A device permission issue was reported in SUSE Linux on May 5th 2004 affecting the '/proc/scsi/qla2300/HbaApiNode' file. A local user could potentially use this to cause a denial of service. On Red Hat Enterprise Linux 3 this may also affect drivers/addon/qla2200_60600b11/qla2x00.c and drivers/addon/qla2200/qla2x00.c although these are unsupported. Patch from SUSE attached.
Created attachment 101285: Patch from SUSE (will need modification for other cases)
A fix for this problem was committed to the RHEL3 U3 this past Saturday evening (in kernel version 2.4.21-15.14.EL).
Confirmed, linux-2.4.9-qla2200.patch now corrects this; however, Patch8081: linux-2.4.9-qla2200-backup-60702RH2.patch still contains a couple of proc_mknod(APIDEV_NODE, 0777+S_IFCHR... calls which look to be the same issue.
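The kind of check described in the comment above (looking through a driver patch for remaining proc_mknod calls that create a world-writable node) can be automated. The following is an added example, not part of the bug report or of any Red Hat or SUSE patch; the sample diff is constructed, and the arguments after the mode in it are placeholders rather than the driver's real ones.

```python
import re

# proc_mknod(name, mode, ...): capture the second (mode) argument.
CALL_RE = re.compile(r"proc_mknod\s*\(\s*[^,]+?\s*,\s*([^,]+?)\s*,")
OCTAL_RE = re.compile(r"\b0[0-7]+\b")
SYMBOL_RE = re.compile(r"\bS_I[A-Z]+\b")
S_IWOTH = 0o002  # "others may write" permission bit
# Mode macros that include the other-write bit (POSIX and linux/stat.h).
WORLD_WRITABLE_MACROS = {"S_IWOTH", "S_IRWXO", "S_IWUGO", "S_IRWXUGO", "S_IALLUGO"}

# Constructed sample diff; file path and trailing arguments are placeholders.
SAMPLE_DIFF = """\
--- a/drivers/example/hba.c
+++ b/drivers/example/hba.c
@@ -10,6 +10,9 @@
-    proc_mknod(APIDEV_NODE, 0777+S_IFCHR, parent_dir, node_dev);
+    proc_mknod(APIDEV_NODE, 0600+S_IFCHR, parent_dir, node_dev);
     other = proc_mknod(APIDEV_NODE, 0777+S_IFCHR,
                        parent_dir, node_dev);
+    proc_mknod(APIDEV_NODE, S_IFCHR | S_IRWXUGO, parent_dir, node_dev);
"""


def find_world_writable_nodes(text, is_diff=True):
    """Return [(line_no, mode_expr)] for every proc_mknod call that survives
    the patch and whose mode grants write access to 'other'.
    Limitation: modes built from variables or unknown macros are not flagged."""
    lines = text.splitlines()
    if is_diff:
        # Blank removed lines and '---' headers, but keep line numbering.
        lines = ["" if ln.startswith("-") else ln for ln in lines]
    body = "\n".join(lines)
    findings = []
    for m in CALL_RE.finditer(body):
        mode_expr = m.group(1)
        octal_hit = any(int(t, 8) & S_IWOTH for t in OCTAL_RE.findall(mode_expr))
        macro_hit = any(s in WORLD_WRITABLE_MACROS
                        for s in SYMBOL_RE.findall(mode_expr))
        if octal_hit or macro_hit:
            line_no = body.count("\n", 0, m.start()) + 1
            findings.append((line_no, mode_expr))
    return findings


if __name__ == "__main__":
    for line_no, mode in find_world_writable_nodes(SAMPLE_DIFF):
        print(f"line {line_no}: world-writable node mode: {mode}")
```
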
Mark, our strategy-to-date with backup drivers is that they should exactly match the version of the driver in the prior update. No one should actually be using the backup driver. It is retained solely for the hypothetical scenario that a driver update causes a serious regression, in which case a customer could fall back to using the prior version (which would require manual intervention). Since customers automatically start using the new driver after their systems are updated, would it be okay with you if we simply leave the old backup driver as is?
agreed
Ok, I'll put this back in MODIFIED state (fixed in U3). I also intend to pull the fix into the next security errata (in the E3 stream), and I will update this bug again after committing the fix there.
A fix for this problem has also been committed to the RHEL3 E3 patch pool (in kernel version 2.4.21-15.0.4.EL).
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-413.html