From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
Karsten Keil <isdn@linux-pingi.de>,
Kees Cook <keescook@chromium.org>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.18 28/35] isdn: Disable IIOCDBGVAR
Date: Tue, 21 Aug 2018 08:20:54 +0200 [thread overview]
Message-ID: <20180821055021.198402339@linuxfoundation.org> (raw)
In-Reply-To: <20180821055019.954904905@linuxfoundation.org>
4.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 5e22002aa8809e2efab2da95855f73f63e14a36c ]
It was possible to directly leak the kernel address where the isdn_dev
structure pointer was stored. This is a kernel ASLR bypass for anyone
with access to the ioctl. The code had been present since the beginning
of git history, though this shouldn't ever be needed for normal operation,
therefore remove it.
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Karsten Keil <isdn@linux-pingi.de>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/isdn/i4l/isdn_common.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/drivers/isdn/i4l/isdn_common.c
+++ b/drivers/isdn/i4l/isdn_common.c
@@ -1640,13 +1640,7 @@ isdn_ioctl(struct file *file, uint cmd,
} else
return -EINVAL;
case IIOCDBGVAR:
- if (arg) {
- if (copy_to_user(argp, &dev, sizeof(ulong)))
- return -EFAULT;
- return 0;
- } else
- return -EINVAL;
- break;
+ return -EINVAL;
default:
if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
next prev parent reply other threads:[~2018-08-21 6:20 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-21 6:20 [PATCH 4.18 00/35] 4.18.4-stable review Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 01/35] l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 02/35] net_sched: fix NULL pointer dereference when delete tcindex filter Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 03/35] net_sched: Fix missing res info when create new tc_index filter Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 04/35] r8169: dont use MSI-X on RTL8168g Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 05/35] ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 06/35] ALSA: hda - Turn CX8200 into D3 as well upon reboot Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 07/35] ALSA: vx222: Fix invalid endian conversions Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 08/35] ALSA: virmidi: Fix too long output trigger loop Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 09/35] ALSA: cs5535audio: Fix invalid endian conversion Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 10/35] ALSA: dice: fix wrong copy to rx parameters for Alesis iO26 Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 11/35] ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 12/35] ALSA: memalloc: Dont exceed over the requested size Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 13/35] ALSA: vxpocket: Fix invalid endian conversions Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 14/35] ALSA: seq: Fix poll() error return Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 16/35] USB: serial: sierra: fix potential deadlock at close Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 17/35] USB: serial: pl2303: add a new device id for ATEN Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 18/35] USB: option: add support for DW5821e Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 19/35] ACPI / PM: save NVS memory for ASUS 1025C laptop Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 20/35] tty: serial: 8250: Revert NXP SC16C2552 workaround Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 21/35] serial: 8250_exar: Read INT0 from slave device, too Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 22/35] serial: 8250_dw: always set baud rate in dw8250_set_termios Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 23/35] serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 24/35] uio: fix wrong return value from uio_mmap() Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 25/35] misc: sram: fix resource leaks in probe error path Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 26/35] Revert "uio: use request_threaded_irq instead" Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 27/35] Bluetooth: avoid killing an already killed socket Greg Kroah-Hartman
2018-08-21 6:20 ` Greg Kroah-Hartman [this message]
2018-08-21 6:20 ` [PATCH 4.18 29/35] net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 30/35] hv/netvsc: Fix NULL dereference at single queue mode fallback Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 31/35] r8169: dont use MSI-X on RTL8106e Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 32/35] ip_vti: fix a null pointer deferrence when create vti fallback tunnel Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 33/35] net: ethernet: mvneta: Fix napi structure mixup on armada 3700 Greg Kroah-Hartman
2018-08-21 6:21 ` [PATCH 4.18 34/35] net: mvneta: fix mvneta_config_rss " Greg Kroah-Hartman
2018-08-21 6:21 ` [PATCH 4.18 35/35] cls_matchall: fix tcf_unbind_filter missing Greg Kroah-Hartman
2018-08-21 14:59 ` [PATCH 4.18 00/35] 4.18.4-stable review Guenter Roeck
2018-08-21 20:02 ` Greg Kroah-Hartman
2018-08-21 18:03 ` Naresh Kamboju
2018-08-21 20:03 ` Greg Kroah-Hartman
2018-08-21 19:43 ` Shuah Khan
2018-08-21 20:03 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180821055021.198402339@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=isdn@linux-pingi.de \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).