[CVE-2014-1737/CVE-2014-1738] floppy ioctl kernel memory content leak
Andy Whitcroft
apw at canonical.com
Tue May 6 19:10:31 UTC 2014
CVE-2014-1737
The first issue lies in the driver's processing of FDRAWCMD
ioctls, specifically in its handling of copying floppy_raw_cmd
ioctl argument structures from and to userspace. There
are four relevant functions in drivers/block/floppy.c:
raw_cmd_{ioctl,copyin,copyout,free}. First, raw_cmd_ioctl calls
raw_cmd_copyin. This function kmallocs space for a floppy_raw_cmd
structure and stores the resulting allocation in the "rcmd"
pointer argument. It then attempts to copy_from_user the
structure from userspace. If this fails, an early EFAULT return
is taken. The problem is that even if the early return is taken,
the pointer to the non-/partially-initialized floppy_raw_cmd
structure has already been returned via the "rcmd" pointer. Back
out in raw_cmd_ioctl, it attempts to raw_cmd_free this pointer.
raw_cmd_free attempts to free any DMA pages allocated for the raw
command, kfrees the raw command structure itself, and follows the
linked list, if any, of further raw commands (a user can specify
the FD_RAW_MORE flag to signal that there are more raw commands to
follow in a single FDRAWCMD ioctl). So, a malicious user can send
a FDRAWCMD ioctl with a raw command argument structure that has
some bytes inaccessible (i.e. off the end of an allocated page). The
copy_from_user will fail but raw_cmd_free will attempt to process
the floppy_raw_cmd as if it had been fully initialized by the rest
of raw_cmd_copyin. The user can control the arguments passed to
fd_dma_mem_free and kfree (by making use of the linked-list feature
and specifying the target address as a next-in-list structure).
CVE-2014-1738
There is also a second issue which greatly helps in the exploitation
of the first. In raw_cmd_copyout, the entire floppy_raw_cmd
structure is copy_to_user'd back to userspace after raw command
processing. The issue is that the entire structure is copied back,
which leaks to userspace the address of the allocated DMA pages,
if any, and the address of the next-in-list command structure,
if any. A malicious user can send a FDRAWCMD ioctl with the
FD_RAW_MORE flag set and, upon inspecting the result in the command
argument, find the address of the last floppy_raw_cmd allocation
on the kmalloc-nnn slab.
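The following is an added user-space model of the two code shapes described above for CVE-2014-1737 and CVE-2014-1738; it is not the floppy driver's code and not part of this email. The struct field names (kernel_data, next, buffer_length), the FD_RAW_MORE value and the "fault after N bytes" layout are assumptions made for the model. copy_from_user is modelled with Linux semantics: on a fault it copies the accessible prefix, zero-fills the rest and returns the number of bytes it could not copy. Each shape is shown vulnerable beside hardened, so the effect of resetting the kernel-only members before the early return (copyin) and scrubbing them before the copy back (copyout) can be checked directly.

```c
/* Added example: user-space model of raw_cmd_copyin / raw_cmd_free /
 * raw_cmd_copyout. Not the floppy driver's code; field names, the
 * FD_RAW_MORE value and EFAULT handling are assumptions of this model. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FD_RAW_MORE 0x08   /* assumed value; the page only names the flag */
#define EFAULT 14

struct raw_cmd {
    unsigned int flags;          /* user-settable */
    void *data;                  /* user-settable: user-space buffer */
    char *kernel_data;           /* kernel-only: DMA pages for this command */
    struct raw_cmd *next;        /* kernel-only: next-in-list command */
    long length;
    long buffer_length;          /* kernel-only */
    unsigned char cmd_count;
};

/* A user page in the model: the struct plus how many leading bytes are mapped. */
struct user_buf {
    struct raw_cmd u;
    size_t accessible;
};

static size_t model_copy_from_user(void *dst, const struct user_buf *src, size_t n)
{
    size_t ok = src->accessible < n ? src->accessible : n;
    memcpy(dst, &src->u, ok);
    memset((char *)dst + ok, 0, n - ok);   /* Linux zero-pads on a fault */
    return n - ok;                         /* bytes NOT copied, 0 on success */
}

/* Vulnerable shape: *rcmd is handed back before the copy, and the early
 * -EFAULT return skips the lines that reset the kernel-only members. */
static int copyin_vulnerable(struct raw_cmd *ptr, struct raw_cmd **rcmd,
                             const struct user_buf *param)
{
    *rcmd = ptr;
    if (model_copy_from_user(ptr, param, sizeof(*ptr)))
        return -EFAULT;
    ptr->next = NULL;
    ptr->buffer_length = 0;
    return 0;
}

/* Hardened shape: kernel-only members are reset on every path, so the
 * struct that raw_cmd_free later walks is always internally consistent. */
static int copyin_hardened(struct raw_cmd *ptr, struct raw_cmd **rcmd,
                           const struct user_buf *param)
{
    size_t bad;
    *rcmd = ptr;
    bad = model_copy_from_user(ptr, param, sizeof(*ptr));
    ptr->next = NULL;
    ptr->buffer_length = 0;
    ptr->kernel_data = NULL;
    return bad ? -EFAULT : 0;
}

/* Model of the inputs raw_cmd_free consumes: counts kernel-only pointers
 * that would be passed to fd_dma_mem_free/kfree without the driver having
 * allocated them. A correct copyin error path must yield 0. */
static int free_inputs_not_owned(const struct raw_cmd *ptr)
{
    return (ptr->kernel_data != NULL) + (ptr->next != NULL);
}

/* CVE-2014-1738 shape: copying the whole struct back discloses kernel pointers. */
static void copyout_vulnerable(struct raw_cmd *user_out, const struct raw_cmd *ptr)
{
    memcpy(user_out, ptr, sizeof(*ptr));   /* models copy_to_user */
}

static void copyout_hardened(struct raw_cmd *user_out, const struct raw_cmd *ptr)
{
    struct raw_cmd cmd = *ptr;             /* scrub kernel-only members first */
    cmd.next = NULL;
    cmd.kernel_data = NULL;
    cmd.buffer_length = 0;
    memcpy(user_out, &cmd, sizeof(cmd));
}

/* Constructed request that faults just after the kernel-only members.
 * Returns how many unowned pointers the free path would see. */
static int demo_copyin(int hardened)
{
    struct user_buf req;
    struct raw_cmd k, *rcmd = NULL;
    memset(&req, 0, sizeof(req));
    req.u.flags = FD_RAW_MORE;
    req.u.kernel_data = (char *)0x1234;            /* constructed value */
    req.u.next = (struct raw_cmd *)0x5678;         /* constructed value */
    req.accessible = offsetof(struct raw_cmd, length);
    memset(&k, 0xAA, sizeof(k));                   /* kmalloc: uninitialised */
    if ((hardened ? copyin_hardened(&k, &rcmd, &req)
                  : copyin_vulnerable(&k, &rcmd, &req)) != -EFAULT || rcmd != &k)
        return -1;
    return free_inputs_not_owned(rcmd);
}

/* Returns how many kernel-only pointers reach the user-visible copy. */
static int demo_copyout(int hardened)
{
    static char dma[64];
    struct raw_cmd k, out, nxt;
    memset(&k, 0, sizeof(k));
    k.kernel_data = dma;
    k.next = &nxt;
    if (hardened) copyout_hardened(&out, &k); else copyout_vulnerable(&out, &k);
    return (out.kernel_data != NULL) + (out.next != NULL);
}

int main(void)
{
    printf("copyin  unowned ptrs: vulnerable=%d hardened=%d\n", demo_copyin(0), demo_copyin(1));
    printf("copyout leaked ptrs:  vulnerable=%d hardened=%d\n", demo_copyout(0), demo_copyout(1));
    return 0;
}
```

In the model the vulnerable copyin leaves two user-chosen pointers where the free path reads them, and the vulnerable copyout writes two kernel pointers back to the caller; both hardened forms yield zero. The ordering matters: the reset of kernel-only members has to happen before any return, not after a successful copy only.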
Following this email are two sets of patches, one pair for lucid, and
the other for precise, quantal, precise/lts-backport-raring, saucy,
and trusty.
Proposing for SRU as above.
-apw