From: Joe Jin
Date: Fri, 23 Dec 2011 02:00:27 +0000 (+0800)
Subject: [dm] do not forward ioctls from logical volumes to the underlying device
X-Git-Tag: v2.6.39-400.9.0~423^2~28
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=528fa4bfd55395db4694d3c14f1e982bfd4aec8d;p=users%2Fjedix%2Flinux-maple.git

[dm] do not forward ioctls from logical volumes to the underlying device

CVE-2011-4127. A logical volume can map to just part of underlying physical volume. In this case, it must be treated like a partition. Based on a patch from Alasdair G Kergon.
Cc: Alasdair G Kergon
Cc: Mike Snitzer
Signed-off-by: Paolo Bonzini
Signed-off-by: Joe Jin
---
diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
index 3921e3bb43c1..9728839f844a 100644
--- a/drivers/md/dm-linear.c
+++ b/drivers/md/dm-linear.c
@@ -116,7 +116,17 @@ static int linear_ioctl(struct dm_target *ti, unsigned int cmd,
 unsigned long arg)
 {
 struct linear_c *lc = (struct linear_c *) ti->private;
- return __blkdev_driver_ioctl(lc->dev->bdev, lc->dev->mode, cmd, arg);
+ struct dm_dev *dev = lc->dev;
+ int r = 0;
+
+ /*
+ * Only pass ioctls through if the device sizes match exactly.
+ */
+ if (lc->start ||
+ ti->len != i_size_read(dev->bdev->bd_inode) >> SECTOR_SHIFT)
+ r = scsi_verify_blk_ioctl(NULL, cmd);
+
+ return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);
 }
 
 static int linear_merge(struct dm_target *ti, struct bvec_merge_data *bvm,
diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index 209991bebd30..06e76b86dab0 100644
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1584,6 +1584,12 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
 
 spin_unlock_irqrestore(&m->lock, flags);
 
+ /*
+ * Only pass ioctls through if the device sizes match exactly.
+ */
+ if (r == 0 && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
+ r = scsi_verify_blk_ioctl(NULL, cmd);
+
 return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
 }
 
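Review bot: The comment added in linear_ioctl overstates what the code enforces: it says ioctls are passed through only when the sizes match exactly, but `return r ? : __blkdev_driver_ioctl(dev->bdev, dev->mode, cmd, arg);` still forwards any command for which scsi_verify_blk_ioctl() returns 0. A partial mapping is therefore filtered, not blocked. I would reword it along the lines of `/* Target maps only part of the device: treat it like a partition and forward the ioctl only if scsi_verify_blk_ioctl() allows it. */`, and the identical comment in the multipath_ioctl hunk needs the same change. scsi_verify_blk_ioctl() is not defined in this diff, so the set of commands it lets through, and the reason NULL is passed as its first argument, should be confirmed against the patch that introduces it and stated in the comment.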
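Review bot: In the multipath_ioctl hunk the `r == 0` term of the new condition appears to be the only thing keeping `bdev->bd_inode` from being read when no usable path was selected, and nothing in the hunk says so. The code that assigns `r` and `bdev` lies above the hunk, so this is inferred from the existing `return r ? :` line. If it holds, a short comment such as `/* r == 0 implies bdev is valid here */` would stop a later edit from dropping the guard and turning the size check into a NULL dereference. The size is also read after `spin_unlock_irqrestore(&m->lock, flags)`, which matches how `bdev` is already used by the forwarding call but is worth stating if the lock is meant to protect path selection only.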