Subject: Re: [PATCH] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
To: Jiri Kosina, linux-kernel@vger.kernel.org
References: <1520467365-7194-1-git-send-email-bbellevi@uci.edu>
From: Brian Belleville
Date: Thu, 22 Mar 2018 12:59:51 -0700
In-Reply-To: <1520467365-7194-1-git-send-email-bbellevi@uci.edu>

Hi, are there any comments on this patch or the issue I described?

I have tested the FDGETPRM ioctl and confirmed that the struct it returns does contain a pointer to kernel data. I also have tested my patch, and with it applied the returned struct no longer contains a kernel pointer, but all other fields are still present.

Thank you,
Brian Belleville

On 03/07/2018 04:02 PM, Brian Belleville wrote:
> The final field of a floppy_struct is the field "name", which is a
> pointer to a string in kernel memory. The kernel pointer should not be
> copied to user memory. The FDGETPRM ioctl copies a floppy_struct to
> user memory, including the "name" field. This pointer cannot be used
> by the user, and it will leak a kernel address to user-space, which
> will reveal the location of kernel code and data and undermine KASLR
> protection. Instead, copy the floppy_struct except for the "name"
> field.
>
> Signed-off-by: Brian Belleville > --- > drivers/block/floppy.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c > index eae484a..4d4a422 100644 > --- a/drivers/block/floppy.c > +++ b/drivers/block/floppy.c > @@ -3470,6 +3470,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int > (struct floppy_struct **)&outparam); > if (ret) > return ret; > + size = offsetof(struct floppy_struct, name); > break; > case FDMSGON: > UDP->flags |= FTD_MSG; >
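Review bot: the added `size = offsetof(struct floppy_struct, name);` silently depends on `name` being the last member of floppy_struct, which the commit message asserts but nothing in the code enforces; a short comment at the assignment, or a BUILD_BUG_ON that offsetof(struct floppy_struct, name) plus the size of `name` equals sizeof(struct floppy_struct), would stop a field added after `name` from being silently dropped from the FDGETPRM copy-out. The hunk also does not show where `size` is consumed, so please confirm in the patch description that it is the length the later copy to user memory uses, and note that user-space callers now receive the struct with `name` unpopulated.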
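The leak and the offsetof() fix modelled in user space, as an added example that is not part of the patch or the kernel tree: `struct geom` is a constructed stand-in for floppy_struct, `copy_to_user_model` stands in for copy_to_user(), and the `_Static_assert` adds the check that `name` really is the final member, which the fix quietly relies on.

```c
/* Added example, not kernel code: models the FDGETPRM kernel-pointer leak
 * and the fix of bounding the copy at offsetof(..., name). */
#include <stddef.h>
#include <string.h>

struct geom {                 /* constructed stand-in for floppy_struct */
    unsigned int size;        /* geometry fields user-space may legitimately read */
    unsigned int sect;
    unsigned int head;
    unsigned int track;
    const char *name;         /* kernel pointer: must never reach user memory */
};

/* Stand-in for copy_to_user(): a bounded memcpy is enough for the model. */
static void copy_to_user_model(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
}

/* Before the patch: the whole struct, trailing pointer included, is copied. */
static void fdgetprm_before(void *ubuf, const struct geom *g)
{
    copy_to_user_model(ubuf, g, sizeof(*g));
}

/* The fix copies only up to "name", so it assumes "name" is the LAST member.
 * Pin that assumption so a field added after it cannot be dropped silently. */
_Static_assert(offsetof(struct geom, name) + sizeof(((struct geom *)0)->name)
               == sizeof(struct geom), "name must be the final member");

static void fdgetprm_after(void *ubuf, const struct geom *g)
{
    copy_to_user_model(ubuf, g, offsetof(struct geom, name));
}

/* Returns 1 if the kernel pointer's bytes landed in the user buffer (the leak),
 * 0 otherwise. The buffer is pre-filled with 0xAA so untouched bytes show. */
static int leaks_pointer(void (*fn)(void *, const struct geom *))
{
    static const char kname[] = "H1440";   /* constructed "kernel" string */
    struct geom g = { 1440, 18, 2, 80, kname };
    unsigned char ubuf[sizeof g];
    const char *p = kname;

    memset(ubuf, 0xAA, sizeof ubuf);
    fn(ubuf, &g);
    return memcmp(ubuf + offsetof(struct geom, name), &p, sizeof p) == 0;
}
```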