From patchwork Tue May 6 21:09:57 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kamal Mostafa X-Patchwork-Id: 346330 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id D5E6F1400E2; Wed, 7 May 2014 07:10:15 +1000 (EST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1Whmcv-0002MS-0o; Tue, 06 May 2014 21:10:13 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1Whmch-0002JC-RM for kernel-team@lists.ubuntu.com; Tue, 06 May 2014 21:09:59 +0000 Received: from c-67-160-228-185.hsd1.ca.comcast.net ([67.160.228.185] helo=fourier) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1Whmch-0001rR-76; Tue, 06 May 2014 21:09:59 +0000 Received: from kamal by fourier with local (Exim 4.82) (envelope-from ) id 1Whmcf-0006DT-Cl; Tue, 06 May 2014 14:09:57 -0700 From: Kamal Mostafa To: Matthew Daley Subject: [3.8.y.z extended stable] Patch "floppy: ignore kernel-only members in FDRAWCMD ioctl input" has been added to staging queue Date: Tue, 6 May 2014 14:09:57 -0700 Message-Id: <1399410597-23864-1-git-send-email-kamal@canonical.com> X-Mailer: git-send-email 1.9.1 X-Extended-Stable: 3.8 Cc: Kamal Mostafa , Linus Torvalds , kernel-team@lists.ubuntu.com X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled floppy: ignore kernel-only members in FDRAWCMD ioctl input to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue This patch is scheduled to be released in version 3.8.13.23. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.8.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ------ From f464c29056aa423429d1e9b6bc00e3867245a9f8 Mon Sep 17 00:00:00 2001 From: Matthew Daley Date: Mon, 28 Apr 2014 19:05:20 +1200 Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream. Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the in-kernel version is always valid and never left in an interdeterminate state. Signed-off-by: Matthew Daley Signed-off-by: Linus Torvalds References: CVE-2014-1737 Signed-off-by: Kamal Mostafa --- drivers/block/floppy.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -- 1.9.1 diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 2ddd64a..7ca5d3d 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -3107,10 +3107,11 @@ loop: return -ENOMEM; *rcmd = ptr; ret = copy_from_user(ptr, param, sizeof(*ptr)); - if (ret) - return -EFAULT; ptr->next = NULL; ptr->buffer_length = 0; + ptr->kernel_data = NULL; + if (ret) + return -EFAULT; param += sizeof(struct floppy_raw_cmd); if (ptr->cmd_count > 33) /* the command may now also take up the space @@ -3126,7 +3127,6 @@ loop: for (i = 0; i < 16; i++) ptr->reply[i] = 0; ptr->resultcode = 0; - ptr->kernel_data = NULL; if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { if (ptr->length <= 0)