
Bug 92553

Summary: Kernel: local root / raw and pktcdvd devices ioctl (CAN-2005-{1264|1589})
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: major
CC: security-kernel
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: LocalRoot
Package list:
Runtime testing required: ---

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-13 21:50:20 UTC
I think this is public already, please confirm:

Raw character devices are supposed to pass ioctls through to the block
devices they are bound to.  Unfortunately, they are using the wrong
function for this: ioctl_by_bdev(), instead of blkdev_ioctl().

ioctl_by_bdev() performs a set_fs(KERNEL_DS) before calling the ioctl,
redirecting the user-space buffer access to the kernel address space.
This is, needless to say, a bad thing.

This was noticed first on s390, where raw IO was non-functioning.  The
s390 driver config does not actually allow raw IO to be enabled, which
was the first part of the problem.  Secondly, the s390 kernel address
space is distinct from user, causing legal raw ioctls to fail.  I've
reproduced this on a kernel built with 4G:4G split on x86, which fails
in the same way (-EFAULT if the address does not exist kernel-side;
returns success without actually populating the user buffer if it does.)

The patch below fixes both the config and address-space problems.  It's
based closely on a patch by Jan Glauber <jang@de.ibm.com>, which has
been tested on s390 at IBM.  I've tested it on x86 4G:4G (split address
space) and x86_64 (common address space).

Kernel-address-space access has been assigned CAN-2005-1264.

Signed-off-by: Stephen Tweedie <sct@redhat.com>
Signed-off-by: Dave Jones <davej@redhat.com>

Index: drivers/block/ioctl.c
===================================================================
--- eed337ef5e9ae7d62caa84b7974a11fddc7f06e0/drivers/block/ioctl.c  (mode:100644)
+++ uncommitted/drivers/block/ioctl.c  (mode:100644)
@@ -237,3 +237,5 @@
        }
        return ret;
 }
+
+EXPORT_SYMBOL_GPL(blkdev_ioctl);
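Review bot: the export is needed by the drivers/char/raw.c hunk rather than being a standalone change, since RAW_DRIVER is tristate in the Kconfig hunk and a modular raw driver would otherwise fail to resolve blkdev_ioctl at load time; a one-line mention of that dependency in the commit message would save the next reader from wondering why an ioctl.c change is part of a security fix. Using the _GPL variant is the right call for a block-layer internal, but it should be stated that any out-of-tree non-GPL caller of raw-style passthrough will not be able to use it.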
Index: drivers/char/raw.c
===================================================================
--- eed337ef5e9ae7d62caa84b7974a11fddc7f06e0/drivers/char/raw.c  (mode:100644)
+++ uncommitted/drivers/char/raw.c  (mode:100644)
@@ -122,7 +122,7 @@
 {
        struct block_device *bdev = filp->private_data;
 
-       return ioctl_by_bdev(bdev, command, arg);
+       return blkdev_ioctl(bdev->bd_inode, filp, command, arg);
 }
 
 static void bind_device(struct raw_config_request *rq)
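Review bot: the replacement call drops the set_fs(KERNEL_DS) bracket, so copy_to_user()/copy_from_user() inside the block driver's ioctl handler are now checked against the calling task's user address limit; that is the fix itself and looks correct. Two things to confirm: first, blkdev_ioctl() obtains the device from the inode, so bdev->bd_inode->i_bdev must resolve back to the same bdev that was bound via private_data; second, the raw character device's filp is now handed down to disk->fops->ioctl() where the removed three-argument ioctl_by_bdev() call passed no file at all, so any block driver ioctl that reads filp->private_data or relies on the file being a block-device open would now see a raw-device file instead. A comment above the call noting that filp is the /dev/raw/rawN file, not a block-device file, would document that assumption.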
Index: drivers/s390/Kconfig
===================================================================
--- eed337ef5e9ae7d62caa84b7974a11fddc7f06e0/drivers/s390/Kconfig  (mode:100644)
+++ uncommitted/drivers/s390/Kconfig  (mode:100644)
@@ -193,6 +193,26 @@
        help
          Character device driver for reading z/VM monitor service records
 
+config RAW_DRIVER
+        tristate "RAW driver (/dev/raw/rawN) (OBSOLETE)"
+        help
+          The raw driver permits block devices to be bound to /dev/raw/rawN.
+          Once bound, I/O against /dev/raw/rawN uses efficient zero-copy I/O.
+          See the raw(8) manpage for more details.
+
+          The raw driver is deprecated and may be removed from 2.7
+          kernels.  Applications should simply open the device (eg /dev/hda1)
+          with the O_DIRECT flag.
+
+config MAX_RAW_DEVS
+        int "Maximum number of RAW devices to support (1-8192)"
+        depends on RAW_DRIVER
+        default "256"
+        help
+          The maximum number of RAW devices that are supported.
+          Default is 256. Increase this number in case you need lots of
+          raw devices.
+
 endmenu
 
 menu "Cryptographic devices"
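Review bot: the MAX_RAW_DEVS prompt advertises "(1-8192)" but the entry carries no `range 1 8192` line, so Kconfig will accept 0 or an arbitrarily large value; add `range 1 8192` after `depends on RAW_DRIVER` so the prompt and the accepted values agree. Style-wise, the two new entries are indented with eight spaces where the surrounding `help` block uses a tab, and the RAW_DRIVER help text itself says the driver is obsolete, so it is worth stating in the commit message that it is being added to the s390 menu only so that raw I/O can be enabled at all (the first half of the problem described above), not as an endorsement of the interface.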
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-17 07:30:07 UTC
CAN-2005-1264 for the raw device hole 
CAN-2005-1589 for the similar flaw in pktcdvd 
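The mechanism described in the patch mail above (ioctl_by_bdev() calling set_fs(KERNEL_DS) so that user-buffer accesses in the block driver's ioctl are no longer checked against the task's user address limit) can be modelled in user space. The following is an added example, not code from the bug report, the kernel, or the patch: it reimplements a toy get_fs()/set_fs()/access_ok()/put_user() with a constructed address layout and a two-word "memory", and shows that the pre-fix path accepts a kernel-range pointer while the fixed path returns -EFAULT for it. All names suffixed `_model`, the constants TASK_SIZE, USER_BUF and KERNEL_OBJ, and the result value are assumptions made for the example; the separate-address-space behaviour of s390 and 4G:4G is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EFAULT 14

/* Constructed address layout for the example: user addresses lie below
 * TASK_SIZE, kernel addresses above it. Not the real kernel's values. */
#define TASK_SIZE  ((uintptr_t)0xC0000000UL)
#define USER_DS    TASK_SIZE
#define KERNEL_DS  ((uintptr_t)~(uintptr_t)0)

/* Two "mapped" words: one in the user range, one in the kernel range. */
#define USER_BUF    ((uintptr_t)0x1000UL)
#define KERNEL_OBJ  ((uintptr_t)0xC0001000UL)
static uint32_t user_mem, kernel_mem;

/* Per-task address limit, as get_fs()/set_fs() manage it in the real kernel. */
static uintptr_t addr_limit = USER_DS;
static uintptr_t get_fs(void) { return addr_limit; }
static void set_fs(uintptr_t limit) { addr_limit = limit; }

/* Model of access_ok(): a range is usable only if it does not wrap and
 * ends at or below the current limit. With KERNEL_DS every range passes. */
static int access_ok(uintptr_t addr, size_t len)
{
    uintptr_t end = addr + len;
    return end >= addr && end <= get_fs();
}

/* Model of put_user(): refuses the store unless access_ok() passes, then
 * writes into the tiny constructed memory table. */
static int put_user_model(uint32_t val, uintptr_t addr)
{
    if (!access_ok(addr, sizeof val))
        return -EFAULT;
    if (addr == USER_BUF)
        user_mem = val;
    else if (addr == KERNEL_OBJ)
        kernel_mem = val;
    else
        return -EFAULT;          /* unmapped address */
    return 0;
}

/* Model of a block-driver ioctl that returns a value through the caller's
 * buffer, as BLKGETSIZE-style ioctls do. The result value is constructed. */
static int blkdev_ioctl_model(uintptr_t arg)
{
    return put_user_model(0x12345678u, arg);
}

/* Before the fix: ioctl_by_bdev() widened the limit around the call, so a
 * pointer into the kernel range is accepted by the access check. */
static int raw_ioctl_before(uintptr_t arg)
{
    uintptr_t old_fs = get_fs();
    int ret;

    set_fs(KERNEL_DS);
    ret = blkdev_ioctl_model(arg);
    set_fs(old_fs);
    return ret;
}

/* After the fix: blkdev_ioctl() runs under the task's own limit, so only
 * user-range pointers are accepted. */
static int raw_ioctl_after(uintptr_t arg)
{
    return blkdev_ioctl_model(arg);
}

int main(void)
{
    printf("before fix, kernel-range pointer: %d\n", raw_ioctl_before(KERNEL_OBJ));
    printf("after fix,  kernel-range pointer: %d\n", raw_ioctl_after(KERNEL_OBJ));
    printf("after fix,  user-range pointer:   %d\n", raw_ioctl_after(USER_BUF));
    return 0;
}
```

The first call returns 0 and overwrites the modelled kernel word, which is the behaviour the advisory calls "a bad thing"; the second returns -EFAULT because the unchanged USER_DS limit rejects the kernel-range address; the third returns 0 and fills the user word, which is the only outcome a raw ioctl should ever produce.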
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-05-23 04:34:27 UTC
Public through Ubuntu's USN-131-1
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-05-23 05:07:46 UTC

*** This bug has been marked as a duplicate of 92864 ***