From: Brian Belleville
To: Jiri Kosina, linux-kernel@vger.kernel.org
Cc: Brian Belleville
Subject: [PATCH] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
Date: Wed, 7 Mar 2018 16:02:45 -0800
Message-Id: <1520467365-7194-1-git-send-email-bbellevi@uci.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

The final field of a floppy_struct is the field "name", which is a pointer to a string in kernel memory. The kernel pointer should not be copied to user memory. The FDGETPRM ioctl copies a floppy_struct to user memory, including the "name" field. This pointer cannot be used by the user, and it will leak a kernel address to user-space, which will reveal the location of kernel code and data and undermine KASLR protection. Instead, copy the floppy_struct except for the "name" field.

Signed-off-by: Brian Belleville
---
 drivers/block/floppy.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index eae484a..4d4a422 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3470,6 +3470,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int (struct floppy_struct **)&outparam); if (ret) return ret; + size = offsetof(struct floppy_struct, name); break; case FDMSGON: UDP->flags |= FTD_MSG; -- 2.7.4
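Review bot: truncating `size` to `offsetof(struct floppy_struct, name)` stops the copy before the kernel pointer, but it also leaves the user-side `name` field unwritten rather than cleared, so a caller that passes an uninitialised `struct floppy_struct` to FDGETPRM now reads back whatever was already in its buffer for that field; either say so in the commit message or copy a local copy of the struct with `name` set to NULL so the whole structure the user receives is defined. The truncation is also only correct while `name` remains the final field, as the commit message states; a one-line comment above `size = offsetof(struct floppy_struct, name);` explaining that the copy deliberately stops short of the kernel pointer would keep a future reordering of the struct from silently reintroducing the leak.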