** No longer affects: linux-armadaxp (Ubuntu Quantal)
** No longer affects: linux-ec2 (Ubuntu Quantal)
** No longer affects: linux-lts-saucy (Ubuntu Quantal)
** No longer affects: linux-lts-quantal (Ubuntu Quantal)
** No longer affects: linux-mvl-dove (Ubuntu Quantal)
** No longer affects: linux (Ubuntu Quantal)
** No longer affects: linux-fsl-imx51 (Ubuntu Quantal)
** No longer affects: linux-ti-omap4 (Ubuntu Quantal)
** No longer affects: linux-lts-raring (Ubuntu Quantal)

** Changed in: linux (Ubuntu Utopic)
       Status: New => Fix Committed

** Description changed:

- The first issue lies in the driver's processing of FDRAWCMD ioctls,
- specifically in its handling of copying floppy_raw_cmd ioctl argument
- structures from and to userspace. There are four relevant functions in
- drivers/block/floppy.c: raw_cmd_{ioctl,copyin,copyout,free}. First,
- raw_cmd_ioctl calls raw_cmd_copyin. This function kmallocs space for a
- floppy_raw_cmd structure and stores the resulting allocation in the
- "rcmd" pointer argument. It then attempts to copy_from_user the
- structure from userspace. If this fails, an early EFAULT return is
- taken. The problem is that even if the early return is taken, the
- pointer to the non-/partially-initialized floppy_raw_cmd structure has
- already been returned via the "rcmd" pointer. Back out in raw_cmd_ioctl,
- it attempts to raw_cmd_free this pointer. raw_cmd_free attempts to free
- any DMA pages allocated for the raw command, kfrees the raw command
- structure itself, and follows the linked list, if any, of further raw
- commands (a user can specify the FD_RAW_MORE flag to signal that there
- are more raw commands to follow in a single FDRAWCMD ioctl). So, a
- malicious user can send a FDRAWCMD ioctl with a raw command argument
- structure that has some bytes inaccessible (ie. off the end of an
- allocated page). The copy_from_user will fail but raw_cmd_free will
+ The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
+ kernel through 3.14.3 does not properly handle error conditions during
+ processing of an FDRAWCMD ioctl call, which allows local users to
+ trigger kfree operations and gain privileges by leveraging write access
+ to a /dev/fd device. First, raw_cmd_ioctl calls raw_cmd_copyin. This
+ function kmallocs space for a floppy_raw_cmd structure and stores the
+ resulting allocation in the "rcmd" pointer argument. It then attempts to
+ copy_from_user the structure from userspace. If this fails, an early
+ EFAULT return is taken. The problem is that even if the early return is
+ taken, the pointer to the non-/partially-initialized floppy_raw_cmd
+ structure has already been returned via the "rcmd" pointer. Back out in
+ raw_cmd_ioctl, it attempts to raw_cmd_free this pointer. raw_cmd_free
+ attempts to free any DMA pages allocated for the raw command, kfrees the
+ raw command structure itself, and follows the linked list, if any, of
+ further raw commands (a user can specify the FD_RAW_MORE flag to signal
+ that there are more raw commands to follow in a single FDRAWCMD ioctl).
+ So, a malicious user can send a FDRAWCMD ioctl with a raw command
+ argument structure that has some bytes inaccessible (ie. off the end of
+ an allocated page). The copy_from_user will fail but raw_cmd_free will
  attempt to process the floppy_raw_cmd as if it had been fully
  initialized by the rest of raw_cmd_copyin. The user can control the
  arguments passed to fd_dma_mem_free and kfree (by making use of the
  linked-list feature and specifying the target address as a next-in-list
  structure).
  
  Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1316729

Title:
  CVE-2014-1737

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1316729/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
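The error path the description walks through, as an added user-space model (not the kernel's floppy.c code): a stand-in for raw_cmd_copyin that publishes the allocation through rcmd before the copy succeeds, beside a hardened ordering that clears the kernel-only members (next, kernel_data) before taking the EFAULT return, so the caller's cleanup walk sees a well-formed single node whatever userspace supplied. struct raw_cmd, sim_copy_from_user (which fails after a chosen number of bytes) and all function names are simplified assumptions for the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct floppy_raw_cmd (assumed layout, not the
 * kernel's): a user field followed by the kernel-only members that the
 * caller's cleanup (raw_cmd_free in the driver) frees and follows. */
struct raw_cmd {
    int flags;              /* user-supplied, e.g. FD_RAW_MORE */
    char *kernel_data;      /* kernel-only: DMA buffer handed to free */
    struct raw_cmd *next;   /* kernel-only: chain built for FD_RAW_MORE */
};

/* Simulated copy_from_user: copies at most fail_after bytes and returns the
 * count left uncopied (nonzero = fault), modelling a source buffer that
 * runs off the end of a mapped page. */
static size_t sim_copy_from_user(void *dst, const void *src, size_t n,
                                 size_t fail_after) {
    size_t ok = fail_after < n ? fail_after : n;
    memcpy(dst, src, ok);
    return n - ok;
}

/* Vulnerable ordering: *rcmd is published, the copy faults, and the
 * kernel-only members still hold user bytes (or stale heap bytes, since
 * kmalloc does not zero) when the caller runs cleanup on *rcmd. */
int copyin_vulnerable(const void *user, size_t fail_after, struct raw_cmd **rcmd) {
    struct raw_cmd *ptr = malloc(sizeof(*ptr));
    if (!ptr) return -ENOMEM;
    memset(ptr, 0xAA, sizeof(*ptr));   /* stand-in for uninitialised kmalloc memory */
    *rcmd = ptr;
    if (sim_copy_from_user(ptr, user, sizeof(*ptr), fail_after))
        return -EFAULT;                /* early return: members not yet reset */
    ptr->next = NULL;
    ptr->kernel_data = NULL;
    return 0;
}

/* Hardened ordering: reset the kernel-only members unconditionally before
 * deciding the return value, so the error path hands cleanup a safe node. */
int copyin_hardened(const void *user, size_t fail_after, struct raw_cmd **rcmd) {
    struct raw_cmd *ptr = malloc(sizeof(*ptr));
    if (!ptr) return -ENOMEM;
    memset(ptr, 0xAA, sizeof(*ptr));
    *rcmd = ptr;
    size_t left = sim_copy_from_user(ptr, user, sizeof(*ptr), fail_after);
    ptr->next = NULL;
    ptr->kernel_data = NULL;
    return left ? -EFAULT : 0;
}

/* 1 if a cleanup walk over this node would act on a non-kernel pointer. */
int cleanup_is_tainted(const struct raw_cmd *c) {
    return c->next != NULL || c->kernel_data != NULL;
}
```

The pointer values in the test are constructed sentinels and are never dereferenced; only whether they survive into the node handed to cleanup is checked.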