| Message ID | 1399403436-21214-5-git-send-email-apw@canonical.com |
|---|---|
| State | New |
On 05/06/2014 12:10 PM, Andy Whitcroft wrote: > From: Matthew Daley <mattd@bugfuzz.com> > > Always clear out these floppy_raw_cmd struct members after copying the > entire structure from userspace so that the in-kernel version is always > valid and never left in an indeterminate state. > > Signed-off-by: Matthew Daley <mattd@bugfuzz.com> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (cherry picked from commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c) > CVE-2014-1737 > BugLink: http://bugs.launchpad.net/bugs/1316729 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > drivers/block/floppy.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c > index 000abe2..10fbd3f 100644 > --- a/drivers/block/floppy.c > +++ b/drivers/block/floppy.c > @@ -3107,10 +3107,11 @@ loop: > return -ENOMEM; > *rcmd = ptr; > ret = copy_from_user(ptr, param, sizeof(*ptr)); > - if (ret) > - return -EFAULT; > ptr->next = NULL; > ptr->buffer_length = 0; > + ptr->kernel_data = NULL; > + if (ret) > + return -EFAULT; > param += sizeof(struct floppy_raw_cmd); > if (ptr->cmd_count > 33) > /* the command may now also take up the space > @@ -3126,7 +3127,6 @@ loop: > for (i = 0; i < 16; i++) > ptr->reply[i] = 0; > ptr->resultcode = 0; > - ptr->kernel_data = NULL; > > if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { > if (ptr->length <= 0) >
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 000abe2..10fbd3f 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -3107,10 +3107,11 @@ loop: return -ENOMEM; *rcmd = ptr; ret = copy_from_user(ptr, param, sizeof(*ptr)); - if (ret) - return -EFAULT; ptr->next = NULL; ptr->buffer_length = 0; + ptr->kernel_data = NULL; + if (ret) + return -EFAULT; param += sizeof(struct floppy_raw_cmd); if (ptr->cmd_count > 33) /* the command may now also take up the space @@ -3126,7 +3127,6 @@ loop: for (i = 0; i < 16; i++) ptr->reply[i] = 0; ptr->resultcode = 0; - ptr->kernel_data = NULL; if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { if (ptr->length <= 0)
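Review bot: the reorder in the first hunk (@@ -3107) is the substantive fix and it hinges on `*rcmd = ptr;` running before `copy_from_user()`: with the old order a failed copy returned `-EFAULT` while the caller already held `ptr` through `*rcmd`, with `next`, `buffer_length` and `kernel_data` still holding whatever the (possibly partial) copy left there. Because `copy_from_user()` returns the number of bytes it could not copy, a non-zero `ret` does not mean the struct is untouched, so clearing the three fields unconditionally ahead of `if (ret) return -EFAULT;` is the right shape. Suggest a one-line comment above `ptr->next = NULL;` noting that these assignments must stay ahead of any error return because `*rcmd` already points at the buffer, so a later tidy-up does not hoist the check back up.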
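Review bot: the second hunk (@@ -3126) drops the later `ptr->kernel_data = NULL;` as redundant, which only holds if nothing in the lines between the two hunks assigns `kernel_data`; the context cuts off inside the `cmd_count > 33` branch, so confirm that path in the tree this is being cherry-picked into before applying. Keeping the `reply[]` loop and `resultcode = 0;` at this later point while moving only the pointer field is a sensible split, since those are plain data fields rather than a pointer the commit message singles out as needing to be valid at all times.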