    floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl · 04bc4dd8
    Andy Whitcroft authored
    commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.
    
    The final field of a floppy_struct is the field "name", which is a pointer
    to a string in kernel memory.  The kernel pointer should not be copied to
    user memory.  The FDGETPRM ioctl copies a floppy_struct to user memory,
    including this "name" field.  This pointer cannot be used by the user
    and it will leak a kernel address to user-space, which will reveal the
    location of kernel code and data and undermine KASLR protection.
    
    Model this code after the compat ioctl which copies the returned data
    to a previously cleared temporary structure on the stack (excluding the
    name pointer) and copy out to userspace from there.  As we already have
    an inparam union with an appropriate member and that memory is already
    cleared even for read only calls make use of that as a temporary store.
    
    Based on an initial patch by Brian Belleville.
    
    CVE-2018-7755
    Signed-off-by: Andy Whitcroft <apw@canonical.com>
    Broke up long line.
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Name
aoe
drbd
mtip32xx
paride
rsxx
xen-blkback
zram
DAC960.c
DAC960.h
Kconfig
Makefile
amiflop.c
ataflop.c
brd.c
cryptoloop.c
floppy.c
loop.c
loop.h
nbd.c
null_blk.c
pktcdvd.c
ps3disk.c
ps3vram.c
rbd.c
rbd_types.h
skd_main.c
skd_s1120.h
smart1,2.h
sunvdc.c
swim.c
swim3.c
swim_asm.S
sx8.c
umem.c
umem.h
virtio_blk.c
xen-blkfront.c
xsysace.c
z2ram.c