Описание
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2014-1737
- https://github.com/torvalds/linux/commit/ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
- https://bugzilla.redhat.com/show_bug.cgi?id=1094299
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
- http://linux.oracle.com/errata/ELSA-2014-0771.html
- http://linux.oracle.com/errata/ELSA-2014-3043.html
- http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00012.html
- http://rhn.redhat.com/errata/RHSA-2014-0800.html
- http://rhn.redhat.com/errata/RHSA-2014-0801.html
- http://secunia.com/advisories/59262
- http://secunia.com/advisories/59309
- http://secunia.com/advisories/59406
- http://secunia.com/advisories/59599
- http://www.debian.org/security/2014/dsa-2926
- http://www.debian.org/security/2014/dsa-2928
- http://www.openwall.com/lists/oss-security/2014/05/09/2
- http://www.securityfocus.com/bid/67300
- http://www.securitytracker.com/id/1030474
Связанные уязвимости
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device. First, raw_cmd_ioctl calls raw_cmd_copyin. This function kmallocs space for a floppy_raw_cmd structure and stores the resulting allocation in the "rcmd" pointer argument. It then attempts to copy_from_user the structure from userspace. If this fails, an early EFAULT return is taken. The problem is that even if the early return is taken, the pointer to the non-/partially-initialized floppy_raw_cmd structure has already been returned via the "rcmd" pointer. Back out in raw_cmd_ioctl, it attempts to raw_cmd_free this pointer. raw_cmd_free attempts to free any DMA pages allocated for the raw command, kfrees the raw command structure itself, and follows the linked list, if any, of further raw com...
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux ker ...
Уязвимость операционной системы Linux, позволяющая злоумышленнику вызвать отказ в обслуживании или повысить свои привилегии