floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (CVE-2018-7755)
parent bf27abcb1c
commit f46ed6ff17
@ -22,6 +22,10 @@ linux (4.18.8-2) UNRELEASED; urgency=medium
ACPI_APEI_EINJ, WDAT_WDT as modules
* [arm64] acpi: Add fixup for HPE m400 quirks

[ Salvatore Bonaccorso ]
* floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
(CVE-2018-7755)

-- Vagrant Cascadian <vagrant@debian.org> Tue, 18 Sep 2018 10:13:18 -0700

linux (4.18.8-1) unstable; urgency=medium

debian/patches/bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch (new file, 48 lines)
@ -0,0 +1,48 @@
From: Andy Whitcroft <apw@canonical.com>
Date: Thu, 20 Sep 2018 09:09:48 -0600
Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
Origin: https://git.kernel.org/linus/65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7755

The final field of a floppy_struct is the field "name", which is a pointer
to a string in kernel memory. The kernel pointer should not be copied to
user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
including this "name" field. This pointer cannot be used by the user
and it will leak a kernel address to user-space, which will reveal the
location of kernel code and data and undermine KASLR protection.

Model this code after the compat ioctl which copies the returned data
to a previously cleared temporary structure on the stack (excluding the
name pointer) and copy out to userspace from there. As we already have
an inparam union with an appropriate member and that memory is already
cleared even for read only calls make use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755
Signed-off-by: Andy Whitcroft <apw@canonical.com>

Broke up long line.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
drivers/block/floppy.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 48f622728ce6..f2b6f4da1034 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3467,6 +3467,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
(struct floppy_struct **)&outparam);
if (ret)
return ret;
+ memcpy(&inparam.g, outparam,
+ offsetof(struct floppy_struct, name));
+ outparam = &inparam.g;
break;
case FDMSGON:
UDP->flags |= FTD_MSG;
--
2.11.0

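Review bot: the floppy.c hunk is only safe because of the description's claim that inparam is already cleared for read-only ioctls; before accepting the backport, confirm in the 4.18.8 fd_locked_ioctl that the memset of inparam runs before the switch and is not gated on _IOC_WRITE, since `memcpy(&inparam.g, outparam, offsetof(struct floppy_struct, name))` deliberately leaves `name` (and any trailing padding) untouched and relies on those bytes being zero when `outparam = &inparam.g` is copied out. The `offsetof(struct floppy_struct, name)` bound is the right one: it excludes exactly the kernel pointer while keeping every geometry field, and because the staging buffer is pre-zeroed, alignment padding between fmt_gap and name cannot carry stack contents either. Since the Origin header points at the upstream commit, also check that the context at line 3467 matches the Debian 4.18.8 tree rather than the tree the upstream patch was generated from, so the hunk applies without fuzz.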
@ -143,6 +143,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch

# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch

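The leak the patch description explains, and the shape of the fix, as an added user-space C illustration that is not part of this commit or of the kernel source: a constructed copy of struct floppy_struct whose last field is a kernel-side pointer, constructed geometry values, memcpy standing in for copy_to_user(), and the hypothetical names fdgetprm_leaky/fdgetprm_fixed for the before and after behaviour.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct floppy_struct; what matters
 * here is only that the final field is a pointer into kernel memory. */
struct floppy_struct {
    unsigned int size, sect, head, track, stretch;
    unsigned char gap, rate, spec1, fmt_gap;
    const char *name;   /* kernel-side string; must never reach userspace */
};

/* Constructed "kernel" geometry entry (values are illustrative only). */
static const char kernel_name[] = "H1440";
static const struct floppy_struct kernel_geom = {
    2880, 18, 2, 80, 0, 0x1B, 0x00, 0xCF, 0x6C, kernel_name
};

/* Before the fix: the whole struct, name pointer included, is copied out
 * (memcpy stands in for copy_to_user()). */
void fdgetprm_leaky(struct floppy_struct *user)
{
    memcpy(user, &kernel_geom, sizeof(*user));
}

/* After the fix: stage the data in a zeroed temporary, copying only the
 * bytes before 'name', so the pointer and any padding leave as zeroes. */
void fdgetprm_fixed(struct floppy_struct *user)
{
    struct floppy_struct tmp;
    memset(&tmp, 0, sizeof(tmp));
    memcpy(&tmp, &kernel_geom, offsetof(struct floppy_struct, name));
    memcpy(user, &tmp, sizeof(*user));  /* stands in for copy_to_user() */
}

/* Returns 1 if the leaky path hands the kernel pointer to userspace. */
int leaky_path_leaks(void)
{
    struct floppy_struct user;
    fdgetprm_leaky(&user);
    return user.name == kernel_name;
}

/* Returns 1 if the fixed path zeroes 'name' while keeping the geometry. */
int fixed_path_is_clean(void)
{
    struct floppy_struct user;
    fdgetprm_fixed(&user);
    return user.name == NULL && user.size == kernel_geom.size &&
           user.fmt_gap == kernel_geom.fmt_gap;
}
```

The same pre-zeroed staging pattern applies to any ioctl that returns a kernel structure wholesale; the audit question is always whether every byte of the copied region, padding included, was written from data the caller is allowed to see.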