提交 5f78e89b 编写于 作者: A Alan Cox 提交者: James Bottomley

[SCSI] aacraid: fix security weakness

Actually there are several but one is trivially fixed

1.	FSACTL_GET_NEXT_ADAPTER_FIB ioctl does not lock dev->fib_list
but needs to
2.	Ditto for FSACTL_CLOSE_GET_ADAPTER_FIB
3.	It is possible to construct an attack via the SRB ioctls where
the user obtains assorted elevated privileges. Various approaches are
possible, the trivial ones being things like writing to the raw media
via scsi commands and the swap image of other executing programs with
higher privileges.

So the ioctls should be CAP_SYS_RAWIO - at least all the FIB manipulating
ones. This is a bandaid fix for #3 but probably the ioctls should grow
their own capable checks. The other two bugs need someone competent in that
driver to fix them.
Signed-off-by: NAlan Cox <alan@redhat.com>
Acked-by: NMark Salyzyn <mark_salyzyn@adaptec.com>
Signed-off-by: NJames Bottomley <James.Bottomley@HansenPartnership.com>
上级 e6096963
......@@ -636,7 +636,7 @@ static int aac_cfg_open(struct inode *inode, struct file *file)
static int aac_cfg_ioctl(struct inode *inode, struct file *file,
unsigned int cmd, unsigned long arg)
{
if (!capable(CAP_SYS_ADMIN))
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
return aac_do_ioctl(file->private_data, cmd, (void __user *)arg);
}
......@@ -691,7 +691,7 @@ static int aac_compat_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg)
{
if (!capable(CAP_SYS_ADMIN))
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg);
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册