[thirdparty/kernel/stable-queue.git] / releases / 4.4.160 / floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch

From 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Mon Sep 17 00:00:00 2001
From: Andy Whitcroft <apw@canonical.com>
Date: Thu, 20 Sep 2018 09:09:48 -0600
Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

From: Andy Whitcroft <apw@canonical.com>

commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.

The final field of a floppy_struct is the field "name", which is a pointer
to a string in kernel memory.  The kernel pointer should not be copied to
user memory.  The FDGETPRM ioctl copies a floppy_struct to user memory,
including this "name" field.  This pointer cannot be used by the user
and it will leak a kernel address to user-space, which will reveal the
location of kernel code and data and undermine KASLR protection.

Model this code after the compat ioctl which copies the returned data
to a previously cleared temporary structure on the stack (excluding the
name pointer) and copy out to userspace from there.  As we already have
an inparam union with an appropriate member and that memory is already
cleared even for read only calls make use of that as a temporary store.

Based on an initial patch by Brian Belleville.

CVE-2018-7755
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Broke up long line.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/floppy.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3459,6 +3459,9 @@ static int fd_locked_ioctl(struct block_
 					  (struct floppy_struct **)&outparam);
 		if (ret)
 			return ret;
+		memcpy(&inparam.g, outparam,
+				offsetof(struct floppy_struct, name));
+		outparam = &inparam.g;
 		break;
 	case FDMSGON:
 		UDP->flags |= FTD_MSG;
Commit	Line	Data
a6e7b84f GKH	1	From 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Mon Sep 17 00:00:00 2001
	2	From: Andy Whitcroft <apw@canonical.com>
	3	Date: Thu, 20 Sep 2018 09:09:48 -0600
	4	Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
	5
	6	From: Andy Whitcroft <apw@canonical.com>
	7
	8	commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.
	9
	10	The final field of a floppy_struct is the field "name", which is a pointer
	11	to a string in kernel memory. The kernel pointer should not be copied to
	12	user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
	13	including this "name" field. This pointer cannot be used by the user
	14	and it will leak a kernel address to user-space, which will reveal the
	15	location of kernel code and data and undermine KASLR protection.
	16
	17	Model this code after the compat ioctl which copies the returned data
	18	to a previously cleared temporary structure on the stack (excluding the
	19	name pointer) and copy out to userspace from there. As we already have
	20	an inparam union with an appropriate member and that memory is already
	21	cleared even for read only calls make use of that as a temporary store.
	22
	23	Based on an initial patch by Brian Belleville.
	24
	25	CVE-2018-7755
	26	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	27	Broke up long line.
	28	Signed-off-by: Jens Axboe <axboe@kernel.dk>
	29	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	30
	31	---
	32	drivers/block/floppy.c \| 3 +++
	33	1 file changed, 3 insertions(+)
	34
	35	--- a/drivers/block/floppy.c
	36	+++ b/drivers/block/floppy.c
	37	@@ -3459,6 +3459,9 @@ static int fd_locked_ioctl(struct block_
	38	(struct floppy_struct **)&outparam);
	39	if (ret)
	40	return ret;
	41	+ memcpy(&inparam.g, outparam,
	42	+ offsetof(struct floppy_struct, name));
	43	+ outparam = &inparam.g;
	44	break;
	45	case FDMSGON:
	46	UDP->flags \|= FTD_MSG;