[3.13.y.z extended stable] Patch "floppy: don't write kernel-only members to FDRAWCMD ioctl output" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Tue May 6 20:29:38 UTC 2014


This is a note to let you know that I have just added a patch titled

    floppy: don't write kernel-only members to FDRAWCMD ioctl output

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.1.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

From ac31585c4c57b25f4e837a686800841d6674154c Mon Sep 17 00:00:00 2001
From: Matthew Daley <mattd at bugfuzz.com>
Date: Mon, 28 Apr 2014 19:05:21 +1200
Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output

commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.

Do not leak kernel-only floppy_raw_cmd structure members to userspace.
This includes the linked-list pointer and the pointer to the allocated
DMA space.

Signed-off-by: Matthew Daley <mattd at bugfuzz.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
References: CVE-2014-1738
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/block/floppy.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 10fbd3f..738af94 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
 	int ret;

 	while (ptr) {
-		ret = copy_to_user(param, ptr, sizeof(*ptr));
+		struct floppy_raw_cmd cmd = *ptr;
+		cmd.next = NULL;
+		cmd.kernel_data = NULL;
+		ret = copy_to_user(param, &cmd, sizeof(cmd));
 		if (ret)
 			return -EFAULT;
 		param += sizeof(struct floppy_raw_cmd);
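Review bot: the new local `struct floppy_raw_cmd cmd` declared at the top of the `while (ptr)` body shadows the function's `int cmd` parameter (visible in the hunk header, `raw_cmd_copyout(int cmd, void __user *param,`), so any use of the ioctl command number inside the loop would now refer to the struct instead. Renaming the local, for example to `out`, removes the shadowing and the -Wshadow warning it triggers. A one-line comment above `cmd.next = NULL;` and `cmd.kernel_data = NULL;` stating that these are kernel-only pointers that must not reach userspace would also document why the copy is made, so a kernel-only member added to the struct later is not forgotten here.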
--
1.9.1




