From: John Feeney <jfeeney@redhat.com>
Date: Tue, 12 Oct 2010 22:11:39 -0400
Subject: [s390] dasd_eckd: remove PSF order/suborder ioctl check
Message-id: <4CB4DD1B.402@redhat.com>
Patchwork-id: 28720
O-Subject: [RHEL5.6 PATCH] Remove PSF order/suborder check for dasd ioctl
Bugzilla: 565973
RH-Acked-by: Bob Picco <bpicco@redhat.com>
RH-Acked-by: Dean Nelson <dnelson@redhat.com>
RH-Acked-by: Don Zickus <dzickus@redhat.com>

bz565973
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=565973
[EMC 5.6 bug] security and PSF update patch for EMC CKD ioctl

Description of problem:
The EMC Symmetrix CKD dasd ioctl has an unnecessary order/
suborder check.

Solution:
Remove the unnecessary check but do restrict the ioctl to
root only.

Upstream status:
The upstream commit:

From: Nigel Hislop <hislop_nigel@emc.com>
Date: Mon, 8 Mar 2010 11:25:16 +0000 (+0100)
Subject: [S390] dasd: security and PSF update patch for EMC CKD ioctl
52898025cf7d458d029c18773d0ef49b4789d829

[S390] dasd: security and PSF update patch for EMC CKD ioctl

Remove the PSF order/suborder check from the Symmetrix CKD dasd ioctl.
In exchange restrict the ioctl to CAP_SYS_ADMIN and CAP_SYS_RAWIO.

Brew:
Successfully built for all arches in Brew (task_2812247)

Testing:
EMC successfully tested this fix (refer to comment #11 in bz).

Acks would be appreciated. Thanks.

Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
index e61b91a..cb314c7 100644
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -1799,8 +1799,13 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
 	char *psf_data, *rssd_result;
 	struct dasd_ccw_req *cqr;
 	struct ccw1 *ccw;
+	char psf0, psf1;
 	int rc;
 
+	if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RAWIO))
+		return -EACCES;
+	psf0 = psf1 = 0;
+
 	/* Copy parms from caller */
 	rc = -EFAULT;
 	if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
@@ -1826,12 +1831,8 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
 			   (void __user *)(unsigned long) usrparm.psf_data,
 			   usrparm.psf_data_len))
 		goto out_free;
-
-	/* sanity check on syscall header */
-	if (psf_data[0] != 0x17 && psf_data[1] != 0xce) {
-		rc = -EINVAL;
-		goto out_free;
-	}
+	psf0 = psf_data[0];
+	psf1 = psf_data[1];
 
 	/* setup CCWs for PSF + RSSD */
 	cqr = dasd_smalloc_request("ECKD", 2 , 0, device);
@@ -1881,7 +1882,9 @@ out_free:
 	kfree(rssd_result);
 	kfree(psf_data);
 out:
-	DBF_DEV_EVENT(DBF_WARNING, device, "Symmetrix ioctl: rc=%d", rc);
+	DBF_DEV_EVENT(DBF_WARNING, device,
+		      "Symmetrix ioctl (0x%02x 0x%02x): rc=%d",
+		      (int) psf0, (int) psf1, rc);
 	return rc;
 }