CVE-2021-27364: git/torvalds/linux.git - Linux kernel source tree

author

Lee Duncan [email protected]

2021-02-23 13:06:24 -0800

committer

Martin K. Petersen [email protected]

2021-03-04 20:09:50 -0500

commit

688e8128b7a92df982709a4137ea4588d16f24aa (patch)

tree

d86dc54e1bd181e77e16edfba22f09e9ae612786

parent

f69d02e37a85645aa90d18cacfff36dba370f797 (diff)

download

linux-688e8128b7a92df982709a4137ea4588d16f24aa.tar.gz

scsi: iscsi: Restrict sessions and handles to admin capabilities

Protect the iSCSI transport handle, available in sysfs, by requiring CAP_SYS_ADMIN to read it. Also protect the netlink socket by restricting reception of messages to ones sent with CAP_SYS_ADMIN. This disables normal users from being able to end arbitrary iSCSI sessions. Cc: [email protected] Reported-by: Adam Nichols [email protected] Reviewed-by: Chris Leech [email protected] Reviewed-by: Mike Christie [email protected] Signed-off-by: Lee Duncan [email protected] Signed-off-by: Martin K. Petersen [email protected]

-rw-r–r--

drivers/scsi/scsi_transport_iscsi.c

6

1 files changed, 6 insertions, 0 deletions

diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
index 969d24d580e29…69a1f55499ef9 100644
— a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c

@@ -132,6 +132,9 @@ show_transport_handle(struct device *dev, struct device_attribute *attr,

char *buf)

{

struct iscsi_internal *priv = dev_to_iscsi_internal(dev);

+ if (!capable(CAP_SYS_ADMIN))

+ return -EACCES;

return sprintf(buf, "%llu\n", (unsigned long long)iscsi_handle(priv->iscsi_transport));

}

static DEVICE_ATTR(handle, S_IRUGO, show_transport_handle, NULL);

@@ -3621,6 +3624,9 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)

struct iscsi_cls_conn *conn;

struct iscsi_endpoint *ep = NULL;

+ if (!netlink_capable(skb, CAP_SYS_ADMIN))

+ return -EPERM;

if (nlh->nlmsg_type == ISCSI_UEVENT_PATH_UPDATE)

*group = ISCSI_NL_GRP_UIP;

else