[CVE-2014-1737/CVE-2014-1738] floppy ioctl kernel memory content leak

Andy Whitcroft apw at canonical.com
Tue May 6 19:10:31 UTC 2014

	The first issue lies in the driver's processing of FDRAWCMD
	ioctls, specifically in its handling of copying floppy_raw_cmd
	ioctl argument structures from and to userspace. There
	are four relevant functions in drivers/block/floppy.c:
	raw_cmd_{ioctl,copyin,copyout,free}.  First, raw_cmd_ioctl calls
	raw_cmd_copyin. This function kmallocs space for a floppy_raw_cmd
	structure and stores the resulting allocation in the "rcmd"
	pointer argument. It then attempts to copy_from_user the
	structure from userspace. If this fails, an early EFAULT return
	is taken.  The problem is that even if the early return is taken,
	the pointer to the non-/partially-initialized floppy_raw_cmd
	structure has already been returned via the "rcmd" pointer. Back
	out in raw_cmd_ioctl, it attempts to raw_cmd_free this pointer.
	raw_cmd_free attempts to free any DMA pages allocated for the raw
	command, kfrees the raw command structure itself, and follows the
	linked list, if any, of further raw commands (a user can specify
	the FD_RAW_MORE flag to signal that there are more raw commands to
	follow in a single FDRAWCMD ioctl).  So, a malicious user can send
	a FDRAWCMD ioctl with a raw command argument structure that has
	some bytes inaccessible (ie. off the end of an allocated page). The
	copy_from_user will fail but raw_cmd_free will attempt to process
	the floppy_raw_cmd as if it had been fully initialized by the rest
	of raw_cmd_copyin. The user can control the arguments passed to
	fd_dma_mem_free and kfree (by making use of the linked-list feature
	and specifying the target address as a next-in-list structure).

	There is also another issue which greatly helps in the exploitation
	of this other issue. In raw_cmd_copyout, the entire floppy_raw_cmd
	structure is copy_to_user'd back to userspace after raw command
	processing. The issue is that the entire structure is copied back,
	which leaks to userspace the address of the allocated DMA pages,
	if any, and the address of the next-in-list command structure,
	if any. A malicious user can send a FDRAWCMD ioctl with the
	FD_RAW_MORE flag set and, upon inspecting the result in the command
	argument, find the address of the last floppy_raw_cmd allocation
	on the kmalloc-nnn slab.

Following this email are two sets of patches, one pair for lucid, and
the other for precise, quantal, precise/lts-backport-raring, saucy,
and trusty.

Proposing for SRU as above.


More information about the kernel-team mailing list