Date: Tue, 29 May 2018 14:27:22 +0100
From: Andy Whitcroft
To: Brian Belleville
Cc: Jiri Kosina, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
Message-ID: <20180529132722.GH7445@brain>
References: <1520467365-7194-1-git-send-email-bbellevi@uci.edu>
In-Reply-To: <1520467365-7194-1-git-send-email-bbellevi@uci.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 07, 2018 at 04:02:45PM -0800, Brian Belleville wrote:
> The final field of a floppy_struct is the field "name", which is a
> pointer to a string in kernel memory. The kernel pointer should not be
> copied to user memory. The FDGETPRM ioctl copies a floppy_struct to
> user memory, including the "name" field. This pointer cannot be used
> by the user, and it will leak a kernel address to user-space, which
> will reveal the location of kernel code and data and undermine KASLR
> protection. Instead, copy the floppy_struct except for the "name"
> field.
>
> Signed-off-by: Brian Belleville
> ---
>  drivers/block/floppy.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index eae484a..4d4a422 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3470,6 +3470,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
>  			    (struct floppy_struct **)&outparam);
>  		if (ret)
>  			return ret;
> +		size = offsetof(struct floppy_struct, name);
>  		break;
>  	case FDMSGON:
>  		UDP->flags |= FTD_MSG;

I am not sure it is reasonable to simply set size here to the length of
the valid data. Though in the real world everyone should be using the
defines and those should include the full length, the code itself does
not require this, it only prevents overly long reads. So I think it is
possible to do this read with a shorter userspace buffer; with this
change we would then write beyond the end of the buffer.

This also seems to introduce a slight behavioural difference between
the primary and compat calls. The compat call already elides the name
but it also is copying into a new structure for return and this is
pre-cleared, so the name will always be null for the compat case and
undefined for the primary ioctl.

Perhaps the below patch would be more appropriate.

-apw

From ddb8c77229a9507fa5575c910d2847e123a9c94c Mon Sep 17 00:00:00 2001
From: Andy Whitcroft
Date: Tue, 29 May 2018 13:04:15 +0100
Subject: [PATCH 1/1] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

The final field of a floppy_struct is the field "name", which is a
pointer to a string in kernel memory. The kernel pointer should not be
copied to user memory. The FDGETPRM ioctl copies a floppy_struct to
user memory, including this "name" field. This pointer cannot be used
by the user and it will leak a kernel address to user-space, which
will reveal the location of kernel code and data and undermine KASLR
protection.

Model this code after the compat ioctl which copies the returned data
to a previously cleared temporary structure on the stack (excluding the
name pointer) and copy out to userspace from there. As we already have
an inparam union with an appropriate member and that memory is already
cleared even for read only calls, make use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755
Signed-off-by: Andy Whitcroft
---
 drivers/block/floppy.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 8ec7235fc93b..7512f6ff7c43 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3470,6 +3470,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int
 			    (struct floppy_struct **)&outparam);
 		if (ret)
 			return ret;
+		memcpy(&inparam.g, outparam, offsetof(struct floppy_struct, name));
+		outparam = &inparam.g;
 		break;
 	case FDMSGON:
 		UDP->flags |= FTD_MSG;
-- 
2.17.0
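Review bot: the memcpy only makes the name field read back as NULL because inparam was zeroed earlier in fd_locked_ioctl, and that memset is outside this hunk's context, so a later reordering of the copyin path could silently reintroduce the pointer disclosure; a one-line comment above the memcpy such as `/* inparam is pre-cleared, so .name stays NULL */` would record that dependency. Leaving `size` untouched means the final copy-out still honours the caller's length, which addresses the short-buffer concern raised against the earlier one-line patch.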
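To make the pre-fix and patched copy-out behaviour concrete, here is an added user-space model that is not part of the thread or of drivers/block/floppy.c: `struct geom` is a constructed stand-in for floppy_struct, `memcpy` into a caller buffer stands in for fd_copyout(), and the zeroed local `tmp` plays the role the pre-cleared `inparam.g` plays in Andy's patch.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for struct floppy_struct: a few geometry fields
 * followed by the kernel pointer that must never reach userspace. */
struct geom {
	unsigned int size, sect, head, track;
	unsigned char rate, spec1;
	const char *name;   /* kernel pointer (would point into kernel rodata) */
};

/* Sample geometry, constructed for the demo (not the real H1440 entry). */
static const struct geom kernel_geom = { 2880, 18, 2, 80, 0, 0xdf, "H1440" };

/* Pre-fix behaviour: the whole struct, pointer included, is copied out. */
static size_t copyout_leaky(void *ubuf, size_t size)
{
	size_t n = size < sizeof(kernel_geom) ? size : sizeof(kernel_geom);
	memcpy(ubuf, &kernel_geom, n);   /* stands in for fd_copyout() */
	return n;
}

/* Patched behaviour: copy only up to offsetof(name) into a zeroed temporary
 * and copy out from there, so the pointer field reads back as NULL while
 * the caller-supplied size is still honoured (size is never overridden). */
static size_t copyout_fixed(void *ubuf, size_t size)
{
	struct geom tmp;
	size_t n = size < sizeof(tmp) ? size : sizeof(tmp);

	memset(&tmp, 0, sizeof(tmp));
	memcpy(&tmp, &kernel_geom, offsetof(struct geom, name));
	memcpy(ubuf, &tmp, n);
	return n;
}

/* Returns 1 if every byte of the name field in the copied-out buffer is
 * zero, i.e. no kernel address was disclosed; 0 if any pointer byte leaked. */
static int name_bytes_clean(int use_fixed, size_t size)
{
	unsigned char ubuf[sizeof(struct geom)];
	size_t off = offsetof(struct geom, name);
	size_t got = use_fixed ? copyout_fixed(ubuf, size) : copyout_leaky(ubuf, size);

	for (size_t i = off; i < got; i++)
		if (ubuf[i])
			return 0;
	return 1;
}
```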