From patchwork Wed Aug 15 19:14:05 2018
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 958002
X-Patchwork-Delegate: davem@davemloft.net
Date: Wed, 15 Aug 2018 12:14:05 -0700
From: Kees Cook
To: "David S. Miller"
Cc: Al Viro, Karsten Keil, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH] isdn: Disable IIOCDBGVAR
Message-ID: <20180815191405.GA29528@beast>
X-Mailing-List: netdev@vger.kernel.org

It was possible to directly leak the kernel address where the isdn_dev
structure pointer was stored. This is a kernel ASLR bypass for anyone with
access to the ioctl. The code had been present since the beginning of git
history, though this shouldn't ever be needed for normal operation,
therefore remove it.

Reported-by: Al Viro
Cc: Karsten Keil
Signed-off-by: Kees Cook
---
netdev doesn't like explicit stable markings, so I'll just ask here that it
get included in -stable please. :)
---
 drivers/isdn/i4l/isdn_common.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c index 7a501dbe7123..6a5b3f00f9ad 100644 --- a/drivers/isdn/i4l/isdn_common.c +++ b/drivers/isdn/i4l/isdn_common.c @@ -1640,13 +1640,7 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg) } else return -EINVAL; case IIOCDBGVAR: - if (arg) { - if (copy_to_user(argp, &dev, sizeof(ulong))) - return -EFAULT; - return 0; - } else - return -EINVAL; - break; + return -EINVAL; default: if ((cmd & IIOCDRVCTL) == IIOCDRVCTL) cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
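Review bot: A comment is missing above the new `return -EINVAL;` in the IIOCDBGVAR case explaining why the ioctl is now rejected: the case label stays in place, so a reader who sees a bare -EINVAL cannot tell it was deliberately disabled because the removed `copy_to_user(argp, &dev, sizeof(ulong))` handed userspace the kernel address of the `dev` pointer (the ASLR bypass the commit message describes), and a later cleanup could reinstate it. Suggest something like `/* IIOCDBGVAR disabled: leaked the kernel address of dev */` directly above the return. Returning -EINVAL rather than -ENOTTY is consistent with the `else return -EINVAL;` the hunk context shows for the preceding case, and the dropped `break;` was unreachable after the old `if (arg)` since both arms returned, so those parts of the change are fine.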