CVE-2014-1737, CVE-2014-1738 kernel: floppy: ignore kernel-only members in FDRAWCMD

  • 7015062
  • 15-May-2014
  • 20-Jul-2014

Environment


SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

Situation

The first issue is a critical security issue reported as CVE-2014-1737. In this one, a malicious user can send a FDRAWCMD ioctl with a raw command argument that has some bytes inaccessible, e.g. off the end of an allocated page. The copy_from_user will fail, but the raw_cmd_free will attempt to process the floppy_raw_cmd as if it had been fully initialized by the rest of raw_cmd_copyin. The user can control the arguments passed to fd_dma_mem_free nd kfree (by making use of the linked_list feature and specifying the target address as next_in_list structure). 

The second critical issue reported as CVE-2014-1738 is linked to the above one.
In raw_cmd_copyout, the entire floppy_raw_cmd structure is copy_to_user'd back to userspace after raw_command processing. A malicious user can send a FDRAWCMD ioctl with the FD_RAW_MORE flag set and, upon inspecting the result in the command argument, find the address of the last floppy_raw_cmd allocation on the kmalloc_nnn slab.

The combination of both issues does give different possibilities to exploit the vulnerabilities of kfree of any desired object, and the leak of the address of a temporary kmalloc() allocation. 

Resolution

The fixes for both issues are available and have been published. Update the kernel to the current version, or at least to 3.0.101-0.29.1 by using the usual update channels. 

Feedback service temporarily unavailable. For content questions or problems, please contact Support.