oss-sec mailing list archives
Linux kernel floppy ioctl kernel code execution
From: Marcus Meissner <meissner () suse de>
Date: Fri, 9 May 2014 09:13:30 +0200
Hi, As this was posted to linux-distros, and was supposed to be made public earlier this week, but so far wasn't published on oss-sec ... Reported by Matthew Daley to security () kernel org. There apparently exists a proof of concept root exploit, that allows local users with access to a floppy device to execute code in the linux kernel. (I think this needs a floppy driver to actually allow access to a floppy device. My machine only says "floppy0: no floppy controllers found" today.) Linux Kernel Mainline commits: 2145e15e0557a01b9195d1c7199a1b92cb9be81f Author: Matthew Daley <mattd () bugfuzz com> Date: Mon Apr 28 19:05:21 2014 +1200 floppy: don't write kernel-only members to FDRAWCMD ioctl output Do not leak kernel-only floppy_raw_cmd structure members to userspace. This includes the linked-list pointer and the pointer to the allocated DMA space. Signed-off-by: Matthew Daley <mattd () bugfuzz com> References: CVE-2014-1738 Signed-off-by: Linus Torvalds <torvalds () linux-foundation org> commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Author: Matthew Daley <mattd () bugfuzz com> Date: Mon Apr 28 19:05:20 2014 +1200 floppy: ignore kernel-only members in FDRAWCMD ioctl input Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the in-kernel version is always valid and never left in an interdeterminate state. Signed-off-by: Matthew Daley <mattd () bugfuzz com> References: CVE-2014-1737 Signed-off-by: Linus Torvalds <torvalds () linux-foundation org> Ciao, Marcus
Current thread:
- Linux kernel floppy ioctl kernel code execution Marcus Meissner (May 09)