Message ID | 1399403436-21214-2-git-send-email-apw@canonical.com |
On 05/06/2014 12:10 PM, Andy Whitcroft wrote: > From: Matthew Daley <mattd@bugfuzz.com> > > Always clear out these floppy_raw_cmd struct members after copying the > entire structure from userspace so that the in-kernel version is always > valid and never left in an interdeterminate state. > > Signed-off-by: Matthew Daley <mattd@bugfuzz.com> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (backported from commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream) > CVE-2014-1737 > BugLink: http://bugs.launchpad.net/bugs/1316729 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > drivers/block/floppy.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c > index 5c01f74..e0022b1 100644 > --- a/drivers/block/floppy.c > +++ b/drivers/block/floppy.c > @@ -3209,9 +3209,12 @@ static inline int raw_cmd_copyin(int cmd, char __user *param, > if (!ptr) > return -ENOMEM; > *rcmd = ptr; > - COPYIN(*ptr); > + ret = _COPYIN(*ptr); > ptr->next = NULL; > ptr->buffer_length = 0; > + ptr->kernel_data = NULL; > + if (ret) > + return ret; > param += sizeof(struct floppy_raw_cmd); > if (ptr->cmd_count > 33) > /* the command may now also take up the space > @@ -3227,7 +3230,6 @@ static inline int raw_cmd_copyin(int cmd, char __user *param, > for (i = 0; i < 16; i++) > ptr->reply[i] = 0; > ptr->resultcode = 0; > - ptr->kernel_data = NULL; > > if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { > if (ptr->length <= 0) >
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 5c01f74..e0022b1 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3209,9 +3209,12 @@ static inline int raw_cmd_copyin(int cmd, char __user *param,
 if (!ptr)
 return -ENOMEM;
 *rcmd = ptr;
- COPYIN(*ptr);
+ ret = _COPYIN(*ptr);
 ptr->next = NULL;
 ptr->buffer_length = 0;
+ ptr->kernel_data = NULL;
+ if (ret)
+ return ret;
 param += sizeof(struct floppy_raw_cmd);
 if (ptr->cmd_count > 33)
 /* the command may now also take up the space
@@ -3227,7 +3230,6 @@ static inline int raw_cmd_copyin(int cmd, char __user *param,
 for (i = 0; i < 16; i++)
 ptr->reply[i] = 0;
 ptr->resultcode = 0;
- ptr->kernel_data = NULL;
 
 if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
 if (ptr->length <= 0)
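Review bot: The ordering of the three clearing stores ahead of the new `if (ret) return ret;` in the first hunk is load-bearing but carries no comment: `*rcmd = ptr` has already been published to the caller before the copy, so on a failed copy the struct handed back must not retain whatever `next`, `buffer_length` or `kernel_data` values the partial copy left behind (presumably the caller releases it through those fields). I would add, above `ptr->next = NULL;`, a comment such as `/* *rcmd is returned even when the copy fails: clear every pointer and length member before the error check so no user-supplied value survives in the kernel copy. */`. The `ret` variable and the `_COPYIN` macro are both defined outside the hunk; the backport relies on `_COPYIN` evaluating to an error code instead of returning on its own, as `COPYIN` did, which is worth stating in the commit message since it differs from the upstream `copy_from_user` form. raw_cmd_copyin starts before the first hunk and continues past the second.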