See URL for full details. "Any user who has been granted permissions to access a SCSI tape device can send some commands, which may cause it to become unusable for other users." Fix: http://linux.bkbits.net:8080/linux-2.6/cset@42373cf23YEvgue3d3UyXV1OR0aIWA
Alan Cox on rhkernel-list .. -------------------------------------- NAK. Because 1. arbitrary SCSI command is CAP_SYS_RAWIO (firmware reprogram ...) 2. The midlayer has a proper command filter (which will need tuning for tape) 3. The tape devices are usually root only owned. I'd like to see #1/#2 fixed then it's worth it. ------------------------------------- #3 should make this not so urgent to fix?
I'll move this from moderate to low severity as exploitation requires that an administrator has explicitly allowed tape devices to be controlled by other users.
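The precondition discussed in the two comments above is that an administrator has given non-root users access to the tape device nodes. The following audit script is an added example, not part of the bug report or the st driver: it flags /dev/st* and /dev/nst* nodes that a non-root user could open. The live scan assumes GNU stat(1); the decision logic runs on constructed "path mode owner group" lines so it can be exercised without tape hardware.

```sh
#!/bin/sh
# Added example (not from the bug report): audit SCSI tape device nodes for
# permissions that let non-root users open them.  Assumes the Linux st driver
# device names /dev/st* and /dev/nst* and GNU stat(1) for the live scan.

# Returns 0 (true) when a three-digit octal mode grants read or write access
# to group or other.  $1 is a mode string such as "660" or "0600".
mode_exposes_non_root() {
    prefix=${1%???}
    perm=${1#"$prefix"}           # keep the last three octal digits
    grp=${perm#?}; grp=${grp%?}   # group digit
    oth=${perm#??}                # other digit
    case "$grp$oth" in
        00|01|10|11) return 1 ;;  # at most execute bits set: no open() possible
        *) return 0 ;;
    esac
}

# Reads "path mode owner group" lines on stdin and prints the nodes that a
# non-root user could open, together with the reason.
audit_tape_lines() {
    while read -r path mode owner group; do
        [ -n "$path" ] || continue
        if [ "$owner" != root ]; then
            printf '%s owned by %s\n' "$path" "$owner"
        elif mode_exposes_non_root "$mode"; then
            printf '%s mode %s group %s\n' "$path" "$mode" "$group"
        fi
    done
}

# Live scan of the st driver's device nodes (GNU stat format assumed).
audit_tape_devices() {
    for dev in /dev/st* /dev/nst*; do
        [ -c "$dev" ] || continue
        stat -c '%n %a %U %G' "$dev"
    done | audit_tape_lines
}

# Constructed sample for a dry run: one safe node, two nodes opened up by
# mode, and one node handed to a non-root owner.
sample_tape_lines() {
    printf '%s\n' \
        '/dev/st0 600 root root' \
        '/dev/nst0 660 root tape' \
        '/dev/st1 666 root root' \
        '/dev/nst1 600 backup backup'
}
```

Run `sample_tape_lines | audit_tape_lines` for the dry run, or `audit_tape_devices` on a host with tape drives; an empty result means every node is root-only, the situation comment #2 describes as the usual one.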
For reference, this is the patch that has been tentatively agreed upon upstream. It is not formally checked in yet, though, so I'll wait a bit before posting it on rhkernel-list. Adding to the proposed list for U2. From linux-scsi-owner.org Sun May 1 14:10:18 2005 Date: Sun, 1 May 2005 21:11:55 +0300 (EEST) From: Kai Makisara <Kai.Makisara> To: linux-scsi.org Subject: [PATCH 2.6] SCSI tape: fix permissions for SG_IO, etc. This patch is against 2.6.12-rc3 + linus-patch from April 30. The patch contains the following fixes: - CAP_SYS_RAWIO is used instead of CAP_SYS_ADMIN; fix from Alan Cox - only direct sending of SCSI commands requires this permission - the st status is modified is successful unload is performed using SCSI_IOCTL_STOP_UNIT Signed-off-by: Kai Makisara <kai.makisara> --- linux-2.6.12-rc3-300405/drivers/scsi/st.c 2005-04-05 22:36:16.000000000 +0300 +++ linux-2.6.12-rc3-300405-k1/drivers/scsi/st.c 2005-05-01 20:45:27.000000000 +0300 @@ -17,7 +17,7 @@ Last modified: 18-JAN-1998 Richard Gooch <rgooch.au> Devfs support */ -static char *verstr = "20050312"; +static char *verstr = "20050501"; #include <linux/module.h> @@ -29,6 +29,7 @@ static char *verstr = "20050312"; #include <linux/string.h> #include <linux/errno.h> #include <linux/mtio.h> +#include <linux/cdrom.h> #include <linux/ioctl.h> #include <linux/fcntl.h> #include <linux/spinlock.h> @@ -50,6 +51,7 @@ static char *verstr = "20050312"; #include <scsi/scsi_host.h> #include <scsi/scsi_ioctl.h> #include <scsi/scsi_request.h> +#include <scsi/sg.h> /* The driver prints some debugging information on the console if DEBUG @@ -3463,7 +3465,10 @@ static int st_ioctl(struct inode *inode, case SCSI_IOCTL_GET_BUS_NUMBER: break; default: - if (!capable(CAP_SYS_ADMIN)) + if ((cmd_in == SG_IO || + cmd_in == SCSI_IOCTL_SEND_COMMAND || + cmd_in == CDROM_SEND_PACKET) && + !capable(CAP_SYS_RAWIO)) i = -EPERM; else i = scsi_cmd_ioctl(file, STp->disk, cmd_in, p); 
@@ -3471,10 +3476,12 @@ static int st_ioctl(struct inode *inode, return i; break; } - if (!capable(CAP_SYS_ADMIN) && - (cmd_in == SCSI_IOCTL_START_UNIT || cmd_in == SCSI_IOCTL_STOP_UNIT)) - return -EPERM; - return scsi_ioctl(STp->device, cmd_in, p); + retval = scsi_ioctl(STp->device, cmd_in, p); + if (!retval && cmd_in == SCSI_IOCTL_STOP_UNIT) { /* unload */ + STp->rew_at_close = 0; + STp->ready = ST_NO_TAPE; + } + return retval; out: up(&STp->lock);
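Review bot: in the `@@ -3463,7 +3465,10 @@` hunk the `default:` branch now checks CAP_SYS_RAWIO only for `SG_IO`, `SCSI_IOCTL_SEND_COMMAND` and `CDROM_SEND_PACKET`; every other value that reaches `scsi_cmd_ioctl(file, STp->disk, cmd_in, p)` is passed through with no capability check at all, so the driver depends entirely on the midlayer command filter for those, which Alan Cox's comment above says still needs tuning for tape. State that reliance in the patch description, or keep a conservative default until the midlayer filter is tape-aware.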
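Review bot: the `@@ -3471,10 +3476,12 @@` hunk removes the CAP_SYS_ADMIN check on `SCSI_IOCTL_START_UNIT` and `SCSI_IOCTL_STOP_UNIT` entirely, so unloading the tape via STOP_UNIT becomes available to every user with open() permission on the node, which is the "unusable for other users" effect from the bug description; the patch description says only direct sending of SCSI commands needs the capability, so confirm that relaxation is intended and say so explicitly. Also, `retval` is assigned from `scsi_ioctl(STp->device, cmd_in, p)` but its declaration is outside the visible context, so check that st_ioctl() already declares it or add `int retval;`.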
This bug should be public, the acks have broken that; please fix asap.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-514.html