floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (CVE-2018-7755)

2018-09-22 17:10:00 +02:00 · 2018-09-22 17:10:00 +02:00 · f46ed6ff17
parent bf27abcb1c
commit f46ed6ff17
3 changed files with 53 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -22,6 +22,10 @@ linux (4.18.8-2) UNRELEASED; urgency=medium
      ACPI_APEI_EINJ, WDAT_WDT as modules
  * [arm64] acpi: Add fixup for HPE m400 quirks

+  [ Salvatore Bonaccorso ]
+  * floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+    (CVE-2018-7755)
+
 -- Vagrant Cascadian <vagrant@debian.org>  Tue, 18 Sep 2018 10:13:18 -0700

 linux (4.18.8-1) unstable; urgency=medium
--- a/debian/patches/bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
+++ b/debian/patches/bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
@ -0,0 +1,48 @@
+From: Andy Whitcroft <apw@canonical.com>
+Date: Thu, 20 Sep 2018 09:09:48 -0600
+Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+Origin: https://git.kernel.org/linus/65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7755
+
+The final field of a floppy_struct is the field "name", which is a pointer
+to a string in kernel memory.  The kernel pointer should not be copied to
+user memory.  The FDGETPRM ioctl copies a floppy_struct to user memory,
+including this "name" field.  This pointer cannot be used by the user
+and it will leak a kernel address to user-space, which will reveal the
+location of kernel code and data and undermine KASLR protection.
+
+Model this code after the compat ioctl which copies the returned data
+to a previously cleared temporary structure on the stack (excluding the
+name pointer) and copy out to userspace from there.  As we already have
+an inparam union with an appropriate member and that memory is already
+cleared even for read only calls make use of that as a temporary store.
+
+Based on an initial patch by Brian Belleville.
+
+CVE-2018-7755
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+
+Broke up long line.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+ drivers/block/floppy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 48f622728ce6..f2b6f4da1034 100644
+--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
+@@ -3467,6 +3467,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
+ 					  (struct floppy_struct **)&outparam);
+ 		if (ret)
+ 			return ret;
+		memcpy(&inparam.g, outparam,
+				offsetof(struct floppy_struct, name));
+		outparam = &inparam.g;
+ 		break;
+ 	case FDMSGON:
+ 		UDP->flags |= FTD_MSG;
+-- 
+2.11.0
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -143,6 +143,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
+bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch

 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch