From: Andy Whitcroft <apw@canonical.com>
Date: Thu, 20 Sep 2018 09:09:48 -0600
Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
Origin: https://git.kernel.org/linus/65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7755

The final field of a floppy_struct is the field "name", which is a pointer
to a string in kernel memory. The kernel pointer should not be copied to
user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
including this "name" field. This pointer cannot be used by the user
and it will leak a kernel address to user-space, which will reveal the
location of kernel code and data and undermine KASLR protection.

Model this code after the compat ioctl which copies the returned data
to a previously cleared temporary structure on the stack (excluding the
name pointer) and copy out to userspace from there. As we already have
an inparam union with an appropriate member and that memory is already
cleared even for read-only calls, make use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755
Signed-off-by: Andy Whitcroft <apw@canonical.com>

Broke up long line.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
 drivers/block/floppy.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 48f622728ce6..f2b6f4da1034 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3467,6 +3467,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
(struct floppy_struct **)&outparam);
if (ret)
return ret;
+ memcpy(&inparam.g, outparam,
+ offsetof(struct floppy_struct, name));
+ outparam = &inparam.g;
break;
case FDMSGON:
UDP->flags |= FTD_MSG;
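Review bot: The fix is only as good as the invariant that inparam is zeroed before this point (the commit message says it is cleared even for read-only calls), yet nothing in the hunk records that dependency; the memcpy stops at `offsetof(struct floppy_struct, name)`, so the `name` pointer and any trailing bytes of inparam.g reach user space as whatever was already there. A one-line comment above the memcpy stating that the remainder of inparam.g must already be zero would keep a later change to the inparam clearing from silently reintroducing the address leak, and a short comment on `outparam = &inparam.g;` explaining that the subsequent copy to user space now reads from this scrubbed temporary rather than the driver's own floppy_struct would make the redirect obvious to the next reader.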
--
2.11.0