4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Aug 2018 05:51:19 +0000 (07:51 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Aug 2018 05:51:19 +0000 (07:51 +0200)
added patches:
isdn-disable-iiocdbgvar.patch

queue-4.4/isdn-disable-iiocdbgvar.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/isdn-disable-iiocdbgvar.patch b/queue-4.4/isdn-disable-iiocdbgvar.patch
new file mode 100644 (file)
index 0000000..b5d3fd3
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Tue Aug 21 07:37:56 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 15 Aug 2018 12:14:05 -0700
+Subject: isdn: Disable IIOCDBGVAR
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 5e22002aa8809e2efab2da95855f73f63e14a36c ]
+
+It was possible to directly leak the kernel address where the isdn_dev
+structure pointer was stored. This is a kernel ASLR bypass for anyone
+with access to the ioctl. The code had been present since the beginning
+of git history, though this shouldn't ever be needed for normal operation,
+therefore remove it.
+
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/i4l/isdn_common.c |    8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1655,13 +1655,7 @@ isdn_ioctl(struct file *file, uint cmd,
+                       } else
+                               return -EINVAL;
+               case IIOCDBGVAR:
+-                      if (arg) {
+-                              if (copy_to_user(argp, &dev, sizeof(ulong)))
+-                                      return -EFAULT;
+-                              return 0;
+-                      } else
+-                              return -EINVAL;
+-                      break;
++                      return -EINVAL;
+               default:
+                       if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
+                               cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
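Review bot: The new `return -EINVAL;` under `case IIOCDBGVAR:` in the embedded isdn_common.c hunk carries no comment, so nothing in the code records why the command number is still matched but always rejected. A one-line comment above it would keep a later cleanup from restoring the old handler or dropping the case label, for example `/* IIOCDBGVAR is disabled: it copied &dev to user space, exposing a kernel address */`. Whether the command would otherwise reach the driver-control path under `default:` cannot be seen here, because isdn_ioctl starts and ends outside the hunk.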
index 93074b5b3c552d5f4c83ed7866970fa1bfdb1b39..4044d93122f856d0e24b9ae2a4053ecfd46065c9 100644 (file)
@@ -19,3 +19,4 @@ acpi-pm-save-nvs-memory-for-asus-1025c-laptop.patch
 serial-8250_dw-always-set-baud-rate-in-dw8250_set_termios.patch
 x86-mm-simplify-pd_page-macros.patch
 bluetooth-avoid-killing-an-already-killed-socket.patch
+isdn-disable-iiocdbgvar.patch