Hi,
As this was posted to linux-distros, and was supposed to be made public
earlier this week, but so far wasn't published on oss-sec …
Reported by Matthew Daley to [email protected].
There apparently exists a proof of concept root exploit, that allows
local users with access to a floppy device to execute code in the linux
kernel.
(I think this needs a floppy driver to actually allow access to a floppy
device. My machine only says "floppy0: no floppy controllers found" today.)
Linux Kernel Mainline commits:
2145e15e0557a01b9195d1c7199a1b92cb9be81f
Author: Matthew Daley <[email protected]>
Date: Mon Apr 28 19:05:21 2014 +1200
floppy: don't write kernel-only members to FDRAWCMD ioctl output
Do not leak kernel-only floppy_raw_cmd structure members to userspace.
This includes the linked-list pointer and the pointer to the allocated
DMA space.
Signed-off-by: Matthew Daley <[email protected]>
References: CVE-2014-1738
Signed-off-by: Linus Torvalds <[email protected]>
commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
Author: Matthew Daley <[email protected]>
Date: Mon Apr 28 19:05:20 2014 +1200
floppy: ignore kernel-only members in FDRAWCMD ioctl input
Always clear out these floppy_raw_cmd struct members after copying the
entire structure from userspace so that the in-kernel version is always
valid and never left in an interdeterminate state.
Signed-off-by: Matthew Daley <[email protected]>
References: CVE-2014-1737
Signed-off-by: Linus Torvalds <[email protected]>
Ciao, Marcus