[arch-security] Kernel floppy ioctl kernel code execution

Mark Lee mark at markelee.com
Fri May 9 03:18:04 EDT 2014


To all,

Usage of a floppy device can allow users to get root access in the Linux
Kernel. Supposedly this has been posted to the Linux distros already,
but I'm posting it here just in case.

Regards,
Mark

> Hi,
> 
> As this was posted to linux-distros, and was supposed to be made public
> earlier this week, but so far wasn't published on oss-sec ...
> 
> Reported by Matthew Daley to security at kernel.org.
> 
> There apparently exists a proof of concept root exploit, that allows
> local users with access to a floppy device to execute code in the linux
> kernel.
> 
> (I think this needs a floppy driver to actually allow access to a floppy
>  device. My machine only says "floppy0: no floppy controllers found" today.)
> 
> Linux Kernel Mainline commits:
> 
> commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f
> Author: Matthew Daley <mattd at bugfuzz.com>
> Date:   Mon Apr 28 19:05:21 2014 +1200
> 
>     floppy: don't write kernel-only members to FDRAWCMD ioctl output
> 
>     Do not leak kernel-only floppy_raw_cmd structure members to userspace.
>     This includes the linked-list pointer and the pointer to the allocated
>     DMA space.
> 
>     Signed-off-by: Matthew Daley <mattd at bugfuzz.com>
>     References: CVE-2014-1738
>     Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> 
> commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
> Author: Matthew Daley <mattd at bugfuzz.com>
> Date:   Mon Apr 28 19:05:20 2014 +1200
> 
>     floppy: ignore kernel-only members in FDRAWCMD ioctl input
> 
>     Always clear out these floppy_raw_cmd struct members after copying the
>     entire structure from userspace so that the in-kernel version is always
>     valid and never left in an indeterminate state.
> 
>     Signed-off-by: Matthew Daley <mattd at bugfuzz.com>
>     References: CVE-2014-1737
>     Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> 
> Ciao, Marcus


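The two commit messages quoted above describe one hardening pattern applied in both directions of an ioctl: clear kernel-only members after copying a structure in from userspace, and never copy them back out. The following is an added illustration, not code from the kernel patches or from this post; `struct raw_cmd`, `sim_copy`, `cmd_from_user` and `cmd_to_user` are hypothetical userspace stand-ins, with `sim_copy` playing the role of `copy_from_user()`/`copy_to_user()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified ioctl argument (not the real floppy_raw_cmd):
 * user-visible fields mixed with members only the kernel may set. */
struct raw_cmd {
    unsigned int flags;
    long length;
    void *kernel_data;      /* kernel-only: driver-allocated buffer */
    struct raw_cmd *next;   /* kernel-only: linked-list pointer */
    unsigned char cmd[16];
};

/* Userspace stand-in for copy_from_user()/copy_to_user(): returns the
 * number of bytes NOT copied; fault_at simulates a fault part-way. */
static size_t sim_copy(void *dst, const void *src, size_t n, size_t fault_at)
{
    size_t ok = n < fault_at ? n : fault_at;
    memcpy(dst, src, ok);
    return n - ok;
}

/* Input: copy the whole struct, then clear kernel-only members before
 * looking at the result, so error paths never see caller-chosen pointers. */
int cmd_from_user(struct raw_cmd *k, const struct raw_cmd *u, size_t fault_at)
{
    size_t left = sim_copy(k, u, sizeof(*k), fault_at);
    k->kernel_data = NULL;
    k->next = NULL;
    return left ? -1 : 0;
}

/* Output: scrub a local copy so no kernel address reaches the caller. */
int cmd_to_user(struct raw_cmd *u, const struct raw_cmd *k)
{
    struct raw_cmd out = *k;
    out.kernel_data = NULL;
    out.next = NULL;
    return sim_copy(u, &out, sizeof(out), sizeof(out)) ? -1 : 0;
}

int main(void)
{
    struct raw_cmd u = { .flags = 1, .length = 512 }, k;   /* constructed input */
    u.kernel_data = (void *)(uintptr_t)0x41414141;          /* caller-supplied junk */
    memset(&k, 0, sizeof(k));
    int rc = cmd_from_user(&k, &u, offsetof(struct raw_cmd, cmd));
    printf("rc=%d kernel_data=%p\n", rc, k.kernel_data);
    return 0;
}
```

The ordering in `cmd_from_user` is the point: the kernel-only members are reset regardless of whether the copy succeeded, so a partially filled structure is still safe to hand to cleanup code.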
