
|
||||
+ */
|
||||
+ return -ENOTTY;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ /* In particular, rule out all resets and host-specific ioctls. */
|
||||
+ printk_ratelimited(KERN_WARNING
|
||||
+ "%s: sending ioctl %x to a partition!\n", current->comm, cmd);
|
||||
+
|
||||
+ return capable(CAP_SYS_RAWIO) ? 0 : -ENOTTY;
|
||||
+}
|
||||
+EXPORT_SYMBOL(scsi_verify_blk_ioctl);
|
||||
+
|
||||
int scsi_cmd_blk_ioctl(struct block_device *bd, fmode_t mode,
|
||||
unsigned int cmd, void __user *arg)
|
||||
{
|
||||
+ int ret;
|
||||
+
|
||||
+ ret = scsi_verify_blk_ioctl(bd, cmd);
|
||||
+ if (ret < 0)
|
||||
+ return ret;
|
||||
+
|
||||
return scsi_cmd_ioctl(bd->bd_disk->queue, bd->bd_disk, mode, cmd, arg);
|
||||
}
|
||||
EXPORT_SYMBOL(scsi_cmd_blk_ioctl);
|
||||
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
|
||||
index c88885d..7d8b5d8 100644
|
||||
--- a/drivers/scsi/sd.c
|
||||
+++ b/drivers/scsi/sd.c
|
||||
@@ -1073,6 +1073,10 @@ static int sd_ioctl(struct block_device *bdev, fmode_t mode,
|
||||
SCSI_LOG_IOCTL(1, printk("sd_ioctl: disk=%s, cmd=0x%x\n",
|
||||
disk->disk_name, cmd));
|
||||
|
||||
+ error = scsi_verify_blk_ioctl(bdev, cmd);
|
||||
+ if (error < 0)
|
||||
+ return error;
|
||||
+
|
||||
/*
|
||||
* If we are in the middle of error recovery, don't let anyone
|
||||
* else try and use this device. Also, if error recovery fails, it
|
||||
@@ -1265,6 +1269,11 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
|
||||
unsigned int cmd, unsigned long arg)
|
||||
{
|
||||
struct scsi_device *sdev = scsi_disk(bdev->bd_disk)->device;
|
||||
+ int ret;
|
||||
+
|
||||
+ ret = scsi_verify_blk_ioctl(bdev, cmd);
|
||||
+ if (ret < 0)
|
||||
+ return -ENOIOCTLCMD;
|
||||
|
||||
/*
|
||||
* If we are in the middle of error recovery, don't let anyone
|
||||
@@ -1276,8 +1285,6 @@ static int sd_compat_ioctl(struct block_device *bdev, fmode_t mode,
|
||||
return -ENODEV;
|
||||
|
||||
if (sdev->host->hostt->compat_ioctl) {
|
||||
- int ret;
|
||||
-
|
||||
ret = sdev->host->hostt->compat_ioctl(sdev, cmd, (void __user *)arg);
|
||||
|
||||
return ret;
|
||||
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
|
||||
index aa829a4..8b7a19e 100644
|
||||
--- a/include/linux/blkdev.h
|
||||
+++ b/include/linux/blkdev.h
|
||||
@@ -675,6 +675,7 @@ extern int blk_insert_cloned_request(struct request_queue *q,
|
||||
struct request *rq);
|
||||
extern void blk_delay_queue(struct request_queue *, unsigned long);
|
||||
extern void blk_recount_segments(struct request_queue *, struct bio *);
|
||||
+extern int scsi_verify_blk_ioctl(struct block_device *, unsigned int);
|
||||
extern int scsi_cmd_blk_ioctl(struct block_device *, fmode_t,
|
||||
unsigned int, void __user *);
|
||||
extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
|
||||
--
|
||||
1.7.7.5
|
||||
|
|
@ -0,0 +1,91 @@
|
|||
From bf50a5715cac3b85f3bd33f184f7c031debabe0b Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 16 Jan 2012 17:13:00 +0100
|
||||
Subject: [PATCH 3/3] dm: do not forward ioctls from logical volumes to the
|
||||
underlying device
|
||||
|
||||
A logical volume can map to just part of underlying physical volume.
|
||||
In this case, it must be treated like a partition.
|
||||
|
||||
Based on a patch from Alasdair G Kergon.
