Linux Kernel 3.14.3 /dev/fd gain privileges

2014.05.12
Credit: Matthew Daley
Risk: High
Local: Yes
Remote: No
CWE: N/A

Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the in-kernel version is always valid and never left in an indeterminate state. drivers/block/floppy.c 6 1 files changed, 3 insertions, 3 deletions diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index 8f5565b..12251a6 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -3121,10 +3121,11 @@ loop: return -ENOMEM; *rcmd = ptr; ret = copy_from_user(ptr, param, sizeof(*ptr)); - if (ret) - return -EFAULT; ptr->next = NULL; ptr->buffer_length = 0; + ptr->kernel_data = NULL; + if (ret) + return -EFAULT; param += sizeof(struct floppy_raw_cmd); if (ptr->cmd_count > 33) /* the command may now also take up the space @@ -3140,7 +3141,6 @@ loop: for (i = 0; i < 16; i++) ptr->reply[i] = 0; ptr->resultcode = 0; - ptr->kernel_data = NULL; if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { if (ptr->length <= 0)
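
Review bot: In the first hunk (around line 3121), the `if (ret) return -EFAULT;` check now runs only after `ptr->next`, `ptr->buffer_length` and `ptr->kernel_data` are reset, but nothing in the code says that this order matters. `*rcmd = ptr` is assigned before `copy_from_user()`, so the caller already holds the structure when the error return happens. A short comment stating that the kernel-only members must be cleared before any return would keep a later cleanup from moving the check back up next to the copy.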
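
Review bot: In the second hunk (around line 3140), `ptr->reply[i]` and `ptr->resultcode` are still reset only after the early `-EFAULT` return, so on that path they keep whatever `copy_from_user()` wrote. If any error path reads them, they should move up together with `ptr->kernel_data`; if not, grouping all of the resets in one place directly after the copy would make the guarantee easier to see.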

References:

https://github.com/torvalds/linux/commit/ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
https://bugzilla.redhat.com/show_bug.cgi?id=1094299
http://www.openwall.com/lists/oss-security/2014/05/09/2
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ef87dbe7614341c2e7bfe8d32fcb7028cc97442c


Copyright 2024, cxsecurity.com