author: Andy Whitcroft <apw@canonical.com>, 2018-09-20 18:09:48 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, 2018-10-04 03:01:49 +0300
commit: 3da4db1dfc217c6f330be87baf5759ef4a4b8d93 (patch)
tree: 802860c162f67e553fc080ffb9a2916bf30d9645 /drivers/block
parent: a5f1735d55e79f3a074da8223c059a1513092ef6 (diff)
floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.

The final field of a floppy_struct is the field "name", which is a pointer to a string in kernel memory. The kernel pointer should not be copied to user memory. The FDGETPRM ioctl copies a floppy_struct to user memory, including this "name" field. This pointer cannot be used by the user and it will leak a kernel address to user-space, which will reveal the location of kernel code and data and undermine KASLR protection.

Model this code after the compat ioctl which copies the returned data to a previously cleared temporary structure on the stack (excluding the name pointer) and copy out to userspace from there. As we already have an inparam union with an appropriate member and that memory is already cleared even for read only calls make use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755

Signed-off-by: Andy Whitcroft <apw@canonical.com>
Broke up long line.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
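The pattern the commit describes, copying a kernel structure to user space minus its trailing kernel pointer, reduced to a user-space demonstration. This is an added example, not code from the kernel or from this patch: `struct geom`, `kernel_table`, `copy_out_leaky` and `copy_out_safe` are constructed stand-ins for `struct floppy_struct`, the driver's geometry table and the before/after behaviour of the FDGETPRM path, and the zeroing `memset` plays the role the commit message assigns to the already-cleared `inparam` union.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct floppy_struct: geometry fields followed
 * by a pointer to a kernel-resident string. The field names only loosely
 * mirror the real layout; the point is the trailing pointer member. */
struct geom {
    unsigned int size;
    unsigned int sect;
    unsigned int head;
    unsigned int track;
    const char *name;   /* kernel pointer: must never reach user memory */
};

/* Constructed "kernel" table entry, returned by reference the way the
 * ioctl handler receives its result through outparam. */
static const struct geom kernel_table[] = { { 2880, 18, 2, 80, "H1440" } };

/* Pre-fix pattern: the whole object, pointer included, goes to user space.
 * The return value is what user space would observe. */
struct geom copy_out_leaky(const struct geom *kernel_obj)
{
    struct geom user_copy;
    memcpy(&user_copy, kernel_obj, sizeof(user_copy)); /* leaks kernel_obj->name */
    return user_copy;
}

/* Patched pattern: stage the result in a cleared temporary and copy only
 * the bytes that precede the name field, so the pointer slot is zero when
 * the temporary is copied out. In the kernel the temporary is inparam.g,
 * which the commit message says is already cleared; here we clear it
 * explicitly so the example does not depend on that. */
struct geom copy_out_safe(const struct geom *kernel_obj)
{
    struct geom tmp;
    memset(&tmp, 0, sizeof(tmp));
    memcpy(&tmp, kernel_obj, offsetof(struct geom, name));
    return tmp;
}

/* 1 when the user-visible copy carries a non-NULL kernel pointer. */
int leaks_kernel_pointer(const struct geom *user_view)
{
    return user_view->name != NULL;
}

/* Named checks over the constructed table, so results are returned
 * rather than only printed. */
int leaky_copy_exposes_pointer(void)
{
    struct geom g = copy_out_leaky(&kernel_table[0]);
    return leaks_kernel_pointer(&g);
}

int safe_copy_exposes_pointer(void)
{
    struct geom g = copy_out_safe(&kernel_table[0]);
    return leaks_kernel_pointer(&g);
}

unsigned int safe_copy_track(void)
{
    struct geom g = copy_out_safe(&kernel_table[0]);
    return g.track;   /* last field before name; confirms the prefix copied intact */
}

int main(void)
{
    printf("leaky copy exposes pointer: %d\n", leaky_copy_exposes_pointer());
    printf("safe copy exposes pointer:  %d (track=%u)\n",
           safe_copy_exposes_pointer(), safe_copy_track());
    return 0;
}
```

Two things to keep in mind when applying this pattern: the temporary must genuinely be zeroed before the partial copy (the patch relies on `inparam` being cleared earlier in the handler, which is why the commit message calls that out), and `offsetof(..., name)` still copies any padding bytes that sit before the pointer, so structures with such padding need the same scrutiny as the pointer itself.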
Diffstat (limited to 'drivers/block')
-rw-r--r-- drivers/block/floppy.c | 3 +++
1 file changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index e3d8e4ced4a2..a321d7d849c6 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3459,6 +3459,9 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
(struct floppy_struct **)&outparam);
if (ret)
return ret;
+ memcpy(&inparam.g, outparam,
+ offsetof(struct floppy_struct, name));
+ outparam = &inparam.g;
break;
case FDMSGON:
UDP->flags |= FTD_MSG;
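Review bot: the correctness of the added `memcpy(&inparam.g, outparam, offsetof(struct floppy_struct, name))` in this hunk depends on `inparam.g` having been cleared before the FDGETPRM case is reached, since the copy deliberately stops at the `name` pointer and the later copy-out still sends the full structure, pointer slot included; nothing in the hunk shows that clearing, so a one-line comment above the `memcpy` stating that `inparam` is pre-zeroed and that `name` is intentionally excluded to avoid leaking a kernel address would make the invariant visible to the next person editing this case. Reassigning `outparam = &inparam.g` is the right shape, as it keeps the existing copy-out path unchanged.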