CVE-2014-1737

The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel
through 3.14.3 does not properly handle error conditions during processing
of an FDRAWCMD ioctl call, which allows local users to trigger kfree
operations and gain privileges by leveraging write access to a /dev/fd
device.
First, raw_cmd_ioctl calls raw_cmd_copyin. This function kmallocs
space for a floppy_raw_cmd structure and stores the resulting
allocation in the “rcmd” pointer argument. It then attempts to
copy_from_user the structure from userspace. If this fails, an early
EFAULT return is taken.
The problem is that even if the early return is taken, the pointer to
the non-/partially-initialized floppy_raw_cmd structure has already
been returned via the “rcmd” pointer. Back out in raw_cmd_ioctl, it
attempts to raw_cmd_free this pointer.
raw_cmd_free attempts to free any DMA pages allocated for the raw
command, kfrees the raw command structure itself, and follows the
linked list, if any, of further raw commands (a user can specify the
FD_RAW_MORE flag to signal that there are more raw commands to follow
in a single FDRAWCMD ioctl).
So, a malicious user can send a FDRAWCMD ioctl with a raw command
argument structure that has some bytes inaccessible (ie. off the end
of an allocated page). The copy_from_user will fail but raw_cmd_free
will attempt to process the floppy_raw_cmd as if it had been fully
initialized by the rest of raw_cmd_copyin. The user can control the
arguments passed to fd_dma_mem_free and kfree (by making use of the
linked-list feature and specifying the target address as a
next-in-list structure).

Bugs

• <https://launchpad.net/bugs/1316729&gt;

Notes