CVE-2014-1737, CVE-2014-1738 kernel: floppy: ignore kernel-only members in FDRAWCMD

This document (7015062) is provided subject to the disclaimer at the end of this document.

Environment


SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

Situation

The first issue is a critical security issue reported as CVE-2014-1737. In this one, a malicious user can send a FDRAWCMD ioctl with a raw command argument that has some bytes inaccessible, e.g. off the end of an allocated page. The copy_from_user will fail, but the raw_cmd_free will attempt to process the floppy_raw_cmd as if it had been fully initialized by the rest of raw_cmd_copyin. The user can control the arguments passed to fd_dma_mem_free nd kfree (by making use of the linked_list feature and specifying the target address as next_in_list structure). 

The second critical issue reported as CVE-2014-1738 is linked to the above one.
In raw_cmd_copyout, the entire floppy_raw_cmd structure is copy_to_user'd back to userspace after raw_command processing. A malicious user can send a FDRAWCMD ioctl with the FD_RAW_MORE flag set and, upon inspecting the result in the command argument, find the address of the last floppy_raw_cmd allocation on the kmalloc_nnn slab.

The combination of both issues does give different possibilities to exploit the vulnerabilities of kfree of any desired object, and the leak of the address of a temporary kmalloc() allocation. 

Resolution

The fixes for both issues are available and have been published. Update the kernel to the current version, or at least to 3.0.101-0.29.1 by using the usual update channels. 

Cause


Additional Information


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7015062
  • Creation Date: 15-May-2014
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center