kernel: block/floppy: CVE-2014-1737, CVE-2014-1738

Fixes privilege escalation via FDRAWCMD floppy ioctl command References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738 Reference to upstream fixes: CVE-2014-1737: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=21506304588afab20b2d52aaa56b70e85aca6386 CVE-2014-1738: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=50c648e394a0968f19d448b70bec82da88219963 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-06-17 10:18:40 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2016-06-17 19:08:55 +0200
commit: 8bd62a6ded78e4a1116e23fb66bb5103f856bf89 (patch)
tree: 8ff16d5a07fa7044aedc7d450c08d52da551170f
parent: cbedc995cb930608337e665b4a5fed3301f94c20 (diff)
download: meta-enea-8bd62a6ded78e4a1116e23fb66bb5103f856bf89.tar.gz
3 files changed, 94 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/floppy-CVE-2014-1737.patch b/recipes-kernel/linux/files/floppy-CVE-2014-1737.patch
new file mode 100644
index 0000000..d358e19
--- /dev/null
+++ b/recipes-kernel/linux/files/floppy-CVE-2014-1737.patch
@@ -0,0 +1,51 @@
+From 21506304588afab20b2d52aaa56b70e85aca6386 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an interdeterminate state.
+CVE: CVE-2014-1737
+Upstream-Status: Backport
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/block/floppy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 04ceb7e..1a8ab67 100644
+--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
+@@ -3107,10 +3107,11 @@ loop:
+                return -ENOMEM;
+        *rcmd = ptr;
+        ret = copy_from_user(ptr, param, sizeof(*ptr));
+-       if (ret)
+-               return -EFAULT;
+        ptr->next = NULL;
+        ptr->buffer_length = 0;
+       ptr->kernel_data = NULL;
+       if (ret)
+               return -EFAULT;
+        param += sizeof(struct floppy_raw_cmd);
+        if (ptr->cmd_count > 33)
+                        /* the command may now also take up the space
+@@ -3126,7 +3127,6 @@ loop:
+        for (i = 0; i < 16; i++)
+                ptr->reply[i] = 0;
+        ptr->resultcode = 0;
+-       ptr->kernel_data = NULL;
+ 
+        if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+                if (ptr->length <= 0)
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/files/floppy-CVE-2014-1738.patch b/recipes-kernel/linux/files/floppy-CVE-2014-1738.patch
new file mode 100644
index 0000000..fa93391
--- /dev/null
+++ b/recipes-kernel/linux/files/floppy-CVE-2014-1738.patch
@@ -0,0 +1,41 @@
+From 50c648e394a0968f19d448b70bec82da88219963 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+CVE: CVE-2014-1738
+Upstream-Status: Backport
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/block/floppy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 1a8ab67..eb3575b 100644
+--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
+        int ret;
+ 
+        while (ptr) {
+-               ret = copy_to_user(param, ptr, sizeof(*ptr));
+               struct floppy_raw_cmd cmd = *ptr;
+               cmd.next = NULL;
+               cmd.kernel_data = NULL;
+               ret = copy_to_user(param, &cmd, sizeof(cmd));
+                if (ret)
+                        return -EFAULT;
+                param += sizeof(struct floppy_raw_cmd);
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-qoriq-sdk.bbappend b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
index 0568d58..c3ded18 100644
--- a/recipes-kernel/linux/linux-qoriq-sdk.bbappend
+++ b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
@@ -20,6 +20,8 @@ SRC_URI += "file://add-no-error-uninitialized.patch \
    file://fs-CVE-2013-4247.patch \
    file://net-CVE-2013-4348.patch \
    file://virt-kvm-CVE-2013-4587.patch \
+    file://floppy-CVE-2014-1737.patch \
+    file://floppy-CVE-2014-1738.patch \
    file://Fix-CVE-2014-3153.patch \
    file://CVE-2014-0196_n_tty_write_crash.patch \
    file://Fix-CVE-2014-5471_CVE-2014-5472.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-06-17 10:18:40 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2016-06-17 19:08:55 +0200
commit	8bd62a6ded78e4a1116e23fb66bb5103f856bf89 (patch)
tree	8ff16d5a07fa7044aedc7d450c08d52da551170f
parent	cbedc995cb930608337e665b4a5fed3301f94c20 (diff)
download	meta-enea-8bd62a6ded78e4a1116e23fb66bb5103f856bf89.tar.gz

