7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.0004 Low
EPSS
Percentile
10.1%
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel
through 3.14.3 does not properly handle error conditions during processing
of an FDRAWCMD ioctl call, which allows local users to trigger kfree
operations and gain privileges by leveraging write access to a /dev/fd
device.
First, raw_cmd_ioctl calls raw_cmd_copyin. This function kmallocs
space for a floppy_raw_cmd structure and stores the resulting
allocation in the “rcmd” pointer argument. It then attempts to
copy_from_user the structure from userspace. If this fails, an early
EFAULT return is taken.
The problem is that even if the early return is taken, the pointer to
the non-/partially-initialized floppy_raw_cmd structure has already
been returned via the “rcmd” pointer. Back out in raw_cmd_ioctl, it
attempts to raw_cmd_free this pointer.
raw_cmd_free attempts to free any DMA pages allocated for the raw
command, kfrees the raw command structure itself, and follows the
linked list, if any, of further raw commands (a user can specify the
FD_RAW_MORE flag to signal that there are more raw commands to follow
in a single FDRAWCMD ioctl).
So, a malicious user can send a FDRAWCMD ioctl with a raw command
argument structure that has some bytes inaccessible (ie. off the end
of an allocated page). The copy_from_user will fail but raw_cmd_free
will attempt to process the floppy_raw_cmd as if it had been fully
initialized by the rest of raw_cmd_copyin. The user can control the
arguments passed to fd_dma_mem_free and kfree (by making use of the
linked-list feature and specifying the target address as a
next-in-list structure).
Author | Note |
---|---|
jdstrand | android kernels (goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 13.10 preview kernels android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.04 preview kernels |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 10.04 | noarch | linux | < 2.6.32-60.122 | UNKNOWN |
ubuntu | 12.04 | noarch | linux | < 3.2.0-63.95 | UNKNOWN |
ubuntu | 13.10 | noarch | linux | < 3.11.0-22.38 | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < 3.13.0-27.50 | UNKNOWN |
ubuntu | 12.04 | noarch | linux-armadaxp | < 3.2.0-1633.47 | UNKNOWN |
ubuntu | 10.04 | noarch | linux-ec2 | < 2.6.32-364.77 | UNKNOWN |
ubuntu | 12.04 | noarch | linux-lts-quantal | < 3.5.0-51.76~precise1 | UNKNOWN |
ubuntu | 12.04 | noarch | linux-lts-raring | < 3.8.0-41.60~precise1 | UNKNOWN |
ubuntu | 12.04 | noarch | linux-lts-saucy | < 3.11.0-22.38~precise1 | UNKNOWN |
ubuntu | 12.04 | noarch | linux-lts-trusty | < 3.13.0-27.50~precise1 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2014-1737
nvd.nist.gov/vuln/detail/CVE-2014-1737
security-tracker.debian.org/tracker/CVE-2014-1737
ubuntu.com/security/notices/USN-2219-1
ubuntu.com/security/notices/USN-2220-1
ubuntu.com/security/notices/USN-2221-1
ubuntu.com/security/notices/USN-2223-1
ubuntu.com/security/notices/USN-2224-1
ubuntu.com/security/notices/USN-2225-1
ubuntu.com/security/notices/USN-2226-1
ubuntu.com/security/notices/USN-2227-1
ubuntu.com/security/notices/USN-2228-1
ubuntu.com/security/notices/USN-2260-1
www.cve.org/CVERecord?id=CVE-2014-1737