From patchwork Tue May 6 19:10:36 2014
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 346300
From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [precise, quantal, precise+lts-backports-raring, saucy, trusty 2/2] floppy: don't write kernel-only members to FDRAWCMD ioctl output Date: Tue, 6 May 2014 20:10:36 +0100 Message-Id: <1399403436-21214-6-git-send-email-apw@canonical.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1399403436-21214-1-git-send-email-apw@canonical.com> References: <1399403436-21214-1-git-send-email-apw@canonical.com> Cc: Andy Whitcroft X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com From: Matthew Daley Do not leak kernel-only floppy_raw_cmd structure members to userspace. This includes the linked-list pointer and the pointer to the allocated DMA space. Signed-off-by: Matthew Daley Signed-off-by: Linus Torvalds (cherry picked from commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f) CVE-2014-1738 BugLink: http://bugs.launchpad.net/bugs/1316735 Signed-off-by: Andy Whitcroft --- drivers/block/floppy.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 10fbd3f..738af94 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void __user *param, int ret; while (ptr) { - ret = copy_to_user(param, ptr, sizeof(*ptr)); + struct floppy_raw_cmd cmd = *ptr; + cmd.next = NULL; + cmd.kernel_data = NULL; + ret = copy_to_user(param, &cmd, sizeof(cmd)); if (ret) return -EFAULT; param += sizeof(struct floppy_raw_cmd);
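Review bot: the new local `struct floppy_raw_cmd cmd` declared at the top of the `while (ptr)` body shadows the function's own `int cmd` parameter, visible in the hunk header as `raw_cmd_copyout(int cmd, void __user *param,`. This is legal C, but it trips -Wshadow, and any use of `cmd` further down the loop (not shown in this hunk) would silently resolve to the struct copy rather than the ioctl command number. Renaming the local, for example to `out`, avoids that. Kernel style also wants a blank line between the declaration and `cmd.next = NULL;`. A one-line comment saying that `next` and `kernel_data` are kernel-only pointers and must not reach userspace would help keep anyone from later simplifying this back to `copy_to_user(param, ptr, sizeof(*ptr))`.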