← Back to team overview

kernel-packages team mailing list archive

[Bug 1316729] Re: CVE-2014-1737

 

** No longer affects: linux-armadaxp (Ubuntu Quantal)

** No longer affects: linux-ec2 (Ubuntu Quantal)

** No longer affects: linux-lts-saucy (Ubuntu Quantal)

** No longer affects: linux-lts-quantal (Ubuntu Quantal)

** No longer affects: linux-mvl-dove (Ubuntu Quantal)

** No longer affects: linux (Ubuntu Quantal)

** No longer affects: linux-fsl-imx51 (Ubuntu Quantal)

** No longer affects: linux-ti-omap4 (Ubuntu Quantal)

** No longer affects: linux-lts-raring (Ubuntu Quantal)

** Changed in: linux (Ubuntu Utopic)
       Status: New => Fix Committed

** Description changed:

- The first issue lies in the driver's processing of FDRAWCMD ioctls,
- specifically in its handling of copying floppy_raw_cmd ioctl argument
- structures from and to userspace. There are four relevant functions in
- drivers/block/floppy.c: raw_cmd_{ioctl,copyin,copyout,free}. First,
- raw_cmd_ioctl calls raw_cmd_copyin. This function kmallocs space for a
- floppy_raw_cmd structure and stores the resulting allocation in the
- "rcmd" pointer argument. It then attempts to copy_from_user the
- structure from userspace. If this fails, an early EFAULT return is
- taken. The problem is that even if the early return is taken, the
- pointer to the non-/partially-initialized floppy_raw_cmd structure has
- already been returned via the "rcmd" pointer. Back out in raw_cmd_ioctl,
- it attempts to raw_cmd_free this pointer. raw_cmd_free attempts to free
- any DMA pages allocated for the raw command, kfrees the raw command
- structure itself, and follows the linked list, if any, of further raw
- commands (a user can specify the FD_RAW_MORE flag to signal that there
- are more raw commands to follow in a single FDRAWCMD ioctl). So, a
- malicious user can send a FDRAWCMD ioctl with a raw command argument
- structure that has some bytes inaccessible (ie. off the end of an
- allocated page). The copy_from_user will fail but raw_cmd_free will
+ The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
+ kernel through 3.14.3 does not properly handle error conditions during
+ processing of an FDRAWCMD ioctl call, which allows local users to
+ trigger kfree operations and gain privileges by leveraging write access
+ to a /dev/fd device. First, raw_cmd_ioctl calls raw_cmd_copyin. This
+ function kmallocs space for a floppy_raw_cmd structure and stores the
+ resulting allocation in the "rcmd" pointer argument. It then attempts to
+ copy_from_user the structure from userspace. If this fails, an early
+ EFAULT return is taken. The problem is that even if the early return is
+ taken, the pointer to the non-/partially-initialized floppy_raw_cmd
+ structure has already been returned via the "rcmd" pointer. Back out in
+ raw_cmd_ioctl, it attempts to raw_cmd_free this pointer. raw_cmd_free
+ attempts to free any DMA pages allocated for the raw command, kfrees the
+ raw command structure itself, and follows the linked list, if any, of
+ further raw commands (a user can specify the FD_RAW_MORE flag to signal
+ that there are more raw commands to follow in a single FDRAWCMD ioctl).
+ So, a malicious user can send a FDRAWCMD ioctl with a raw command
+ argument structure that has some bytes inaccessible (ie. off the end of
+ an allocated page). The copy_from_user will fail but raw_cmd_free will
  attempt to process the floppy_raw_cmd as if it had been fully
  initialized by the rest of raw_cmd_copyin. The user can control the
  arguments passed to fd_dma_mem_free and kfree (by making use of the
  linked-list feature and specifying the target address as a next-in-list
  structure).
  
  Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1316729

Title:
  CVE-2014-1737

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
  New
Status in “linux-lts-backport-natty” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Fix Committed
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  Fix Committed
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
  New
Status in “linux-lts-backport-natty” source package in Lucid:
  New
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Fix Committed
Status in “linux-armadaxp” source package in Precise:
  Fix Committed
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
  New
Status in “linux-lts-backport-natty” source package in Precise:
  New
Status in “linux-lts-quantal” source package in Precise:
  Fix Committed
Status in “linux-lts-raring” source package in Precise:
  Fix Committed
Status in “linux-lts-saucy” source package in Precise:
  Fix Committed
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  Fix Committed
Status in “linux-lts-backport-maverick” source package in Quantal:
  New
Status in “linux-lts-backport-natty” source package in Quantal:
  New
Status in “linux” source package in Saucy:
  Fix Committed
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
  New
Status in “linux-lts-backport-natty” source package in Saucy:
  New
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  Fix Committed
Status in “linux” source package in Trusty:
  Fix Committed
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
  New
Status in “linux-lts-backport-natty” source package in Trusty:
  New
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid
Status in “linux” source package in Utopic:
  Fix Committed
Status in “linux-armadaxp” source package in Utopic:
  Invalid
Status in “linux-ec2” source package in Utopic:
  Invalid
Status in “linux-fsl-imx51” source package in Utopic:
  Invalid
Status in “linux-lts-backport-maverick” source package in Utopic:
  New
Status in “linux-lts-backport-natty” source package in Utopic:
  New
Status in “linux-lts-quantal” source package in Utopic:
  Invalid
Status in “linux-lts-raring” source package in Utopic:
  Invalid
Status in “linux-lts-saucy” source package in Utopic:
  Invalid
Status in “linux-mvl-dove” source package in Utopic:
  Invalid
Status in “linux-ti-omap4” source package in Utopic:
  Invalid

Bug description:
  The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
  kernel through 3.14.3 does not properly handle error conditions during
  processing of an FDRAWCMD ioctl call, which allows local users to
  trigger kfree operations and gain privileges by leveraging write
  access to a /dev/fd device. First, raw_cmd_ioctl calls raw_cmd_copyin.
  This function kmallocs space for a floppy_raw_cmd structure and stores
  the resulting allocation in the "rcmd" pointer argument. It then
  attempts to copy_from_user the structure from userspace. If this
  fails, an early EFAULT return is taken. The problem is that even if
  the early return is taken, the pointer to the non-/partially-
  initialized floppy_raw_cmd structure has already been returned via the
  "rcmd" pointer. Back out in raw_cmd_ioctl, it attempts to raw_cmd_free
  this pointer. raw_cmd_free attempts to free any DMA pages allocated
  for the raw command, kfrees the raw command structure itself, and
  follows the linked list, if any, of further raw commands (a user can
  specify the FD_RAW_MORE flag to signal that there are more raw
  commands to follow in a single FDRAWCMD ioctl). So, a malicious user
  can send a FDRAWCMD ioctl with a raw command argument structure that
  has some bytes inaccessible (ie. off the end of an allocated page).
  The copy_from_user will fail but raw_cmd_free will attempt to process
  the floppy_raw_cmd as if it had been fully initialized by the rest of
  raw_cmd_copyin. The user can control the arguments passed to
  fd_dma_mem_free and kfree (by making use of the linked-list feature
  and specifying the target address as a next-in-list structure).

  Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1316729/+subscriptions


References