From patchwork Tue May 6 19:10:35 2014
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 346301
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Subject: [precise, quantal, precise/lts-backport-raring, saucy, trusty 1/2] floppy: ignore kernel-only members in FDRAWCMD ioctl input
Date: Tue, 6 May 2014 20:10:35 +0100
Message-Id: <1399403436-21214-5-git-send-email-apw@canonical.com>
In-Reply-To: <1399403436-21214-1-git-send-email-apw@canonical.com>
References: <1399403436-21214-1-git-send-email-apw@canonical.com>
Cc: Andy Whitcroft
List-Id: Kernel team discussions

From: Matthew Daley

Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the in-kernel version is always valid and never left in an indeterminate state.

Signed-off-by: Matthew Daley
Signed-off-by: Linus Torvalds
(cherry picked from commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c)
CVE-2014-1737
BugLink: http://bugs.launchpad.net/bugs/1316729
Signed-off-by: Andy Whitcroft
---
 drivers/block/floppy.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 000abe2..10fbd3f 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -3107,10 +3107,11 @@ loop: return -ENOMEM; *rcmd = ptr; ret = copy_from_user(ptr, param, sizeof(*ptr)); - if (ret) - return -EFAULT; ptr->next = NULL; ptr->buffer_length = 0; + ptr->kernel_data = NULL; + if (ret) + return -EFAULT; param += sizeof(struct floppy_raw_cmd); if (ptr->cmd_count > 33) /* the command may now also take up the space @@ -3126,7 +3127,6 @@ loop: for (i = 0; i < 16; i++) ptr->reply[i] = 0; ptr->resultcode = 0; - ptr->kernel_data = NULL; if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { if (ptr->length <= 0)
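Review bot: The ordering introduced in the first hunk is the whole fix and should carry a comment so it is not quietly reverted later: `*rcmd = ptr;` publishes the struct before `copy_from_user()` runs, so the old `if (ret) return -EFAULT;` sitting ahead of the `ptr->next = NULL;` and `ptr->buffer_length = 0;` clears (and ahead of the `ptr->kernel_data = NULL;` that the second hunk removes from further down, past the `cmd_count > 33` early exit) returned with those kernel-only members still holding whatever the copy left in them from userspace, for whoever handles the already-published `*rcmd` to act on. Clearing all three directly after the copy and only then testing `ret` covers both early returns; suggest a one-line comment above `ptr->next = NULL;` saying these members are kernel-owned and must be reset before any return, since nothing in the hunk itself makes that constraint visible to the next person touching this block.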