tcmur: fail cross-device XCOPY requests #644

Merged Jan 13, 2021 (1 commit)

@ddiss ddiss commented Jan 12, 2021

tcmu-runner can't determine whether the device(s) referred to in XCOPY
Copy Source/Copy Destination (CSCD) descriptors should be accessible to
the initiator via transport settings, ACLs, etc. Consequently, fail
XCOPY requests with CSCD descriptors which refer to any device other
than where the XCOPY request is processed.

References: CVE-2020-28374
Fixes: 9c86bd0 ("tcmur: Add emulate XCOPY command support")
Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Lee Duncan <lduncan@suse.com>
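
The check described in the commit message above, sketched as an added example (not tcmu-runner's own code): every CSCD descriptor in the XCOPY parameter list must be an identification descriptor whose NAA designator matches the device handling the request, otherwise the request is failed. It assumes the SPC-4 layout of the EXTENDED COPY (LID1) parameter list; the function names and the sample NAA value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   16    /* EXTENDED COPY (LID1) parameter list header */
#define CSCD_LEN  32    /* size of one CSCD descriptor */
#define NAA_LEN   16    /* NAA IEEE Registered Extended designator */

/* 1 if the identification descriptor (type 0xE4) names the local device. */
static int cscd_is_local(const uint8_t *d, const uint8_t *local_naa)
{
    if (d[0] != 0xE4) return 0;            /* not an identification CSCD */
    if ((d[4] & 0x0f) != 0x1) return 0;    /* code set must be binary */
    if ((d[5] & 0x30) != 0x00) return 0;   /* association: logical unit */
    if ((d[5] & 0x0f) != 0x3) return 0;    /* designator type: NAA */
    if (d[7] != NAA_LEN) return 0;         /* designator length */
    return memcmp(d + 8, local_naa, NAA_LEN) == 0;
}

/* 1 only if every CSCD descriptor is local; 0 means fail the XCOPY. */
int xcopy_cscds_all_local(const uint8_t *p, size_t len, const uint8_t *local_naa)
{
    size_t list_len, off;
    if (len < HDR_LEN) return 0;
    list_len = ((size_t)p[2] << 8) | p[3]; /* CSCD descriptor list length */
    if (!list_len || list_len % CSCD_LEN || list_len > len - HDR_LEN) return 0;
    for (off = HDR_LEN; off < HDR_LEN + list_len; off += CSCD_LEN)
        if (!cscd_is_local(p + off, local_naa)) return 0;
    return 1;
}

/* Constructed sample: source and destination CSCDs; foreign_dst alters one. */
int demo(int foreign_dst)
{
    uint8_t local[NAA_LEN] = { 0x60, 0x01, 0x02, 0x03 };  /* made-up NAA */
    uint8_t p[HDR_LEN + 2 * CSCD_LEN] = { 0 };
    int i;
    p[3] = 2 * CSCD_LEN;
    for (i = 0; i < 2; i++) {
        uint8_t *d = p + HDR_LEN + i * CSCD_LEN;
        d[0] = 0xE4; d[4] = 0x1; d[5] = 0x3; d[7] = NAA_LEN;
        memcpy(d + 8, local, NAA_LEN);
    }
    if (foreign_dst) p[HDR_LEN + CSCD_LEN + 8 + 15] ^= 0xff;
    return xcopy_cscds_all_local(p, sizeof(p), local);
}

int main(void) { printf("%d %d\n", demo(0), demo(1)); return 0; }
```

The length checks reject a descriptor list that is empty, not a multiple of 32 bytes, or longer than the received buffer, so a truncated parameter list fails closed as well.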

@pkalever pkalever left a comment

Looks good to me.

@dillaman dillaman left a comment

lgtm

ddiss commented Jan 13, 2021

JFYI, @msmeissn mentioned that there's a new CVE number to track this separate to the Linux kernel fix:

For tcmu-runner Mitre suggested that we use a different CVE as it's not the same codebase.
Please use CVE-2021-3139 for tcmu-runner.
