On Tue, 2018-05-29 at 14:27 +0100, Andy Whitcroft wrote:
[...]
> >From ddb8c77229a9507fa5575c910d2847e123a9c94c Mon Sep 17 00:00:00 2001
> From: Andy Whitcroft <a...@canonical.com>
> Date: Tue, 29 May 2018 13:04:15 +0100
> Subject: [PATCH 1/1] floppy: Do not copy a kernel pointer to user memory in
> FDGETPRM ioctl
>
> The final field of a floppy_struct is the field "name", which is a pointer
> to a string in kernel memory. The kernel pointer should not be copied to
> user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
> including this "name" field. This pointer cannot be used by the user
> and it will leak a kernel address to user-space, which will reveal the
> location of kernel code and data and undermine KASLR protection.
>
> Model this code after the compat ioctl which copies the returned data
> to a previously cleared temporary structure on the stack (excluding the
> name pointer) and copy out to userspace from there. As we already have
> an inparam union with an appropriate member and that memory is already
> cleared even for read only calls make use of that as a temporary store.
>
> Based on an initial patch by Brian Belleville.
>
> CVE-2018-7755
> Signed-off-by: Andy Whitcroft <a...@canonical.com>
Reviewed-and-tested-by: Ben Hutchings <b...@decadent.org.uk> Ben. > --- > drivers/block/floppy.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c > index 8ec7235fc93b..7512f6ff7c43 100644 > --- a/drivers/block/floppy.c > +++ b/drivers/block/floppy.c > @@ -3470,6 +3470,8 @@ static int fd_locked_ioctl(struct block_device *bdev, > fmode_t mode, unsigned int > (struct floppy_struct **)&outparam); > if (ret) > return ret; > + memcpy(&inparam.g, outparam, offsetof(struct floppy_struct, > name)); > + outparam = &inparam.g; > break; > case FDMSGON: > UDP->flags |= FTD_MSG; -- Ben Hutchings If you seem to know what you are doing, you'll be given more to do.
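Review bot: the two added lines in the fd_locked_ioctl hunk rest on invariants that the code itself does not state: that `name` is the final member of `struct floppy_struct` (so `offsetof(struct floppy_struct, name)` covers every value field), and that `inparam` has already been zeroed before this switch even for a read-only ioctl such as FDGETPRM (so the `name` slot later copied out from `&inparam.g` is NULL rather than stale data). Both are only recorded in the commit message. A one-line comment above `memcpy(&inparam.g, outparam, offsetof(struct floppy_struct, name));` naming both assumptions, or a BUILD_BUG_ON that checks `name` is the last member, would keep a future field appended after `name` from silently reintroducing the pointer leak.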
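The following is an added userspace model of the copy-out change described in the quoted commit message; it is not part of Ben's reply, Andy's patch or the kernel's floppy driver. It stands in a fake struct for `struct floppy_struct`, a plain `memcpy` for `copy_to_user`, and shows the original whole-struct copy beside the patched copy through a cleared temporary that stops at `offsetof(..., name)`. All names (`fake_floppy_struct`, `copy_out_full`, `copy_out_fixed`, `leaks_kernel_pointer`, `value_fields_match`, the `sample` values) are assumptions made for the example.

```c
/* Added example, not kernel code: model of the FDGETPRM copy-out fix.
 * A struct whose last member is a pointer into "kernel" memory is copied
 * to a "user" buffer two ways: the original full-struct copy, and the
 * patched copy staged through a zeroed temporary, bounded at the pointer. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for struct floppy_struct (assumed layout): value fields first,
 * then a pointer to kernel memory as the final member. */
struct fake_floppy_struct {
    unsigned int size, sect, head, track, stretch;
    unsigned char gap, rate, spec1, fmt_gap;
    const char *name;   /* kernel pointer: must never reach user memory */
};

/* A "kernel" string that name points at; its address models the leaked value. */
static const char kernel_name[] = "H1440";

/* Constructed sample entry, standing in for one row of the driver's table. */
static const struct fake_floppy_struct sample = {
    2880, 18, 2, 80, 0, 0x1B, 0x00, 0xCF, 0x6C, kernel_name
};

/* Original behaviour: copy the whole struct, pointer included. */
void copy_out_full(const struct fake_floppy_struct *src, void *user_buf)
{
    memcpy(user_buf, src, sizeof(*src));    /* copy_to_user stand-in */
}

/* Patched behaviour: stage through a cleared temporary (the patch reuses
 * the already-zeroed inparam union) and copy only the bytes before name. */
void copy_out_fixed(const struct fake_floppy_struct *src, void *user_buf)
{
    struct fake_floppy_struct tmp;
    memset(&tmp, 0, sizeof(tmp));           /* models the cleared inparam */
    memcpy(&tmp, src, offsetof(struct fake_floppy_struct, name));
    memcpy(user_buf, &tmp, sizeof(tmp));    /* copy_to_user stand-in */
}

/* Nonzero if the name slot of a user copy still carries a kernel address. */
int leaks_kernel_pointer(const void *user_buf)
{
    const struct fake_floppy_struct *u = user_buf;
    return u->name != NULL;
}

/* Nonzero if the user copy agrees with the source on every field before name. */
int value_fields_match(const struct fake_floppy_struct *src, const void *user_buf)
{
    return memcmp(src, user_buf, offsetof(struct fake_floppy_struct, name)) == 0;
}

/* Returns 1: the unpatched copy exposes the kernel pointer. */
int full_copy_leaks(void)
{
    struct fake_floppy_struct user_buf;
    copy_out_full(&sample, &user_buf);
    return leaks_kernel_pointer(&user_buf);
}

/* Returns 1: the patched copy has a NULL name slot and intact value fields. */
int fixed_copy_is_clean(void)
{
    struct fake_floppy_struct user_buf;
    copy_out_fixed(&sample, &user_buf);
    return !leaks_kernel_pointer(&user_buf) && value_fields_match(&sample, &user_buf);
}

int main(void)
{
    printf("full copy leaks pointer: %d\n", full_copy_leaks());
    printf("fixed copy is clean:     %d\n", fixed_copy_is_clean());
    return 0;
}
```

The bound `offsetof(struct fake_floppy_struct, name)` does the same job as the patch's `offsetof(struct floppy_struct, name)`: it is only a complete mask for the pointer because `name` is the last member, which is exactly the assumption the commit message relies on.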