From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andy Whitcroft, Jens Axboe
Subject: [PATCH 4.4 043/113] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
Date: Mon, 8 Oct 2018 20:30:44 +0200
Message-Id: <20181008175532.968002656@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20181008175530.864641368@linuxfoundation.org>
References: <20181008175530.864641368@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andy Whitcroft

commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.

The final field of a floppy_struct is the field "name", which is a pointer to a string in kernel memory. The kernel pointer should not be copied to user memory. The FDGETPRM ioctl copies a floppy_struct to user memory, including this "name" field. This pointer cannot be used by the user and it will leak a kernel address to user-space, which will reveal the location of kernel code and data and undermine KASLR protection.

Model this code after the compat ioctl which copies the returned data to a previously cleared temporary structure on the stack (excluding the name pointer) and copy out to userspace from there.

As we already have an inparam union with an appropriate member and that memory is already cleared even for read only calls, make use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755
Signed-off-by: Andy Whitcroft

Broke up long line.

Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman
---
 drivers/block/floppy.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3459,6 +3459,9 @@ static int fd_locked_ioctl(struct block_ (struct floppy_struct **)&outparam); if (ret) return ret; + memcpy(&inparam.g, outparam, + offsetof(struct floppy_struct, name)); + outparam = &inparam.g; break; case FDMSGON: UDP->flags |= FTD_MSG;
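Review bot: the new memcpy stops at offsetof(struct floppy_struct, name), so it excludes the kernel pointer only as long as name remains the final member and inparam.g was cleared before this point; neither invariant is visible in the hunk, and a field added after name later would silently reintroduce the leak. Suggest a short comment above the memcpy stating both assumptions (e.g. `/* name must stay the last member; inparam was zeroed earlier */`), or a BUILD_BUG_ON checking that offsetof(struct floppy_struct, name) + sizeof(((struct floppy_struct *)0)->name) == sizeof(struct floppy_struct), so the layout dependency is enforced at build time rather than only described in the commit message.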
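The two copy-out patterns the commit message contrasts, as an added example that is not the kernel's code: a userspace C model in which a hypothetical `struct geometry` stands in for floppy_struct (field names follow the floppy geometry loosely, all values are constructed), `copy_to_user_sim` stands in for copy_to_user(), and `fdgetprm_leaky` versus `fdgetprm_fixed` show the whole-struct copy against the offsetof()-bounded copy into a zeroed temporary. `check_fix` reports whether the fixed path still exposes the pointer while preserving the payload fields.

```c
/* Added example, not drivers/block/floppy.c: a userspace model of the
 * FDGETPRM copy-out. A struct whose last member is a pointer into kernel
 * memory leaks that pointer when copied to user space whole; bounding the
 * copy with offsetof() into a zeroed temporary removes it. All names and
 * values here are hypothetical / constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for floppy_struct: geometry payload, then a pointer into
 * kernel memory as the final member. */
struct geometry {
    unsigned int size;
    unsigned int sect;
    unsigned int head;
    unsigned int track;
    unsigned int stretch;
    unsigned char gap;
    unsigned char rate;
    unsigned char spec1;
    unsigned char fmt_gap;
    const char *name;   /* kernel address: must never reach user space */
};

/* Simulated kernel-resident table entry; `name` points at "kernel" rodata.
 * In a real kernel this is the address KASLR is meant to hide. */
static const char kernel_rodata_name[] = "constructed-format-name";
static const struct geometry kernel_table_entry = {
    1440, 18, 2, 80, 0, 0x1B, 0x00, 0xCF, 0x6C, kernel_rodata_name
};

/* Stand-in for copy_to_user(): a plain memcpy into a caller-supplied buffer. */
static void copy_to_user_sim(void *user_dst, const void *src, size_t n)
{
    memcpy(user_dst, src, n);
}

/* Vulnerable pattern: the whole struct, pointer included, goes to user space. */
void fdgetprm_leaky(struct geometry *user_out)
{
    copy_to_user_sim(user_out, &kernel_table_entry, sizeof(*user_out));
}

/* Fixed pattern (same idea as the patch): clear a temporary, copy only the
 * bytes before `name`, and copy the temporary out. The kernel path relies on
 * inparam already being zeroed; here the memset makes that explicit. */
void fdgetprm_fixed(struct geometry *user_out)
{
    struct geometry tmp;
    memset(&tmp, 0, sizeof(tmp));
    memcpy(&tmp, &kernel_table_entry, offsetof(struct geometry, name));
    copy_to_user_sim(user_out, &tmp, sizeof(tmp));
}

/* 1 if the user-visible copy still carries a non-NULL kernel pointer. */
int leaks_kernel_pointer(const struct geometry *user_out)
{
    return user_out->name != NULL;
}

/* Returns 1 when the leaky path exposes the pointer, the fixed path does
 * not, and the fixed path still delivers the geometry fields intact. */
int check_fix(void)
{
    struct geometry leaky, fixed;
    fdgetprm_leaky(&leaky);
    fdgetprm_fixed(&fixed);
    return leaks_kernel_pointer(&leaky) == 1 &&
           leaks_kernel_pointer(&fixed) == 0 &&
           fixed.size == 1440 && fixed.sect == 18 && fixed.fmt_gap == 0x6C;
}

int main(void)
{
    struct geometry a, b;
    fdgetprm_leaky(&a);
    fdgetprm_fixed(&b);
    printf("leaky copy exposes kernel pointer: %d\n", leaks_kernel_pointer(&a));
    printf("fixed copy exposes kernel pointer: %d\n", leaks_kernel_pointer(&b));
    printf("fix verified: %d\n", check_fix());
    return 0;
}
```

The model also shows why the temporary must be cleared before the bounded memcpy: without the memset (or the kernel's pre-zeroed inparam), the bytes after `name`'s offset, including the pointer slot and any padding, would carry whatever the stack held, which is its own infoleak.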