tech-kern archive


Re: pass-through linux ioctl for mfi(4)



On Sun, Sep 16, 2012 at 05:29:38PM +0200, Manuel Bouyer wrote:
> On Sun, Sep 16, 2012 at 10:43:40AM -0400, Thor Lancelot Simon wrote:
> > On Sun, Sep 16, 2012 at 03:23:22PM +0200, Manuel Bouyer wrote:
> > > Hello,
> > > the attached patch adds a pass-through ioctl interface, with the
> > > necessary linux compat code, for mfi(4). This allows running the
> > > linux binary of the MegaCLI tool provided by LSI logic.
> > 
> > This ioctl is extremely dangerous.  The driver passes the command
> > to the device firmware with no parsing or access control of any
> > kind.  Are we really sure we want to support this?  It is a
> > truly gaping security hole.
> 
> Yes, of course it's a risk. We support a similar ioctl for other drivers,
> e.g. amr(4). The pass-through for scsi(4) and ata(4) devices could
> probably do something similar too.

The scsi and ata case is very different, because we have enough
documentation to allow us to parse the commands, and perform at least
some kind of access control -- even if we do not do so in all cases in
which we could.

The case of amr and mfi is very different: as far as I know, there is
no documentation whatsoever of the command format between megacli and
the card firmware, so we cannot, for example, allow hot-plugging or
even battery status checks without allowing overwriting arbitrary disk
blocks.  Ugly, ugly, ugly.

Thor
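
The contrast drawn in the message above, sketched as an added example (not part of the thread and not NetBSD driver code): a documented command format lets a pass-through path decide per command, while an opaque firmware frame leaves only an all-or-nothing privilege check. The function names, the query-only allowlist and the policy are assumptions made for illustration; the opcodes are standard SCSI ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
enum pt_verdict { PT_DENY = 0, PT_ALLOW = 1 };

/* CDB length from the opcode's group code (top 3 bits); 0 = not parseable. */
static size_t scsi_cdb_len(uint8_t op)
{
    static const uint8_t len_by_group[8] = { 6, 10, 10, 0, 16, 12, 0, 0 };
    return len_by_group[op >> 5];
}

/* Assumed policy: unprivileged callers may only query device state. */
static const uint8_t query_ops[] = {
    0x00 /* TEST UNIT READY */,   0x03 /* REQUEST SENSE */,
    0x12 /* INQUIRY */,           0x1a /* MODE SENSE(6) */,
    0x25 /* READ CAPACITY(10) */, 0x4d /* LOG SENSE */,
};

/* Documented format: the opcode is parseable, so the check is per command. */
enum pt_verdict scsi_pt_check(const uint8_t *cdb, size_t len, bool privileged)
{
    if (cdb == NULL || len == 0)
        return PT_DENY;
    size_t want = scsi_cdb_len(cdb[0]);
    if (want == 0)              /* unparseable group: privilege only */
        return privileged ? PT_ALLOW : PT_DENY;
    if (len != want)            /* malformed CDB: reject for everyone */
        return PT_DENY;
    if (privileged)
        return PT_ALLOW;
    for (size_t i = 0; i < sizeof query_ops / sizeof query_ops[0]; i++)
        if (cdb[0] == query_ops[i])
            return PT_ALLOW;
    return PT_DENY;             /* e.g. WRITE(10), FORMAT UNIT */
}

/* Undocumented frame: nothing to parse, so the decision is all-or-nothing. */
enum pt_verdict opaque_pt_check(const void *frame, size_t len, bool privileged)
{
    (void)frame;
    return (len != 0 && privileged) ? PT_ALLOW : PT_DENY;
}

int main(void)
{
    const uint8_t inquiry[6] = { 0x12, 0, 0, 0, 36, 0 }; /* constructed CDB */
    return scsi_pt_check(inquiry, sizeof inquiry, false) == PT_ALLOW ? 0 : 1;
}
```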

