
A privilege escalation via SCSI pass-through


Posted Jan 5, 2012 21:51 UTC (Thu) by dougg (guest, #1894)
Parent article: A privilege escalation via SCSI pass-through

If the VM vendors were doing their job properly then SCSI targets accessible from within a VM would themselves be virtual; for example with storage backed from a file (or partition) on the host machine. If VM vendors let a physical disk be accessed from within a VM then they should not be too surprised there might be security problems. The SANITIZE command (both ATA and SCSI) would be interesting.

Anyone thinking about command filtering should consider the SCSI command set (a moving target), the SAT standard and the fact that protocols other than SCSI use the SG_IO ioctl (e.g. SMP).

P.S. One would think Paolo Bonzini might bring up the subject on the linux-scsi list.


A privilege escalation via SCSI pass-through

Posted Jan 6, 2012 10:01 UTC (Fri) by drag (subscriber, #31333)

> If the VM vendors were doing their job properly then SCSI targets accessible from within a VM would themselves be virtual; for example with storage backed from a file (or partition) on the host machine.

From what I've read...

No. From a file, yes. From a partition: No.

Any block device. It does not have to do with iSCSI or SCSI or anything like that in particular. It's any block device on a storage device that uses SCSI subsystem, which is going to be most things. That means whole disks, partitions, and logical volumes on most storage devices (such as SATA drives) are vulnerable.

On my KVM virtual machines I use LVM because of the performance advantage of using block devices directly rather than through file-backed storage.

This bug is a bit disheartening.

A privilege escalation via SCSI pass-through

Posted Jan 6, 2012 10:02 UTC (Fri) by lacos (subscriber, #70616)

> SCSI targets accessible from within a VM would themselves be virtual; for example with storage backed from a file (or partition) on the host machine

That's about the default: virtual disks. However, please look at the title: "SCSI pass-through". The idea is to let the guest use the host's resource directly, with its own driver (strictly restricted to boundaries configured in the host).

What's passed-through is a partition, not a complete disk. So the configuration is correct, the partition is basically dedicated to the guest. But the boundaries (i.e. partition, not full drive) are not properly enforced by the host.

Just my two cents.
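An audit check for the boundary lacos describes above, and for the SG_IO surface dougg mentions in the opening comment, as an added example that is not part of this thread or of any project discussed in it: it opens a block device node, issues a read-only INQUIRY through the SG_IO ioctl, and reports whether the kernel forwarded the CDB to the underlying device or refused it. The verdict names, the errno-to-verdict mapping and the device path are this example's own assumptions. Run it as the unprivileged user the VM process runs as, against a partition node that has been handed to a guest; a refusal means the host enforces the partition boundary for that caller, an accepted INQUIRY means raw CDBs reach the whole device.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <scsi/sg.h>

/* Outcome of trying a harmless pass-through command on a block device node
 * (names are this example's own). */
enum sgio_result {
    SGIO_ALLOWED,      /* node accepted a raw CDB: pass-through reaches the device */
    SGIO_BLOCKED,      /* kernel refused the ioctl or the privilege: boundary enforced */
    SGIO_UNAVAILABLE   /* could not open the node, or an unrelated error */
};

/* Build a 6-byte standard INQUIRY CDB (SPC opcode 0x12).  INQUIRY only reads
 * identification data, so it is a safe probe of whether the node forwards
 * CDBs at all.  Returns the CDB length, or 0 if the buffer is too small. */
size_t build_inquiry_cdb(unsigned char *cdb, size_t cdb_len, uint16_t alloc_len)
{
    if (cdb_len < 6)
        return 0;
    memset(cdb, 0, 6);
    cdb[0] = 0x12;
    cdb[3] = (unsigned char)(alloc_len >> 8);     /* allocation length, MSB */
    cdb[4] = (unsigned char)(alloc_len & 0xff);   /* allocation length, LSB */
    return 6;
}

/* Map the errno of a failed SG_IO to an audit verdict (assumed mapping).
 * ENOTTY: the block layer does not offer the ioctl on this node.
 * EPERM/EACCES: the caller lacks the privilege the kernel demands for it.
 * Both mean the boundary held; anything else (e.g. ENODEV) is inconclusive. */
enum sgio_result classify_sgio_errno(int err)
{
    switch (err) {
    case ENOTTY:
    case EPERM:
    case EACCES:
        return SGIO_BLOCKED;
    default:
        return SGIO_UNAVAILABLE;
    }
}

/* Open a block device node and try an INQUIRY through SG_IO.
 * Returns the verdict and stores errno (0 on success) in *err. */
enum sgio_result probe_sgio(const char *path, int *err)
{
    unsigned char cdb[6], sense[32], data[96];
    struct sg_io_hdr io;
    int fd, rc;

    fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) {
        *err = errno;
        return SGIO_UNAVAILABLE;
    }
    memset(&io, 0, sizeof io);
    io.interface_id = 'S';
    io.cmd_len = (unsigned char)build_inquiry_cdb(cdb, sizeof cdb, sizeof data);
    io.cmdp = cdb;
    io.dxfer_direction = SG_DXFER_FROM_DEV;
    io.dxfer_len = sizeof data;
    io.dxferp = data;
    io.mx_sb_len = sizeof sense;
    io.sbp = sense;
    io.timeout = 5000;   /* milliseconds */

    rc = ioctl(fd, SG_IO, &io);
    *err = (rc < 0) ? errno : 0;
    close(fd);
    return (rc < 0) ? classify_sgio_errno(*err) : SGIO_ALLOWED;
}

int main(int argc, char **argv)
{
    int err = 0;

    if (argc != 2) {
        fprintf(stderr, "usage: %s /dev/<partition-node>\n", argv[0]);
        return 2;
    }
    switch (probe_sgio(argv[1], &err)) {
    case SGIO_ALLOWED:
        printf("%s: SG_IO accepted, raw CDBs reach the underlying device\n", argv[1]);
        break;
    case SGIO_BLOCKED:
        printf("%s: SG_IO refused (%s), pass-through boundary enforced\n",
               argv[1], strerror(err));
        break;
    default:
        printf("%s: inconclusive (%s)\n", argv[1], strerror(err));
    }
    return 0;
}
```

The probe deliberately uses INQUIRY and opens the node read-only, so it answers only the question that matters for the audit (does this node forward CDBs to this caller?) without touching data. A whole-disk node will normally report SGIO_ALLOWED; the interesting result is what a partition node reports to the account that runs the guest.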

A privilege escalation via SCSI pass-through

Posted Jan 7, 2012 22:02 UTC (Sat) by giraffedata (subscriber, #1954)

> However, please look at the title: "SCSI pass-through".

The pass-through that refers to is passing through the block layer, so as to access the underlying SCSI storage device instead of the block device. In a virtual machine, the underlying SCSI storage device is a virtual SCSI device which itself uses an underlying real SCSI device as a resource. The issuer of a pass-through ioctl isn't supposed to have any concept of a VM host.

The kind of pass-through you're talking about is also a reasonable concept, but the way you would implement it is by defining a pass-through SCSI command class (analogous to Write or Request Sense or Eject) and having the virtual SCSI device implement it. The Passthrough CDB would include a CDB to be passed through.

It does not make any sense for an "eject" command specifying a virtual device to cause a real flash drive to eject, but there could be a "hosteject" command that ejects the underlying real flash drive. It would use a SCSI passthrough ioctl that specifies a CDB that specifies a Passthrough SCSI command that specifies an Eject command.

Leaving out the whole virtual machine scenario, it's probably just as reasonable to do SCSI pass-through to a partition block device as to a whole-device block device. In both cases, the user is insinuating himself into Linux internals -- the fact that Linux uses a SCSI device in some way to implement the block device.

A privilege escalation via SCSI pass-through

Posted Jan 9, 2012 11:15 UTC (Mon) by pbonzini (subscriber, #60935)

> P.S. One would think Paolo Bonzini might bring up the subject on the linux-scsi list.

This suggests that MAINTAINERS needs some care in this area.

In any case, the patches were so intrusive that they could only go in directly through Linus.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds