← Back to team overview

kernel-packages team mailing list archive

[Bug 1316729] [NEW] CVE-2014-1737

 

*** This bug is a security vulnerability ***

Public security bug reported:

The first issue lies in the driver's processing of FDRAWCMD ioctls,
specifically in its handling of copying floppy_raw_cmd ioctl argument
structures from and to userspace. There are four relevant functions in
drivers/block/floppy.c: raw_cmd_{ioctl,copyin,copyout,free}. First,
raw_cmd_ioctl calls raw_cmd_copyin. This function kmallocs space for a
floppy_raw_cmd structure and stores the resulting allocation in the
"rcmd" pointer argument. It then attempts to copy_from_user the
structure from userspace. If this fails, an early EFAULT return is
taken. The problem is that even if the early return is taken, the
pointer to the non-/partially-initialized floppy_raw_cmd structure has
already been returned via the "rcmd" pointer. Back out in raw_cmd_ioctl,
it attempts to raw_cmd_free this pointer. raw_cmd_free attempts to free
any DMA pages allocated for the raw command, kfrees the raw command
structure itself, and follows the linked list, if any, of further raw
commands (a user can specify the FD_RAW_MORE flag to signal that there
are more raw commands to follow in a single FDRAWCMD ioctl). So, a
malicious user can send a FDRAWCMD ioctl with a raw command argument
structure that has some bytes inaccessible (ie. off the end of an
allocated page). The copy_from_user will fail but raw_cmd_free will
attempt to process the floppy_raw_cmd as if it had been fully
initialized by the rest of raw_cmd_copyin. The user can control the
arguments passed to fd_dma_mem_free and kfree (by making use of the
linked-list feature and specifying the target address as a next-in-list
structure).

Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c

** Affects: linux (Ubuntu)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-ec2 (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux (Ubuntu Lucid)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-ec2 (Ubuntu Lucid)
     Importance: High
         Status: New

** Affects: linux-fsl-imx51 (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Lucid)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Lucid)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux-ec2 (Ubuntu Precise)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu Precise)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux-lts-raring (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux-lts-saucy (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux-mvl-dove (Ubuntu Precise)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux (Ubuntu Quantal)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Quantal)
     Importance: High
         Status: New

** Affects: linux-ec2 (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Quantal)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Quantal)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Quantal)
     Importance: High
         Status: New

** Affects: linux (Ubuntu Saucy)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-ec2 (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Saucy)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Saucy)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Saucy)
     Importance: High
         Status: New

** Affects: linux (Ubuntu Trusty)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-ec2 (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux (Ubuntu Utopic)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-ec2 (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Utopic)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Utopic)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Utopic)
     Importance: High
         Status: Invalid


** Tags: kernel-cve-tracking-bug

** Tags added: kernel-cve-tracking-bug

** Information type changed from Public to Public Security

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-1737

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1316729

Title:
  CVE-2014-1737

Status in “linux” package in Ubuntu:
  New
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
  New
Status in “linux-lts-backport-natty” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  New
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  New
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
  New
Status in “linux-lts-backport-natty” source package in Lucid:
  New
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  New
Status in “linux-armadaxp” source package in Precise:
  New
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
  New
Status in “linux-lts-backport-natty” source package in Precise:
  New
Status in “linux-lts-quantal” source package in Precise:
  New
Status in “linux-lts-raring” source package in Precise:
  New
Status in “linux-lts-saucy” source package in Precise:
  New
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  New
Status in “linux” source package in Quantal:
  New
Status in “linux-armadaxp” source package in Quantal:
  New
Status in “linux-ec2” source package in Quantal:
  Invalid
Status in “linux-fsl-imx51” source package in Quantal:
  Invalid
Status in “linux-lts-backport-maverick” source package in Quantal:
  New
Status in “linux-lts-backport-natty” source package in Quantal:
  New
Status in “linux-lts-quantal” source package in Quantal:
  Invalid
Status in “linux-lts-raring” source package in Quantal:
  Invalid
Status in “linux-lts-saucy” source package in Quantal:
  Invalid
Status in “linux-mvl-dove” source package in Quantal:
  Invalid
Status in “linux-ti-omap4” source package in Quantal:
  New
Status in “linux” source package in Saucy:
  New
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
  New
Status in “linux-lts-backport-natty” source package in Saucy:
  New
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  New
Status in “linux” source package in Trusty:
  New
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
  New
Status in “linux-lts-backport-natty” source package in Trusty:
  New
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid
Status in “linux” source package in Utopic:
  New
Status in “linux-armadaxp” source package in Utopic:
  Invalid
Status in “linux-ec2” source package in Utopic:
  Invalid
Status in “linux-fsl-imx51” source package in Utopic:
  Invalid
Status in “linux-lts-backport-maverick” source package in Utopic:
  New
Status in “linux-lts-backport-natty” source package in Utopic:
  New
Status in “linux-lts-quantal” source package in Utopic:
  Invalid
Status in “linux-lts-raring” source package in Utopic:
  Invalid
Status in “linux-lts-saucy” source package in Utopic:
  Invalid
Status in “linux-mvl-dove” source package in Utopic:
  Invalid
Status in “linux-ti-omap4” source package in Utopic:
  Invalid

Bug description:
  The first issue lies in the driver's processing of FDRAWCMD ioctls,
  specifically in its handling of copying floppy_raw_cmd ioctl argument
  structures from and to userspace. There are four relevant functions in
  drivers/block/floppy.c: raw_cmd_{ioctl,copyin,copyout,free}. First,
  raw_cmd_ioctl calls raw_cmd_copyin. This function kmallocs space for a
  floppy_raw_cmd structure and stores the resulting allocation in the
  "rcmd" pointer argument. It then attempts to copy_from_user the
  structure from userspace. If this fails, an early EFAULT return is
  taken. The problem is that even if the early return is taken, the
  pointer to the non-/partially-initialized floppy_raw_cmd structure has
  already been returned via the "rcmd" pointer. Back out in
  raw_cmd_ioctl, it attempts to raw_cmd_free this pointer. raw_cmd_free
  attempts to free any DMA pages allocated for the raw command, kfrees
  the raw command structure itself, and follows the linked list, if any,
  of further raw commands (a user can specify the FD_RAW_MORE flag to
  signal that there are more raw commands to follow in a single FDRAWCMD
  ioctl). So, a malicious user can send a FDRAWCMD ioctl with a raw
  command argument structure that has some bytes inaccessible (ie. off
  the end of an allocated page). The copy_from_user will fail but
  raw_cmd_free will attempt to process the floppy_raw_cmd as if it had
  been fully initialized by the rest of raw_cmd_copyin. The user can
  control the arguments passed to fd_dma_mem_free and kfree (by making
  use of the linked-list feature and specifying the target address as a
  next-in-list structure).

  Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1316729/+subscriptions


Follow ups

References