diff --git a/recipes-kernel/linux/files/floppy-CVE-2014-1737.patch b/recipes-kernel/linux/files/floppy-CVE-2014-1737.patch new file mode 100644 index 0000000..d358e19 --- /dev/null +++ b/recipes-kernel/linux/files/floppy-CVE-2014-1737.patch
@@ -0,0 +1,51 @@
		1	From 21506304588afab20b2d52aaa56b70e85aca6386 Mon Sep 17 00:00:00 2001
		2	From: Matthew Daley <mattd@bugfuzz.com>
		3	Date: Mon, 28 Apr 2014 19:05:20 +1200
		4	Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
		5
		6	commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
		7
		8	Always clear out these floppy_raw_cmd struct members after copying the
		9	entire structure from userspace so that the in-kernel version is always
		10	valid and never left in an interdeterminate state.
		11
		12	CVE: CVE-2014-1737
		13	Upstream-Status: Backport
		14
		15	Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
		16	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		17	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		18	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		19	---
		20	drivers/block/floppy.c \| 6 +++---
		21	1 file changed, 3 insertions(+), 3 deletions(-)
		22
		23	diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
		24	index 04ceb7e..1a8ab67 100644
		25	--- a/drivers/block/floppy.c
		26	+++ b/drivers/block/floppy.c
		27	@@ -3107,10 +3107,11 @@ loop:
		28	return -ENOMEM;
		29	*rcmd = ptr;
		30	ret = copy_from_user(ptr, param, sizeof(*ptr));
		31	- if (ret)
		32	- return -EFAULT;
		33	ptr->next = NULL;
		34	ptr->buffer_length = 0;
		35	+ ptr->kernel_data = NULL;
		36	+ if (ret)
		37	+ return -EFAULT;
		38	param += sizeof(struct floppy_raw_cmd);
		39	if (ptr->cmd_count > 33)
		40	/* the command may now also take up the space
		41	@@ -3126,7 +3127,6 @@ loop:
		42	for (i = 0; i < 16; i++)
		43	ptr->reply[i] = 0;
		44	ptr->resultcode = 0;
		45	- ptr->kernel_data = NULL;
		46
		47	if (ptr->flags & (FD_RAW_READ \| FD_RAW_WRITE)) {
		48	if (ptr->length <= 0)
		49	--
		50	cgit v0.12
		51


diff --git a/recipes-kernel/linux/files/floppy-CVE-2014-1738.patch b/recipes-kernel/linux/files/floppy-CVE-2014-1738.patch new file mode 100644 index 0000000..fa93391 --- /dev/null +++ b/recipes-kernel/linux/files/floppy-CVE-2014-1738.patch
@@ -0,0 +1,41 @@
		1	From 50c648e394a0968f19d448b70bec82da88219963 Mon Sep 17 00:00:00 2001
		2	From: Matthew Daley <mattd@bugfuzz.com>
		3	Date: Mon, 28 Apr 2014 19:05:21 +1200
		4	Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
		5
		6	commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
		7
		8	Do not leak kernel-only floppy_raw_cmd structure members to userspace.
		9	This includes the linked-list pointer and the pointer to the allocated
		10	DMA space.
		11
		12	CVE: CVE-2014-1738
		13	Upstream-Status: Backport
		14
		15	Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
		16	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		17	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		18	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		19	---
		20	drivers/block/floppy.c \| 5 ++++-
		21	1 file changed, 4 insertions(+), 1 deletion(-)
		22
		23	diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
		24	index 1a8ab67..eb3575b 100644
		25	--- a/drivers/block/floppy.c
		26	+++ b/drivers/block/floppy.c
		27	@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void __user *param,
		28	int ret;
		29
		30	while (ptr) {
		31	- ret = copy_to_user(param, ptr, sizeof(*ptr));
		32	+ struct floppy_raw_cmd cmd = *ptr;
		33	+ cmd.next = NULL;
		34	+ cmd.kernel_data = NULL;
		35	+ ret = copy_to_user(param, &cmd, sizeof(cmd));
		36	if (ret)
		37	return -EFAULT;
		38	param += sizeof(struct floppy_raw_cmd);
		39	--
		40	cgit v0.12
		41


diff --git a/recipes-kernel/linux/linux-qoriq-sdk.bbappend b/recipes-kernel/linux/linux-qoriq-sdk.bbappend index 0568d58..c3ded18 100644 --- a/recipes-kernel/linux/linux-qoriq-sdk.bbappend +++ b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
@@ -20,6 +20,8 @@ SRC_URI += "file://add-no-error-uninitialized.patch \
20	file://fs-CVE-2013-4247.patch \	20	file://fs-CVE-2013-4247.patch \
21	file://net-CVE-2013-4348.patch \	21	file://net-CVE-2013-4348.patch \
22	file://virt-kvm-CVE-2013-4587.patch \	22	file://virt-kvm-CVE-2013-4587.patch \
		23	file://floppy-CVE-2014-1737.patch \
		24	file://floppy-CVE-2014-1738.patch \
23	file://Fix-CVE-2014-3153.patch \	25	file://Fix-CVE-2014-3153.patch \
24	file://CVE-2014-0196_n_tty_write_crash.patch \	26	file://CVE-2014-0196_n_tty_write_crash.patch \
25	file://Fix-CVE-2014-5471_CVE-2014-5472.patch \	27	file://Fix-CVE-2014-5471_CVE-2014-5472.patch \