summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlan Cox <alan@redhat.com>2007-12-09 19:07:00 +0100
committerAdrian Bunk <bunk@kernel.org>2008-01-06 04:19:00 +0200
commit0949515eac13172c4754691d2270772c0b195565 (patch)
tree4ca3f01151bca16be0e416bc78e71e3d7b765021
parent3528fed43621960e41fef18a2013dc05801ee707 (diff)
downloadlinux-stable-0949515eac13172c4754691d2270772c0b195565.tar.gz
linux-stable-0949515eac13172c4754691d2270772c0b195565.tar.bz2
linux-stable-0949515eac13172c4754691d2270772c0b195565.zip
[SCSI] aacraid: fix security weakness
Actually there are several but one is trivially fixed 1. FSACTL_GET_NEXT_ADAPTER_FIB ioctl does not lock dev->fib_list but needs to 2. Ditto for FSACTL_CLOSE_GET_ADAPTER_FIB 3. It is possible to construct an attack via the SRB ioctls where the user obtains assorted elevated privileges. Various approaches are possible, the trivial ones being things like writing to the raw media via scsi commands and the swap image of other executing programs with higher privileges. So the ioctls should be CAP_SYS_RAWIO - at least all the FIB manipulating ones. This is a bandaid fix for #3 but probably the ioctls should grow their own capable checks. The other two bugs need someone competent in that driver to fix them. Signed-off-by: Alan Cox <alan@redhat.com> Acked-by: Mark Salyzyn <mark_salyzyn@adaptec.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Adrian Bunk <bunk@kernel.org>
-rw-r--r--drivers/scsi/aacraid/linit.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index 19a4579e3578..1e8d6ff25813 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -539,7 +539,7 @@ static int aac_cfg_open(struct inode *inode, struct file *file)
static int aac_cfg_ioctl(struct inode *inode, struct file *file,
unsigned int cmd, unsigned long arg)
{
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_RAWIO))
return -EPERM;
return aac_do_ioctl(file->private_data, cmd, (void __user *)arg);
}
@@ -594,7 +594,7 @@ static int aac_compat_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg)
{
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_RAWIO))
return -EPERM;
return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg);
}