aacraid: fix security hole (CVE-2007-4308)

On the SCSI layer ioctl path there is no implicit permissions check for ioctls (and indeed other drivers implement unprivileged ioctls). aacraid however allows all sorts of very admin only things to be done so should check. Signed-off-by: Alan Cox <alan@redhat.com> Acked-by: Mark Salyzyn <mark_salyzyn@adaptec.com> Signed-off-by: Adrian Bunk <bunk@kernel.org>
author: Alan Cox <alan@redhat.com> 2007-11-02 03:41:27 +0100
committer: Adrian Bunk <bunk@kernel.org> 2007-11-02 03:41:27 +0100
commit: 401ef3d54cde6967c856b8fb362a91f406750767 (patch)
tree: 32e471312dce43648f063a94283c9cfb44eeff77
parent: da8262844e325cc9361114c55e8507c1fee54941 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index 271617890562..19a4579e3578 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -539,6 +539,8 @@ static int aac_cfg_open(struct inode *inode, struct file *file)
 static int aac_cfg_ioctl(struct inode *inode,  struct file *file,
 		unsigned int cmd, unsigned long arg)
 {
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	return aac_do_ioctl(file->private_data, cmd, (void __user *)arg);
 }
 
@@ -592,6 +594,8 @@ static int aac_compat_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
 
 static long aac_compat_cfg_ioctl(struct file *file, unsigned cmd, unsigned long arg)
 {
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	return aac_compat_do_ioctl((struct aac_dev *)file->private_data, cmd, arg);
 }
 #endif
author	Alan Cox <alan@redhat.com>	2007-11-02 03:41:27 +0100
committer	Adrian Bunk <bunk@kernel.org>	2007-11-02 03:41:27 +0100
commit	401ef3d54cde6967c856b8fb362a91f406750767 (patch)
tree	32e471312dce43648f063a94283c9cfb44eeff77
parent	da8262844e325cc9361114c55e8507c1fee54941 (diff)