From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andy Whitcroft, Jens Axboe
Subject: [PATCH 4.14 083/137] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
Date: Tue, 2 Oct 2018 06:24:44 -0700
Message-Id: <20181002132504.317375189@linuxfoundation.org>
In-Reply-To: <20181002132458.446916963@linuxfoundation.org>
References: <20181002132458.446916963@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Andy Whitcroft

commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.

The final field of a floppy_struct is the field "name", which is
a pointer to a string in kernel memory.  The kernel pointer should
not be copied to user memory.  The FDGETPRM ioctl copies a
floppy_struct to user memory, including this "name" field.  This
pointer cannot be used by the user and it will leak a kernel
address to user-space, which will reveal the location of kernel
code and data and undermine KASLR protection.

Model this code after the compat ioctl which copies the returned
data to a previously cleared temporary structure on the stack
(excluding the name pointer) and copy out to userspace from there.
As we already have an inparam union with an appropriate member
and that memory is already cleared even for read only calls make
use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755
Signed-off-by: Andy Whitcroft

Broke up long line.

Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman

---
 drivers/block/floppy.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3462,6 +3462,9 @@ static int fd_locked_ioctl(struct block_
 					(struct floppy_struct **)&outparam);
 		if (ret)
 			return ret;
+		memcpy(&inparam.g, outparam,
+		       offsetof(struct floppy_struct, name));
+		outparam = &inparam.g;
 		break;
 	case FDMSGON:
 		UDP->flags |= FTD_MSG;
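Review bot: the hunk's correctness rests on an invariant that is not visible at the copy site: the commit message states that inparam "is already cleared even for read only calls", and the new memcpy only covers the bytes before .name, so .name stays NULL only because of that earlier clearing. A one-line comment above the memcpy (e.g. "inparam was zeroed above, so .name is left NULL") would tie the two together; anyone later making the clearing conditional on _IOC_WRITE would otherwise silently reintroduce the leak with no hint here. Likewise the offsetof(struct floppy_struct, name) bound is only a complete copy because, as the message says, name is the final field; if a member is ever added after name it would be zeroed rather than copied out, so a comment (or BUILD_BUG_ON on the struct layout) stating that assumption would help future readers.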
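As an added illustration, not code from the patch or from the kernel itself, here is the pre-patch copy-out beside the patched one, modelled in user space with memcpy standing in for copy_to_user. The struct layout is the one from <linux/fd.h>; `kernel_entry`, `fdgetprm_leaky`, `fdgetprm_fixed` and the geometry values are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Layout of struct floppy_struct as in <linux/fd.h>: the geometry
 * fields first, and the kernel-pointer "name" as the final member. */
struct floppy_struct {
	unsigned int size, sect, head, track, stretch;
	unsigned char gap, rate, spec1, fmt_gap;
	const char *name;
};

/* Constructed stand-in for one entry of the driver's geometry table;
 * in the real driver .name points at a string in kernel memory. */
static const struct floppy_struct kernel_entry = {
	.size = 2880, .sect = 18, .head = 2, .track = 80, .stretch = 0,
	.gap = 0x1b, .rate = 0x00, .spec1 = 0xcf, .fmt_gap = 0x6c,
	.name = "H1440",
};

/* Pre-patch behaviour: the table entry is copied out whole, so the
 * pointer held in .name reaches user memory. */
void fdgetprm_leaky(struct floppy_struct *user_buf)
{
	memcpy(user_buf, &kernel_entry, sizeof(*user_buf));
}

/* Patched behaviour: stage through a zeroed temporary (the role the
 * pre-cleared inparam.g plays in the driver) and copy only the bytes
 * that precede .name, so the pointer field is zero on the way out. */
void fdgetprm_fixed(struct floppy_struct *user_buf)
{
	struct floppy_struct tmp;

	memset(&tmp, 0, sizeof(tmp));
	memcpy(&tmp, &kernel_entry, offsetof(struct floppy_struct, name));
	memcpy(user_buf, &tmp, sizeof(*user_buf));
}

/* Returns 1 if a copied-out struct still carries the kernel pointer. */
int leaks_kernel_pointer(const struct floppy_struct *user_buf)
{
	return user_buf->name != NULL;
}

/* Returns 1 if every geometry field before .name survived the copy. */
int geometry_matches(const struct floppy_struct *user_buf)
{
	return memcmp(user_buf, &kernel_entry,
		      offsetof(struct floppy_struct, name)) == 0;
}
```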