Описание
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
A flaw was found in the way the Linux kernel's floppy driver handled user space provided data in certain error code paths while processing FDRAWCMD IOCTL commands. A local user with write access to /dev/fdX could use this flaw to free (using the kfree() function) arbitrary kernel memory. (CVE-2014-1737, Important)
It was found that the Linux kernel's floppy driver leaked internal kernel memory addresses to user space during the processing of the FDRAWCMD IOCTL command. A local user with write access to /dev/fdX could use this flaw to obtain information about the kernel heap arrangement. (CVE-2014-1738, Low)
Note: A local user with write access to /dev/fdX could use these two flaws (CVE-2014-1737 in combination with CVE-2014-1738) to escalate their privileges on the system.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux Extended Update Support 5.6 | kernel | Affected | ||
| Red Hat Enterprise Linux Extended Update Support 6.3 | kernel | Affected | ||
| Red Hat Enterprise Linux 5 | kernel | Fixed | RHSA-2014:0740 | 10.06.2014 |
| Red Hat Enterprise Linux 5.6 Long Life | kernel | Fixed | RHSA-2014:0801 | 26.06.2014 |
| Red Hat Enterprise Linux 5.9 Extended Update Support | kernel | Fixed | RHSA-2014:0772 | 19.06.2014 |
| Red Hat Enterprise Linux 6 | kernel | Fixed | RHSA-2014:0771 | 19.06.2014 |
| Red Hat Enterprise Linux 6.2 Advanced Update Support | kernel | Fixed | RHSA-2014:0800 | 26.06.2014 |
| Red Hat Enterprise Linux 6.4 Extended Update Support | kernel | Fixed | RHSA-2014:0900 | 17.07.2014 |
| Red Hat Enterprise Linux 7 | kernel | Fixed | RHSA-2014:0786 | 24.06.2014 |
| Red Hat Enterprise MRG 2 | kernel-rt | Fixed | RHSA-2014:0557 | 27.05.2014 |
Показывать по
Дополнительная информация
Статус:
6.6 Medium
CVSS2
Связанные уязвимости
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux ker ...
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.
Уязвимость операционной системы Linux, позволяющая злоумышленнику вызвать отказ в обслуживании или повысить свои привилегии
6.6 Medium
CVSS2