CVE-2014-1737, CVE-2014-1738 kernel: floppy: ignore kernel-only members in FDRAWCMD
This document (7015062) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
The second critical issue reported as CVE-2014-1738 is linked to the above one.
In raw_cmd_copyout, the entire floppy_raw_cmd structure is copy_to_user'd back to userspace after raw_command processing. A malicious user can send a FDRAWCMD ioctl with the FD_RAW_MORE flag set and, upon inspecting the result in the command argument, find the address of the last floppy_raw_cmd allocation on the kmalloc_nnn slab.
The combination of both issues does give different possibilities to exploit the vulnerabilities of kfree of any desired object, and the leak of the address of a temporary kmalloc() allocation.
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7015062
- Creation Date: 15-May-2014
- Modified Date:03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: firstname.lastname@example.org