libnvdimm: Fix security issue with DSM IOCTL.

commit 07accfa9 upstream. Code attempts to prevent certain IOCTL DSM from being called when device is opened read only. This security feature can be trivially overcome by changing the size portion of the ioctl_command which isn't used. Check only the _IOC_NR (i.e. the command). Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>

libnvdimm: Fix security issue with DSM IOCTL.
commit 07accfa9 upstream. Code attempts to prevent certain IOCTL DSM from being called when device is opened read only. This security feature can be trivially overcome by changing the size portion of the ioctl_command which isn't used. Check only the _IOC_NR (i.e. the command). Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
b614925d · Jerry Hoemann · Kamal Mostafa · 9a069889 · b614925d
Commit b614925d authored Jan 06, 2016 by Jerry Hoemann Committed by Kamal Mostafa Mar 30, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

drivers/nvdimm/bus.c drivers/nvdimm/bus.c +4 -4

No files found.
--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -513,10 +513,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm,
 	/* fail write commands (when read-only) */
 	if (read_only)
-		switch (ioctl_cmd) {
+		switch (cmd) {
-		case ND_IOCTL_VENDOR:
+		case ND_CMD_VENDOR:
-		case ND_IOCTL_SET_CONFIG_DATA:
+		case ND_CMD_SET_CONFIG_DATA:
-		case ND_IOCTL_ARS_START:
+		case ND_CMD_ARS_START:
 			dev_dbg(&nvdimm_bus->dev, "'%s' command while read-only.\n",
 					nvdimm ? nvdimm_cmd_name(cmd)
 					: nvdimm_bus_cmd_name(cmd));