[dm-devel] [PATCH 5/8] dm/connector: Only process connector packages from privileged processes

Jonathan Brassow jbrassow at redhat.com
Fri Oct 2 16:40:10 UTC 2009


This patch (and "[dm-devel] [PATCH 3/8] connector/dm: Fixed a
compilation warning") will likely collide with an earlier patch (which
agk is pushing) to fix the compilation warning
(https://www.redhat.com/archives/dm-devel/2009-September/msg00218.html),
but the fix-up will be trivial.

The dm-log-userspace code checks that incoming messages correspond to  
requests that were sent to userspace by way of a sequence number.  If  
they don't correspond, they are dropped.  So, you must be able to  
receive the messages from this kernel module (be root) in order to be
able to respond with a message that will be accepted.  I can't completely
rule out the ability to guess a sequence number, and be able to beat  
the log daemon in responding while the window of that sequence  
number's validity is open though...  If someone could manage to pull  
this off with accuracy, they could disrupt the creation of a device,  
mimic a log device failure, or cause mirror resynchronization to occur  
to a different area that may simultaneously be performing a write  
(potential data corruption of a mirror).  It would be an impressive  
feat to accomplish this, but I very much welcome the patch rather than  
test fate.

Reviewed-by: Jonathan Brassow <jbrassow at redhat.com>

  brassow

On Oct 2, 2009, at 7:40 AM, Philipp Reisner wrote:

> Signed-off-by: Philipp Reisner <philipp.reisner at linbit.com>
> ---
> drivers/md/dm-log-userspace-transfer.c |    3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/md/dm-log-userspace-transfer.c b/drivers/md/dm- 
> log-userspace-transfer.c
> index 1327e1a..54abf9e 100644
> --- a/drivers/md/dm-log-userspace-transfer.c
> +++ b/drivers/md/dm-log-userspace-transfer.c
> @@ -133,6 +133,9 @@ static void cn_ulog_callback(struct cn_msg *msg,  
> struct netlink_skb_parms *nsp)
> {
> 	struct dm_ulog_request *tfr = (struct dm_ulog_request *)(msg + 1);
>
> +	if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> +		return;
> +
> 	spin_lock(&receiving_list_lock);
> 	if (msg->len == 0)
> 		fill_pkg(msg, NULL);
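
Review bot: The early return added at the top of cn_ulog_callback() drops the message silently and carries no comment, and the commit message has no body beyond the Signed-off-by line. Please add a short comment above the cap_raised(nsp->eff_cap, CAP_SYS_ADMIN) test saying that replies are only accepted from a privileged sender, and describe in the commit message what an unprivileged sender could otherwise do. A rate-limited debug message on the rejected path would also help when diagnosing a log daemon that was started without the capability. Placing the check before spin_lock(&receiving_list_lock) is right, since the rejected path then never touches the receiving list.
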
> -- 
> 1.6.0.4
>
> --
> dm-devel mailing list
> dm-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/dm-devel
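
The acceptance logic described in the reply above, as an added userspace model that is not code from the patch or from dm-log-userspace: it shows a reply from an unprivileged sender with a matching sequence number being accepted by the sequence check alone and dropped once the capability check runs first. All names are hypothetical, the sequence numbers are constructed, and the effective capability set is simplified to one 32-bit mask.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not a kernel symbol. */
#define MODEL_CAP_SYS_ADMIN (1u << 21) /* CAP_SYS_ADMIN is capability 21 */
#define MAX_PENDING 8

enum verdict { ACCEPTED, DROP_UNPRIVILEGED, DROP_UNKNOWN_SEQ };

struct pending { uint32_t seq; bool in_use; };
static struct pending pending_list[MAX_PENDING];

/* Record a request sent to userspace that now awaits a reply. */
static bool add_pending(uint32_t seq)
{
    for (size_t i = 0; i < MAX_PENDING; i++) {
        if (!pending_list[i].in_use) {
            pending_list[i] = (struct pending){ .seq = seq, .in_use = true };
            return true;
        }
    }
    return false;
}

/* require_cap == false: sequence-number check alone.
 * require_cap == true: sender capabilities are checked first. */
static enum verdict handle_reply(uint32_t eff_cap, uint32_t seq, bool require_cap)
{
    if (require_cap && !(eff_cap & MODEL_CAP_SYS_ADMIN))
        return DROP_UNPRIVILEGED;
    for (size_t i = 0; i < MAX_PENDING; i++) {
        if (pending_list[i].in_use && pending_list[i].seq == seq) {
            pending_list[i].in_use = false; /* one reply per request */
            return ACCEPTED;
        }
    }
    return DROP_UNKNOWN_SEQ;
}

int main(void)
{
    add_pending(100); /* constructed sequence numbers */
    add_pending(101);
    printf("seq only, unprivileged sender: %d\n", handle_reply(0, 100, false));
    printf("with cap check, unprivileged:  %d\n", handle_reply(0, 101, true));
    printf("with cap check, privileged:    %d\n", handle_reply(MODEL_CAP_SYS_ADMIN, 101, true));
    return 0;
}
```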
