| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1520467365-7194-1-git-send-email-bbellevi@uci.edu> Date: Wed, 7 Mar 2018 16:02:45 -0800 From: Brian Belleville <bbellevi@....edu> To: Jiri Kosina <jikos@...nel.org>, linux-kernel@...r.kernel.org Cc: Brian Belleville <bbellevi@....edu> Subject: [PATCH] floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl The final field of a floppy_struct is the field "name", which is a pointer to a string in kernel memory. The kernel pointer should not be copied to user memory. The FDGETPRM ioctl copies a floppy_struct to user memory, including the "name" field. This pointer cannot be used by the user, and it will leak a kernel address to user-space, which will reveal the location of kernel code and data and undermine KASLR protection. Instead, copy the floppy_struct except for the "name" field. Signed-off-by: Brian Belleville <bbellevi@....edu> --- drivers/block/floppy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index eae484a..4d4a422 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -3470,6 +3470,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int (struct floppy_struct **)&outparam); if (ret) return ret; + size = offsetof(struct floppy_struct, name); break; case FDMSGON: UDP->flags |= FTD_MSG; -- 2.7.4
Powered by blists - more mailing lists