|
||||
|
||||
[ Cherry picked from 95113a17a2a1eb06151dc698dca9bcc4a29e4fbb ]
|
||||
|
||||
Cc: stable@kernel.org
|
||||
Cc: Alasdair G Kergon <agk@redhat.com>
|
||||
Cc: dm-devel@redhat.com
|
||||
Cc: linux-scsi@vger.kernel.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
drivers/md/dm-flakey.c | 11 ++++++++++-
|
||||
drivers/md/dm-linear.c | 12 +++++++++++-
|
||||
drivers/md/dm-mpath.c | 6 ++++++
|
||||
3 files changed, 27 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
|
||||
index f84c080..9fb18c1 100644
|
||||
--- a/drivers/md/dm-flakey.c
|
||||
+++ b/drivers/md/dm-flakey.c
|
||||
@@ -368,8 +368,17 @@ static int flakey_status(struct dm_target *ti, status_type_t type,
|
||||
static int flakey_ioctl(struct dm_target *ti, unsigned int cmd, unsigned long arg)
|
||||
{
|
||||
struct flakey_c *fc = ti->private;
|
||||
+ struct dm_dev *dev = fc->dev;
|
||||
+ int r = 0;
|
||||
|
||||
- return __blkdev_driver_ioctl(fc->dev->bdev, fc->dev->mode, cmd, arg);
|
||||
+ /*
|
||||
+ * Only pass ioctls through if the device sizes match exactly.
|
||||
+ */
|
||||
+ if (fc->start ||
|
||||
+ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
|
||||
+ r = scsi_verify_blk_ioctl(NULL, cmd);
|
||||
+
|
||||
+ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
|
||||
}
|
||||
|
||||
static int flakey_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
|
||||
diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
|
||||
index 3921e3b..9728839 100644
|
||||
--- a/drivers/md/dm-linear.c
|
||||
+++ b/drivers/md/dm-linear.c
|
||||
@@ -116,7 +116,17 @@ static int linear_ioctl(struct dm_target *ti, unsigned int cmd,
|
||||
unsigned long arg)
|
||||
{
|
||||
struct linear_c *lc = (struct linear_c *) ti->private;
|
||||
- return __blkdev_driver_ioctl(lc->dev->bdev, lc->dev->mode, cmd, arg);
|
||||
+ struct dm_dev *dev = lc->dev;
|
||||
+ int r = 0;
|
||||
+
|
||||
+ /*
|
||||
+ * Only pass ioctls through if the device sizes match exactly.
|
||||
+ */
|
||||
+ if (lc->start ||
|
||||
+ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
|
||||
+ r = scsi_verify_blk_ioctl(NULL, cmd);
|
||||
+
|
||||
+ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
|
||||
}
|
||||
|
||||
static int linear_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
|
||||
diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
|
||||
index 5e0090e..801d92d 100644
|
||||
--- a/drivers/md/dm-mpath.c
|
||||
+++ b/drivers/md/dm-mpath.c
|
||||
@@ -1520,6 +1520,12 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
|
||||
|
||||
spin_unlock_irqrestore(&m->lock, flags);
|
||||
|
||||
+ /*
|
||||
+ * Only pass ioctls through if the device sizes match exactly.
|
||||
+ */
|
||||
+ if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
|
||||
+ r = scsi_verify_blk_ioctl(NULL, cmd);
|
||||
+
|
||||
return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
|
||||
}
|
||||
|
||||
--
|
||||
1.7.7.5
|
||||
|
15
kernel.spec
15
kernel.spec
|
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
|||
# When changing real_sublevel below, reset this by hand to 1
|
||||
# (or to 0 and then use rpmdev-bumpspec).
|
||||
#
|
||||
%global baserelease 3
|
||||
%global baserelease 4
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# real_sublevel is the 3.x kernel version we're starting with
|
||||
|
@ -744,6 +744,11 @@ Patch21075: KVM-x86-fix-missing-checks-in-syscall-emulation.patch
|
|||
#rhbz 728740
|
||||
Patch21076: rtl8192cu-Fix-WARNING-on-suspend-resume.patch
|
||||
|
||||
Patch21077: 01-block-add-and-use-scsi_blk_cmd_ioctl.patch
|
||||
Patch21078: 02-block-fail-SCSI-passthrough-ioctls-on-partition-devs.patch
|
||||
Patch21079: 03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
|
||||
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
@ -1381,6 +1386,11 @@ ApplyPatch KVM-x86-fix-missing-checks-in-syscall-emulation.patch
|
|||
#rhbz 728740
|
||||
ApplyPatch rtl8192cu-Fix-WARNING-on-suspend-resume.patch
|
||||
|
||||
#rhbz 769911
|
||||
ApplyPatch 01-block-add-and-use-scsi_blk_cmd_ioctl.patch
|
||||
ApplyPatch 02-block-fail-SCSI-passthrough-ioctls-on-partition-devs.patch
|
||||
ApplyPatch 03-dm-dont-fwd-ioctls-from-LVs-to-underlying-dev.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2028,6 +2038,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Tue Jan 17 2012 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2011-4127 possible privilege escalation via SG_IO ioctl (rhbz 769911)
|
||||
|
||||
* Sun Jan 15 2012 Josh Boyer <jwboyer@redhat.com>
|
||||
- Avoid packaging symlinks for kernel-doc files (rhbz 767351)
|
||||
|
||||
|
|
Loading…
Reference in New Issue