kernel-packages team mailing list archive

Thread
Date
[Bug 1316735] Re: CVE-2014-1738

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: John Johansen <john.johansen@xxxxxxxxxxxxx>
Date: Tue, 20 May 2014 18:56:51 -0000
Reply-to: Bug 1316735 <1316735@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** No longer affects: linux-armadaxp (Ubuntu Quantal)

** No longer affects: linux-ec2 (Ubuntu Quantal)

** No longer affects: linux-lts-saucy (Ubuntu Quantal)

** No longer affects: linux-lts-quantal (Ubuntu Quantal)

** No longer affects: linux-mvl-dove (Ubuntu Quantal)

** No longer affects: linux (Ubuntu Quantal)

** No longer affects: linux-fsl-imx51 (Ubuntu Quantal)

** No longer affects: linux-ti-omap4 (Ubuntu Quantal)

** No longer affects: linux-lts-raring (Ubuntu Quantal)

** Changed in: linux (Ubuntu Utopic)
       Status: New => Fix Committed

** Description changed:

- There is also another issue which greatly helps in the exploitation of
- this other issue. In raw_cmd_copyout, the entire floppy_raw_cmd
- structure is copy_to_user'd back to userspace after raw command
- processing. The issue is that the entire structure is copied back, which
- leaks to userspace the address of the allocated DMA pages, if any, and
- the address of the next-in-list command structure, if any. A malicious
- user can send a FDRAWCMD ioctl with the FD_RAW_MORE flag set and, upon
- inspecting the result in the command argument, find the address of the
- last floppy_raw_cmd allocation on the kmalloc-nnn slab.
+ The raw_cmd_copyout function in drivers/block/floppy.c in the Linux
+ kernel through 3.14.3 does not properly restrict access to certain
+ pointers during processing of an FDRAWCMD ioctl call, which allows local
+ users to obtain sensitive information from kernel heap memory by
+ leveraging write access to a /dev/fd device.
  
  Break-Fix: - 2145e15e0557a01b9195d1c7199a1b92cb9be81f

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1316735

Title:
  CVE-2014-1738

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
  New
Status in “linux-lts-backport-natty” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Fix Committed
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  Fix Committed
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
  New
Status in “linux-lts-backport-natty” source package in Lucid:
  New
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Fix Committed
Status in “linux-armadaxp” source package in Precise:
  Fix Committed
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
  New
Status in “linux-lts-backport-natty” source package in Precise:
  New
Status in “linux-lts-quantal” source package in Precise:
  Fix Committed
Status in “linux-lts-raring” source package in Precise:
  Fix Committed
Status in “linux-lts-saucy” source package in Precise:
  Fix Committed
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  Fix Committed
Status in “linux-lts-backport-maverick” source package in Quantal:
  New
Status in “linux-lts-backport-natty” source package in Quantal:
  New
Status in “linux” source package in Saucy:
  Fix Committed
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
  New
Status in “linux-lts-backport-natty” source package in Saucy:
  New
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  Fix Committed
Status in “linux” source package in Trusty:
  Fix Committed
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
  New
Status in “linux-lts-backport-natty” source package in Trusty:
  New
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid
Status in “linux” source package in Utopic:
  Fix Committed
Status in “linux-armadaxp” source package in Utopic:
  Invalid
Status in “linux-ec2” source package in Utopic:
  Invalid
Status in “linux-fsl-imx51” source package in Utopic:
  Invalid
Status in “linux-lts-backport-maverick” source package in Utopic:
  New
Status in “linux-lts-backport-natty” source package in Utopic:
  New
Status in “linux-lts-quantal” source package in Utopic:
  Invalid
Status in “linux-lts-raring” source package in Utopic:
  Invalid
Status in “linux-lts-saucy” source package in Utopic:
  Invalid
Status in “linux-mvl-dove” source package in Utopic:
  Invalid
Status in “linux-ti-omap4” source package in Utopic:
  Invalid

Bug description:
  The raw_cmd_copyout function in drivers/block/floppy.c in the Linux
  kernel through 3.14.3 does not properly restrict access to certain
  pointers during processing of an FDRAWCMD ioctl call, which allows
  local users to obtain sensitive information from kernel heap memory by
  leveraging write access to a /dev/fd device.

  Break-Fix: - 2145e15e0557a01b9195d1c7199a1b92cb9be81f

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1316735/+subscriptions
References

[Bug 1316735] [NEW] CVE-2014-1738
From: John Johansen, 2014-05-06