[T/X/A/B/C] CVE-2018-7755 -- floppy ioctl FDGETPRM exposes kernel pointer
Andy Whitcroft
apw at canonical.com
Mon Jun 4 12:19:06 UTC 2018
On Tue, May 29, 2018 at 02:38:26PM +0100, Andy Whitcroft wrote:
> CVE-2018-7755:
> An issue was discovered in the fd_locked_ioctl function in
> drivers/block/floppy.c in the Linux kernel through 4.15.7. The
> floppy driver will copy a kernel pointer to user memory in response
> to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and
> use the obtained kernel pointer to discover the location of kernel
> code and data and bypass kernel security protections such as KASLR.
>
> Ensure this pointer is not populated in the data as returned to
> userspace. Proposing for SRU to trusty, xenial, artful, bionic, and
> cosmic.
Note that this should be applied as UBUNTU: SAUCE: as it has not yet
made it upstream.
-apw
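The pattern behind this CVE, as an added userspace illustration that is neither the kernel's floppy.c nor the patch proposed in this thread: a kernel-side struct whose last field is a kernel pointer is handed to userspace whole, so the pointer leaks. The stand-in struct below mirrors the field layout of the uapi floppy_struct (geometry fields followed by a `name` pointer); `fake_copy_to_user`, the format table entry and the two `fdgetprm_*` functions are constructed for the example. The hardened variant copies only the fields that precede the pointer into a zeroed local copy, so the pointer field is always zero in what userspace receives.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's struct floppy_struct (include/uapi/linux/fd.h):
 * geometry fields followed by a `name` pointer that only has meaning inside
 * the kernel. Constructed here for illustration, not the kernel's definition. */
struct floppy_geom {
    unsigned int size, sect, head, track, stretch;
    unsigned char gap, rate, spec1, fmt_gap;
    const char *name;   /* kernel-internal pointer; must never reach userspace */
};

/* Constructed "kernel" table entry standing in for a predefined format. */
static const struct floppy_geom kernel_fmt = {
    2880, 18, 2, 80, 0, 0x1B, 0x00, 0xCF, 0x6C, "H1440"
};

/* Stand-in for copy_to_user(): a plain memcpy into a caller-supplied buffer. */
static void fake_copy_to_user(void *user_dst, const void *kernel_src, size_t n)
{
    memcpy(user_dst, kernel_src, n);
}

/* Vulnerable pattern: the whole struct, pointer included, is handed over. */
void fdgetprm_leaky(struct floppy_geom *user_out)
{
    fake_copy_to_user(user_out, &kernel_fmt, sizeof(kernel_fmt));
}

/* Hardened pattern: build a zeroed local copy and copy only the fields that
 * precede the pointer, so `name` (and any padding) is zero for userspace. */
void fdgetprm_fixed(struct floppy_geom *user_out)
{
    struct floppy_geom scrubbed;
    memset(&scrubbed, 0, sizeof(scrubbed));
    memcpy(&scrubbed, &kernel_fmt, offsetof(struct floppy_geom, name));
    fake_copy_to_user(user_out, &scrubbed, sizeof(scrubbed));
}

/* Returns 1 if the struct handed back to userspace carries no pointer. */
int pointer_scrubbed(const struct floppy_geom *g)
{
    return g->name == NULL;
}

/* Returns 1 if the geometry fields survived the scrub unchanged. */
int geometry_intact(const struct floppy_geom *g)
{
    return g->size == kernel_fmt.size && g->sect == kernel_fmt.sect &&
           g->head == kernel_fmt.head && g->track == kernel_fmt.track &&
           g->stretch == kernel_fmt.stretch && g->gap == kernel_fmt.gap &&
           g->rate == kernel_fmt.rate && g->spec1 == kernel_fmt.spec1 &&
           g->fmt_gap == kernel_fmt.fmt_gap;
}

int main(void)
{
    struct floppy_geom leaky, fixed;
    fdgetprm_leaky(&leaky);
    fdgetprm_fixed(&fixed);
    printf("leaky: kernel pointer %s\n",
           pointer_scrubbed(&leaky) ? "absent" : "present");
    printf("fixed: kernel pointer %s, geometry %s\n",
           pointer_scrubbed(&fixed) ? "absent" : "present",
           geometry_intact(&fixed) ? "intact" : "damaged");
    return 0;
}
```

The check a reviewer wants on any ioctl that returns a struct is the one `pointer_scrubbed` encodes: every field that reaches userspace is either data the caller is entitled to or explicitly zeroed. Using `offsetof` on the pointer field, rather than copying the struct and then clearing `name`, keeps the scrub correct even if the struct later gains more kernel-only fields after it.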