** No longer affects: linux-armadaxp (Ubuntu Quantal)

** No longer affects: linux-ec2 (Ubuntu Quantal)

** No longer affects: linux-lts-saucy (Ubuntu Quantal)

** No longer affects: linux-lts-quantal (Ubuntu Quantal)

** No longer affects: linux-mvl-dove (Ubuntu Quantal)

** No longer affects: linux (Ubuntu Quantal)

** No longer affects: linux-fsl-imx51 (Ubuntu Quantal)

** No longer affects: linux-ti-omap4 (Ubuntu Quantal)

** No longer affects: linux-lts-raring (Ubuntu Quantal)

** Changed in: linux (Ubuntu Utopic)
       Status: New => Fix Committed

** Description changed:

- The first issue lies in the driver's processing of FDRAWCMD ioctls,
- specifically in its handling of copying floppy_raw_cmd ioctl argument
- structures from and to userspace. There are four relevant functions in
- drivers/block/floppy.c: raw_cmd_{ioctl,copyin,copyout,free}. First,
- raw_cmd_ioctl calls raw_cmd_copyin. This function kmallocs space for a
- floppy_raw_cmd structure and stores the resulting allocation in the
- "rcmd" pointer argument. It then attempts to copy_from_user the
- structure from userspace. If this fails, an early EFAULT return is
- taken. The problem is that even if the early return is taken, the
- pointer to the non-/partially-initialized floppy_raw_cmd structure has
- already been returned via the "rcmd" pointer. Back out in raw_cmd_ioctl,
- it attempts to raw_cmd_free this pointer. raw_cmd_free attempts to free
- any DMA pages allocated for the raw command, kfrees the raw command
- structure itself, and follows the linked list, if any, of further raw
- commands (a user can specify the FD_RAW_MORE flag to signal that there
- are more raw commands to follow in a single FDRAWCMD ioctl). So, a
- malicious user can send a FDRAWCMD ioctl with a raw command argument
- structure that has some bytes inaccessible (ie. off the end of an
- allocated page). The copy_from_user will fail but raw_cmd_free will
+ The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
+ kernel through 3.14.3 does not properly handle error conditions during
+ processing of an FDRAWCMD ioctl call, which allows local users to
+ trigger kfree operations and gain privileges by leveraging write access
+ to a /dev/fd device. First, raw_cmd_ioctl calls raw_cmd_copyin. This
+ function kmallocs space for a floppy_raw_cmd structure and stores the
+ resulting allocation in the "rcmd" pointer argument. It then attempts to
+ copy_from_user the structure from userspace. If this fails, an early
+ EFAULT return is taken. The problem is that even if the early return is
+ taken, the pointer to the non-/partially-initialized floppy_raw_cmd
+ structure has already been returned via the "rcmd" pointer. Back out in
+ raw_cmd_ioctl, it attempts to raw_cmd_free this pointer. raw_cmd_free
+ attempts to free any DMA pages allocated for the raw command, kfrees the
+ raw command structure itself, and follows the linked list, if any, of
+ further raw commands (a user can specify the FD_RAW_MORE flag to signal
+ that there are more raw commands to follow in a single FDRAWCMD ioctl).
+ So, a malicious user can send a FDRAWCMD ioctl with a raw command
+ argument structure that has some bytes inaccessible (ie. off the end of
+ an allocated page). The copy_from_user will fail but raw_cmd_free will
  attempt to process the floppy_raw_cmd as if it had been fully
  initialized by the rest of raw_cmd_copyin. The user can control the
  arguments passed to fd_dma_mem_free and kfree (by making use of the
  linked-list feature and specifying the target address as a next-in-list
  structure).
  
  Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
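The error path the description walks through, modelled in user-space C as an added example (this is not the kernel's code and not part of the bug report): names mirror the floppy.c functions, but `struct raw_cmd`, `fake_copy_from_user` and the bounce-buffer handling are simplified stand-ins, and the constructed user argument uses bogus pointer values that are never dereferenced. The `_vuln` variant keeps the shape the description criticises (the allocation is returned through `rcmd` before the copy is known to have succeeded, so a failed copy leaves user bytes in `next`, `kernel_data` and `buffer_length`); the `_fixed` variant clears those kernel-only members before any early return, which is the sanitization approach taken upstream for this bug as I understand the kernel history, not something this notification itself states.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for floppy_raw_cmd: every field arrives from user
 * space, but next, kernel_data and buffer_length are meant to be
 * kernel-owned and are trusted blindly by raw_cmd_free. */
struct raw_cmd {
    uint32_t flags;
    void *data;                 /* user buffer */
    char *kernel_data;          /* kernel-only: bounce buffer */
    struct raw_cmd *next;       /* kernel-only: next command (FD_RAW_MORE) */
    long length;
    long buffer_length;         /* kernel-only: size of kernel_data */
    uint8_t cmd[16];
};

/* Stand-in for copy_from_user: copies at most `accessible` bytes and
 * returns how many were left uncopied (non-zero means a fault). */
static size_t fake_copy_from_user(void *dst, const void *src, size_t n,
                                  size_t accessible)
{
    size_t ok = n < accessible ? n : accessible;
    memcpy(dst, src, ok);
    return n - ok;
}

/* Vulnerable shape: *rcmd already points at the allocation when the early
 * -EFAULT return is taken, with user bytes left in kernel-only fields. */
static int raw_cmd_copyin_vuln(const void *param, size_t accessible,
                               struct raw_cmd **rcmd)
{
    struct raw_cmd *ptr = calloc(1, sizeof(*ptr));
    if (!ptr)
        return -ENOMEM;
    *rcmd = ptr;
    if (fake_copy_from_user(ptr, param, sizeof(*ptr), accessible))
        return -EFAULT;
    return 0;
}

/* Hardened shape: kernel-only members are reset before any return, so a
 * later raw_cmd_free never sees user-supplied pointers or lengths. */
static int raw_cmd_copyin_fixed(const void *param, size_t accessible,
                                struct raw_cmd **rcmd)
{
    struct raw_cmd *ptr = calloc(1, sizeof(*ptr));
    if (!ptr)
        return -ENOMEM;
    *rcmd = ptr;
    size_t missing = fake_copy_from_user(ptr, param, sizeof(*ptr), accessible);
    ptr->next = NULL;
    ptr->buffer_length = 0;
    ptr->kernel_data = NULL;
    return missing ? -EFAULT : 0;
}

/* Model of raw_cmd_free: releases each bounce buffer, frees the command and
 * follows next. Returns how many commands it freed. */
static int raw_cmd_free(struct raw_cmd *ptr)
{
    int freed = 0;
    while (ptr) {
        struct raw_cmd *n = ptr->next;
        if (ptr->kernel_data && ptr->buffer_length)
            free(ptr->kernel_data);
        free(ptr);
        freed++;
        ptr = n;
    }
    return freed;
}

/* Runs a failing copy through the chosen copyin with a constructed user
 * argument whose kernel-only fields hold bogus non-NULL values. Returns 1
 * if those values survive into the kernel copy, 0 if they were sanitized. */
static int kernel_fields_tainted(int use_fixed)
{
    struct raw_cmd user_arg;
    memset(&user_arg, 0, sizeof(user_arg));
    user_arg.next = (struct raw_cmd *)0x1000;   /* constructed, never dereferenced */
    user_arg.kernel_data = (char *)0x2000;      /* constructed, never freed */
    user_arg.buffer_length = 64;

    /* Bytes up to cmd[] are "accessible": the copy faults only after the
     * kernel-only members have already been written. */
    size_t accessible = offsetof(struct raw_cmd, cmd);
    struct raw_cmd *rcmd = NULL;
    int ret = use_fixed ? raw_cmd_copyin_fixed(&user_arg, accessible, &rcmd)
                        : raw_cmd_copyin_vuln(&user_arg, accessible, &rcmd);
    if (ret != -EFAULT || !rcmd)
        return -1;

    int tainted = rcmd->next != NULL || rcmd->kernel_data != NULL ||
                  rcmd->buffer_length != 0;
    if (tainted)
        free(rcmd);          /* must not walk the chain: that is the bug */
    else
        raw_cmd_free(rcmd);  /* safe: only kernel-owned values remain */
    return tainted;
}

/* Legitimately owned chain of n commands with bounce buffers, showing the
 * FD_RAW_MORE walk on well-formed input. Returns raw_cmd_free's count. */
static int free_chain_of(int n)
{
    struct raw_cmd *head = NULL;
    for (int i = 0; i < n; i++) {
        struct raw_cmd *c = calloc(1, sizeof(*c));
        c->buffer_length = 32;
        c->kernel_data = malloc(c->buffer_length);
        c->next = head;
        head = c;
    }
    return raw_cmd_free(head);
}
```

The point the model makes explicit is that the danger is not the early return itself but the ownership handover: once `*rcmd` is set, the caller's cleanup will trust every kernel-only member, so either the allocation must not be published until the copy is known good, or those members must be forced to safe values on every path, which is what the hardened variant does.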

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1316729

Title:
  CVE-2014-1737

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1316729/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs