Previously, the only capability effectively required to operate on the /proc/scsi interface was CAP_DAC_OVERRIDE (or for some other files, having an fsuid of GLOBAL_ROOT_UID was enough). This means that semi-privileged processes could interfere with core components of a system (such as causing a DoS by removing the underlying SCSI device of the host's / mount). Cc: <stable@xxxxxxxxxxxxxxx> Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> Signed-off-by: Aleksa Sarai <asarai@xxxxxxx> --- drivers/scsi/scsi_proc.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_proc.c b/drivers/scsi/scsi_proc.c index 480a597b3877..05d70e200c5f 100644 --- a/drivers/scsi/scsi_proc.c +++ b/drivers/scsi/scsi_proc.c @@ -27,6 +27,7 @@ #include <linux/mutex.h> #include <linux/gfp.h> #include <linux/uaccess.h> +#include <linux/capability.h> #include <scsi/scsi.h> #include <scsi/scsi_device.h> @@ -51,7 +52,10 @@ static ssize_t proc_scsi_host_write(struct file *file, const char __user *buf, struct Scsi_Host *shost = PDE_DATA(file_inode(file)); ssize_t ret = -ENOMEM; char *page; - + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + if (count > PROC_BLOCK_SIZE) return -EOVERFLOW; @@ -313,6 +317,9 @@ static ssize_t proc_scsi_write(struct file *file, const char __user *buf, char *buffer, *p; int err; + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + if (!buf || length > PAGE_SIZE) return -EINVAL; -- 2.14.3
