linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] isdn: Disable IIOCDBGVAR
@ 2018-08-15 19:14 Kees Cook
  2018-08-16 19:26 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2018-08-15 19:14 UTC (permalink / raw)
  To: David S. Miller; +Cc: Al Viro, Karsten Keil, linux-kernel, netdev

It was possible to directly leak the kernel address where the isdn_dev
structure pointer was stored. This is a kernel ASLR bypass for anyone
with access to the ioctl. The code had been present since the beginning
of git history, though this shouldn't ever be needed for normal operation,
therefore remove it.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Karsten Keil <isdn@linux-pingi.de>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
netdev doesn't like explict stable markings, so I'll just ask here that it
get included in -stable please. :)
---
 drivers/isdn/i4l/isdn_common.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
index 7a501dbe7123..6a5b3f00f9ad 100644
--- a/drivers/isdn/i4l/isdn_common.c
+++ b/drivers/isdn/i4l/isdn_common.c
@@ -1640,13 +1640,7 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg)
 			} else
 				return -EINVAL;
 		case IIOCDBGVAR:
-			if (arg) {
-				if (copy_to_user(argp, &dev, sizeof(ulong)))
-					return -EFAULT;
-				return 0;
-			} else
-				return -EINVAL;
-			break;
+			return -EINVAL;
 		default:
 			if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
 				cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
-- 
2.17.1


-- 
Kees Cook
Pixel Security

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] isdn: Disable IIOCDBGVAR
  2018-08-15 19:14 [PATCH] isdn: Disable IIOCDBGVAR Kees Cook
@ 2018-08-16 19:26 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2018-08-16 19:26 UTC (permalink / raw)
  To: keescook; +Cc: viro, isdn, linux-kernel, netdev

From: Kees Cook <keescook@chromium.org>
Date: Wed, 15 Aug 2018 12:14:05 -0700

> It was possible to directly leak the kernel address where the isdn_dev
> structure pointer was stored. This is a kernel ASLR bypass for anyone
> with access to the ioctl. The code had been present since the beginning
> of git history, though this shouldn't ever be needed for normal operation,
> therefore remove it.
> 
> Reported-by: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Karsten Keil <isdn@linux-pingi.de>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> netdev doesn't like explict stable markings, so I'll just ask here that it
> get included in -stable please. :)

Applied and queued up for -stable, thanks :)

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2018-08-16 19:26 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-15 19:14 [PATCH] isdn: Disable IIOCDBGVAR Kees Cook
2018-08-16 19:26 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).