From: Vitaly Mayatskikh <vmayatsk@redhat.com>
Subject: [RHEL-5.1 patch] BZ298381 {CVE-2007-4308} Missing ioctl() permission checks in aacraid driver
Date: Mon, 24 Sep 2007 17:41:55 +0200
Bugzilla: 298381
Message-Id: <m36420kr3w.fsf@gravicapa.englab.brq.redhat.com>
Changelog: [scsi] aacraid: Missing ioctl() permission checks
BZ#298381
https://bugzilla.redhat.com/show_bug.cgi?id=298381
Description:
============
On the SCSI layer ioctl path there is no implicit permissions check for
ioctls (and indeed other drivers implement unprivileged ioctls). aacraid
however allows all sorts of very admin only things to be done so should
check.
Upstream status of the patch:
=============================
Patch is upstream, see commit 719be62903a6e6419789557cb3ed0e840d3e4ca9
Content-Description: proposed patch
diff -up -bB ./drivers/scsi/aacraid/linit.c.orig ./drivers/scsi/aacraid/linit.c
--- ./drivers/scsi/aacraid/linit.c.orig 2007-09-24 17:33:20.000000000 +0200
+++ ./drivers/scsi/aacraid/linit.c 2007-09-24 17:37:04.000000000 +0200
@@ -628,6 +628,8 @@ static int aac_cfg_open(struct inode *in
static int aac_cfg_ioctl(struct inode *inode, struct file *file,
unsigned int cmd, unsigned long arg)
{
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
return aac_do_ioctl(file->private_data, cmd, (void __user *)arg);
}
@@ -681,6 +683,8 @@ static int aac_compat_ioctl(struct scsi_
static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg)
{
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg);
}
#endif
--
Vitaly Mayatskikh <vmayatsk@redhat.com>
Kernel development
Red Hat Czech, Brno
Phone: +420 532 294 111
IRC: vitaly on #kernel, #brno
GPG: 0x4BA2E8FB
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
89877e42827f16fa5f86b1df0c2860b1
>
files
>
2071
