A privilege escalation via SCSI pass-through
Posted Jan 7, 2012 22:02 UTC (Sat) by giraffedata
In reply to: A privilege escalation via SCSI pass-through
Parent article: A privilege escalation via SCSI pass-through
However, please look at the title: "SCSI pass-through".
The pass-through that refers to is passing through the block layer, so as to access the underlying SCSI storage device instead of the block device. In a virtual machine, the underlying SCSI storage device is a virtual SCSI device which itself uses an underlying real SCSI device as a resource. The issuer of a pass-through ioctl isn't supposed to have any concept of a VM host.
The kind of pass-through you're talking about is also a reasonable concept, but the way you would implement it is by defining a pass-through SCSI command class (analogous to Write or Request Sense or Eject) and having the virtual SCSI device implement it. The Passthrough CDB would include a CDB to be passed through.
It does not make any sense for an "eject" command specifying a virtual device to cause a real flash drive to eject, but there could be a "hosteject" command that ejects the underlying real flash drive. It would use a SCSI passthrough ioctl that specifies a CDB that specifies a Passthrough SCSI command that specifies an Eject command.
Leaving out the whole virtual machine scenario, it's probably just as reasonable to do SCSI pass-through to a partition block device as to a whole-device block device. In both cases, the user is insinuating himself into Linux internals -- the fact that Linux uses a SCSI device in some way to implement the block device.