www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Andy Whitcroft <apw@canonical.com>
	Thu, 20 Sep 2018 15:09:48 +0000 (09:09 -0600)
committer	Brian Maly <brian.maly@oracle.com>
	Tue, 4 Dec 2018 18:04:02 +0000 (13:04 -0500)
commit	ce0367e79e5194721adec476a16803b950a32afe
tree	029f0b5265d66a8f9a9e7f894a70f2eb94e4d1e9	tree
parent	2314b9a460e7c5941373fc2f6715863c187970c4	commit \| diff

floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

The final field of a floppy_struct is the field "name", which is a pointer
to a string in kernel memory.  The kernel pointer should not be copied to
user memory.  The FDGETPRM ioctl copies a floppy_struct to user memory,
including this "name" field.  This pointer cannot be used by the user
and it will leak a kernel address to user-space, which will reveal the
location of kernel code and data and undermine KASLR protection.

Model this code after the compat ioctl which copies the returned data
to a previously cleared temporary structure on the stack (excluding the
name pointer) and copy out to userspace from there.  As we already have
an inparam union with an appropriate member and that memory is already
cleared even for read only calls make use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Broke up long line.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e)

Orabug: 28956547
CVE: CVE-2018-7755

Signed-off-by: John Donnelly <john.p.donnelly@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>