author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-06-17 10:18:40 +0200 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2016-06-17 19:08:55 +0200 |
commit | 8bd62a6ded78e4a1116e23fb66bb5103f856bf89 (patch) | |
tree | 8ff16d5a07fa7044aedc7d450c08d52da551170f | |
parent | cbedc995cb930608337e665b4a5fed3301f94c20 (diff) | |
download | meta-enea-8bd62a6ded78e4a1116e23fb66bb5103f856bf89.tar.gz |
kernel: block/floppy: CVE-2014-1737, CVE-2014-1738
Fixes privilege escalation via FDRAWCMD floppy ioctl command
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738
Reference to upstream fixes:
CVE-2014-1737:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
commit/?id=21506304588afab20b2d52aaa56b70e85aca6386
CVE-2014-1738:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
commit/?id=50c648e394a0968f19d448b70bec82da88219963
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/floppy-CVE-2014-1737.patch | 51 | ||||
-rw-r--r-- | recipes-kernel/linux/files/floppy-CVE-2014-1738.patch | 41 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq-sdk.bbappend | 2 |
3 files changed, 94 insertions, 0 deletions
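--- /dev/null
+++ b/recipes-kernel/linux/files/floppy-CVE-2014-1737.patch
@@ -0,0 +1,51 @@
+From 21506304588afab20b2d52aaa56b70e85aca6386 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an interdeterminate state.
+
+CVE: CVE-2014-1737
+Upstream-Status: Backport
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/block/floppy.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 04ceb7e..1a8ab67 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3107,10 +3107,11 @@ loop:
+return -ENOMEM;
+*rcmd = ptr;
+ret = copy_from_user(ptr, param, sizeof(*ptr));
+- if (ret)
+- return -EFAULT;
+ptr->next = NULL;
+ptr->buffer_length = 0;
++ ptr->kernel_data = NULL;
++ if (ret)
++ return -EFAULT;
+param += sizeof(struct floppy_raw_cmd);
+if (ptr->cmd_count > 33)
+/* the command may now also take up the space
+@@ -3126,7 +3127,6 @@ loop:
+for (i = 0; i < 16; i++)
+ptr->reply[i] = 0;
+ptr->resultcode = 0;
+- ptr->kernel_data = NULL;
+
+if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+if (ptr->length <= 0)
+--
+cgit v0.12
+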
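Review bot: The reordered block in the first floppy.c hunk carries no comment saying why `ptr->next`, `ptr->buffer_length` and `ptr->kernel_data` are now cleared before `ret` is checked, and that ordering is the entire fix. `*rcmd = ptr` has already handed the allocation to the caller by the time `copy_from_user()` runs, so on the `-EFAULT` return the caller holds a struct whose pointer members were filled from userspace; presumably the caller's cleanup then frees `kernel_data`, but that path is outside this hunk. I would add above the three assignments: `/* Kernel-only members: clear before the error check, *rcmd already points at ptr and the caller cleans it up on failure. */`. The enclosing function starts and ends outside the hunk, and because this is an upstream backport the comment is probably better proposed upstream than carried as a local delta.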
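--- /dev/null
+++ b/recipes-kernel/linux/files/floppy-CVE-2014-1738.patch
@@ -0,0 +1,41 @@
+From 50c648e394a0968f19d448b70bec82da88219963 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+
+CVE: CVE-2014-1738
+Upstream-Status: Backport
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/block/floppy.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 1a8ab67..eb3575b 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
+int ret;
+
+while (ptr) {
+- ret = copy_to_user(param, ptr, sizeof(*ptr));
++ struct floppy_raw_cmd cmd = *ptr;
++ cmd.next = NULL;
++ cmd.kernel_data = NULL;
++ ret = copy_to_user(param, &cmd, sizeof(cmd));
+if (ret)
+return -EFAULT;
+param += sizeof(struct floppy_raw_cmd);
+--
+cgit v0.12
+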
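Review bot: In `raw_cmd_copyout()` the new local `struct floppy_raw_cmd cmd` shadows the function's `int cmd` parameter shown in the hunk header, which trips `-Wshadow` and leaves any later use of `cmd` inside the loop ambiguous to a reader. A distinct name avoids that: `struct floppy_raw_cmd out = *ptr;`, clear `out.next` and `out.kernel_data`, then `ret = copy_to_user(param, &out, sizeof(out));`. The on-stack copy is sent to userspace whole, so if `struct floppy_raw_cmd` has padding it is worth confirming that the struct assignment leaves no uninitialised stack bytes in it; the struct layout is not visible here. The loop body continues past the hunk, and a rename would diverge from the upstream commit this backports, so it may be better raised upstream.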
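--- a/recipes-kernel/linux/linux-qoriq-sdk.bbappend
+++ b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
@@ -20,6 +20,8 @@ SRC_URI += "file://add-no-error-uninitialized.patch \
 file://fs-CVE-2013-4247.patch \
 file://net-CVE-2013-4348.patch \
 file://virt-kvm-CVE-2013-4587.patch \
+file://floppy-CVE-2014-1737.patch \
+file://floppy-CVE-2014-1738.patch \
 file://Fix-CVE-2014-3153.patch \
 file://CVE-2014-0196_n_tty_write_crash.patch \
 file://Fix-CVE-2014-5471_CVE-2014-5472.patch \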