This is a note to let you know that I've just added the patch titled libnvdimm: Fix security issue with DSM IOCTL. to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: libnvdimm-fix-security-issue-with-dsm-ioctl.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 07accfa9d1a8bac8262f6d24a94a54d2d1f35149 Mon Sep 17 00:00:00 2001 From: Jerry Hoemann <jerry.hoemann@xxxxxxx> Date: Wed, 6 Jan 2016 16:03:41 -0700 Subject: libnvdimm: Fix security issue with DSM IOCTL. From: Jerry Hoemann <jerry.hoemann@xxxxxxx> commit 07accfa9d1a8bac8262f6d24a94a54d2d1f35149 upstream. Code attempts to prevent certain IOCTL DSM from being called when device is opened read only. This security feature can be trivially overcome by changing the size portion of the ioctl_command which isn't used. Check only the _IOC_NR (i.e. the command). Signed-off-by: Jerry Hoemann <jerry.hoemann@xxxxxxx> Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/nvdimm/bus.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/drivers/nvdimm/bus.c +++ b/drivers/nvdimm/bus.c @@ -513,10 +513,10 @@ static int __nd_ioctl(struct nvdimm_bus /* fail write commands (when read-only) */ if (read_only) - switch (ioctl_cmd) { - case ND_IOCTL_VENDOR: - case ND_IOCTL_SET_CONFIG_DATA: - case ND_IOCTL_ARS_START: + switch (cmd) { + case ND_CMD_VENDOR: + case ND_CMD_SET_CONFIG_DATA: + case ND_CMD_ARS_START: dev_dbg(&nvdimm_bus->dev, "'%s' command while read-only.\n", nvdimm ? nvdimm_cmd_name(cmd) : nvdimm_bus_cmd_name(cmd)); Patches currently in stable-queue which might be from jerry.hoemann@xxxxxxx are queue-4.4/libnvdimm-fix-security-issue-with-dsm-ioctl.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html