floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (CVE-2018-7755)
parent bf27abcb1c
commit f46ed6ff17
@ -22,6 +22,10 @@ linux (4.18.8-2) UNRELEASED; urgency=medium
ACPI_APEI_EINJ, WDAT_WDT as modules
* [arm64] acpi: Add fixup for HPE m400 quirks

[ Salvatore Bonaccorso ]
* floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
(CVE-2018-7755)

-- Vagrant Cascadian <vagrant@debian.org> Tue, 18 Sep 2018 10:13:18 -0700

linux (4.18.8-1) unstable; urgency=medium
debian/patches/bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch (new file, 48 lines)
@ -0,0 +1,48 @@
From: Andy Whitcroft <apw@canonical.com>
Date: Thu, 20 Sep 2018 09:09:48 -0600
Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
Origin: https://git.kernel.org/linus/65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7755

The final field of a floppy_struct is the field "name", which is a pointer
to a string in kernel memory. The kernel pointer should not be copied to
user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
including this "name" field. This pointer cannot be used by the user
and it will leak a kernel address to user-space, which will reveal the
location of kernel code and data and undermine KASLR protection.

Model this code after the compat ioctl which copies the returned data
to a previously cleared temporary structure on the stack (excluding the
name pointer) and copy out to userspace from there. As we already have
an inparam union with an appropriate member and that memory is already
cleared even for read only calls make use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755
Signed-off-by: Andy Whitcroft <apw@canonical.com>

Broke up long line.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
drivers/block/floppy.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 48f622728ce6..f2b6f4da1034 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3467,6 +3467,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
(struct floppy_struct **)&outparam);
if (ret)
return ret;
+ memcpy(&inparam.g, outparam,
+ offsetof(struct floppy_struct, name));
+ outparam = &inparam.g;
break;
case FDMSGON:
UDP->flags |= FTD_MSG;
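Review bot: the three added lines in the FDGETPRM arm copy only `offsetof(struct floppy_struct, name)` bytes into `inparam.g` and then point `outparam` at it, so the `name` field that later reaches user space is whatever `inparam.g.name` already held. The description states that the inparam union is cleared even for read-only ioctls, but nothing in this hunk performs that zeroing, so it is worth confirming that the clearing of `inparam` earlier in fd_locked_ioctl runs before this case is reached; otherwise the kernel-pointer leak would be replaced by copying out uninitialised stack bytes. A one-line comment above the memcpy stating that the partial copy is deliberate, to keep the kernel pointer out of the user copy, would also protect the fix from a future "cleanup" that turns it back into a full struct copy.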
--
2.11.0
@ -143,6 +143,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch

# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch