Bugzilla – Bug 807154
VUL-1: CVE-2012-4542: kernel: SCSI filtering bypass
Last modified: 2014-03-12 09:47:16 UTC
is public, via cvedb
block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access
restrictions via an SG_IO ioctl call that leverages overlapping opcodes.
Reference: CONFIRM: https://oss.oracle.com/git/?p=redpatch.git;a=commit;h=76a274e17114abf1a77de6b651424648ce9e10c8
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=875360
Reference: MLIST: http://marc.info/?l=linux-kernel&m=135904012416042&w=2
Reference: MLIST: http://marc.info/?l=linux-kernel&m=135903967015813&w=2
bugbot adjusting priority
What an interesting idea.
So to recap, this is just to prohibit commands from a different commandset being send to a device, right?
In most cases this _should_ be errored out by the device itself, as the command won't be supported. So we would only have a problem if
a) Commands with the same opcode have a different meaning for different commandsets
b) these overlapping commands would have different protection rules (read/write)
After a cursory glance only very few commands are affected by this; I'll be checking the spec.
Also, the current filter set is geared for CD/DVD-ROM. As this is the only type currently supported for user access it should be perfectly sufficient to just check for commands which are currently filtered, but might be filtered incorrectly due to a commandset overlap.
Or is it desireable to have a user access for normal block devices, too?
The normal user should only be able to access the cdrom style block devices, the others not. (i hope that was the question for me ;)
*** Bug 853890 has been marked as a duplicate of this bug. ***
As a 'normal' user should only be able to access cdrom style block devices, _and_ these commands are already filtered out correctly I fail to see the need to modify anything here.
The mentioned CVE only applies for devices which are _not_ cd-roms and where an accidental command set overlap _might_ allow the user to send down commands to that device which _should_ have been filtered out.
But as we're only concerned with cdrom devices, and all other types are not user-accessible we're fine.