[dm-devel] [PATCH 5/8] dm/connector: Only process connector packages from privileged processes
Jonathan Brassow
jbrassow at redhat.com
Fri Oct 2 16:40:10 UTC 2009
This patch (and "[dm-devel] [PATCH 3/8] connector/dm: Fixed a
compilation warning") will likely collide with an earlier patch (which
agk is pushing) to fix the compilation warning
(https://www.redhat.com/archives/dm-devel/2009-September/msg00218.html),
but the fix-up will be trivial.
The dm-log-userspace code checks that incoming messages correspond to
requests that were sent to userspace by way of a sequence number. If
they don't correspond, they are dropped. So, you must be able to
receive the messages from this kernel module (be root) in order to be
able to respond with a message that will be accepted. I can't completely
rule out the ability to guess a sequence number, and be able to beat
the log daemon in responding while the window of that sequence
number's validity is open though... If someone could manage to pull
this off with accuracy, they could disrupt the creation of a device,
mimic a log device failure, or cause mirror resynchronization to occur
to a different area that may simultaneously be performing a write
(potential data corruption of a mirror). It would be an impressive
feat to accomplish this, but I very much welcome the patch rather than
test fate.
Reviewed-by: Jonathan Brassow <jbrassow at redhat.com>
brassow
On Oct 2, 2009, at 7:40 AM, Philipp Reisner wrote:
> Signed-off-by: Philipp Reisner <philipp.reisner at linbit.com>
> ---
> drivers/md/dm-log-userspace-transfer.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/md/dm-log-userspace-transfer.c b/drivers/md/dm-
> log-userspace-transfer.c
> index 1327e1a..54abf9e 100644
> --- a/drivers/md/dm-log-userspace-transfer.c
> +++ b/drivers/md/dm-log-userspace-transfer.c
> @@ -133,6 +133,9 @@ static void cn_ulog_callback(struct cn_msg *msg,
> struct netlink_skb_parms *nsp)
> {
> struct dm_ulog_request *tfr = (struct dm_ulog_request *)(msg + 1);
>
> + if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> + return;
> +
> spin_lock(&receiving_list_lock);
> if (msg->len == 0)
> fill_pkg(msg, NULL);
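Review bot: The early return added at the top of cn_ulog_callback() is undocumented: there is no comment on the `cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)` test, and the commit message consists only of the Signed-off-by line, so the reason for dropping packets from unprivileged senders is not recorded with the change. Please add a short comment above the check and a commit body explaining it. Since the drop is silent, also consider whether a rate-limited debug message would help when diagnosing a log daemon whose replies are being discarded.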
> --
> 1.6.0.4
>
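The reply matching described in the message above, as a userspace C model added here (not the dm-log-userspace code and not part of the original thread): it shows that when the sequence number is the only match key the first reply wins, and that a sender-privilege check of the kind the patch adds rejects the unprivileged one. The names `send_request`, `handle_reply`, `race` and `sender_is_admin`, the sequence number 41 and the error value -5 are constructed for the example.

```c
/* Userspace model added for illustration; hypothetical names, not the kernel's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_PENDING 8
struct pending { uint32_t seq; bool open; int result; }; /* request awaiting a reply */
struct reply { uint32_t seq; int result; bool sender_is_admin; };
static struct pending receiving_list[MAX_PENDING];

/* Requesting side: record an outstanding request, return its slot. */
static struct pending *send_request(uint32_t seq)
{
    for (int i = 0; i < MAX_PENDING; i++)
        if (!receiving_list[i].open) {
            receiving_list[i] = (struct pending){ .seq = seq, .open = true };
            return &receiving_list[i];
        }
    return NULL;
}

/* Reply path: true if the reply completed a pending request. */
static bool handle_reply(const struct reply *r, bool require_admin)
{
    if (require_admin && !r->sender_is_admin)
        return false; /* models the privilege check the patch adds */
    for (int i = 0; i < MAX_PENDING; i++) {
        struct pending *p = &receiving_list[i];
        if (p->open && p->seq == r->seq) { /* seq is the only match key */
            p->result = r->result;
            p->open = false; /* window closes on the first accepted reply */
            return true;
        }
    }
    return false; /* no open request with that sequence number: dropped */
}

/* An unprivileged reply with the right seq arrives before the daemon's. */
static int race(bool require_admin)
{
    struct pending *p = send_request(41); /* constructed sequence number */
    struct reply forged = { .seq = 41, .result = -5, .sender_is_admin = false };
    struct reply daemon = { .seq = 41, .result = 0, .sender_is_admin = true };
    handle_reply(&forged, require_admin);
    handle_reply(&daemon, require_admin);
    return p ? p->result : 1; /* result the requester ends up with */
}
int main(void)
{
    printf("seq only: %d, with privilege check: %d\n", race(false), race(true));
}
```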