This is a note to let you know that I've just added the patch titled scsi: iscsi: Restrict sessions and handles to admin capabilities to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: scsi-iscsi-restrict-sessions-and-handles-to-admin-capabilities.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 688e8128b7a92df982709a4137ea4588d16f24aa Mon Sep 17 00:00:00 2001 From: Lee Duncan <lduncan@xxxxxxxx> Date: Tue, 23 Feb 2021 13:06:24 -0800 Subject: scsi: iscsi: Restrict sessions and handles to admin capabilities From: Lee Duncan <lduncan@xxxxxxxx> commit 688e8128b7a92df982709a4137ea4588d16f24aa upstream. Protect the iSCSI transport handle, available in sysfs, by requiring CAP_SYS_ADMIN to read it. Also protect the netlink socket by restricting reception of messages to ones sent with CAP_SYS_ADMIN. This disables normal users from being able to end arbitrary iSCSI sessions. Cc: stable@xxxxxxxxxxxxxxx Reported-by: Adam Nichols <adam@xxxxxxxxxxxx> Reviewed-by: Chris Leech <cleech@xxxxxxxxxx> Reviewed-by: Mike Christie <michael.christie@xxxxxxxxxx> Signed-off-by: Lee Duncan <lduncan@xxxxxxxx> Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/scsi/scsi_transport_iscsi.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/scsi/scsi_transport_iscsi.c +++ b/drivers/scsi/scsi_transport_iscsi.c @@ -119,6 +119,9 @@ show_transport_handle(struct device *dev char *buf) { struct iscsi_internal *priv = dev_to_iscsi_internal(dev); + + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; return sprintf(buf, "%llu\n", (unsigned long long)iscsi_handle(priv->iscsi_transport)); } static DEVICE_ATTR(handle, S_IRUGO, show_transport_handle, NULL); @@ -3523,6 +3526,9 @@ iscsi_if_recv_msg(struct sk_buff *skb, s struct iscsi_cls_conn *conn; struct iscsi_endpoint *ep = NULL; + if (!netlink_capable(skb, CAP_SYS_ADMIN)) + return -EPERM; + if (nlh->nlmsg_type == ISCSI_UEVENT_PATH_UPDATE) *group = ISCSI_NL_GRP_UIP; else Patches currently in stable-queue which might be from lduncan@xxxxxxxx are queue-4.4/scsi-iscsi-restrict-sessions-and-handles-to-admin-capabilities.patch queue-4.4/scsi-iscsi-ensure-sysfs-attributes-are-limited-to-page_size.patch queue-4.4/scsi-iscsi-verify-lengths-on-passthrough-pdus.patch