[PATCH] isdn: Disable IIOCDBGVAR

From: Kees Cook
Date: Wed Aug 15 2018 - 15:14:12 EST

Next message: Greg Kroah-Hartman: "Re: [PATCH 4.9 000/107] 4.9.120-stable review"
Previous message: Greg Kroah-Hartman: "Re: [PATCH 4.9 000/107] 4.9.120-stable review"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It was possible to directly leak the kernel address where the isdn_dev
structure pointer was stored. This is a kernel ASLR bypass for anyone
with access to the ioctl. The code had been present since the beginning
of git history, though this shouldn't ever be needed for normal operation,
therefore remove it.

Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Karsten Keil <isdn@xxxxxxxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
netdev doesn't like explict stable markings, so I'll just ask here that it
get included in -stable please. :)
---
drivers/isdn/i4l/isdn_common.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
index 7a501dbe7123..6a5b3f00f9ad 100644
--- a/drivers/isdn/i4l/isdn_common.c
+++ b/drivers/isdn/i4l/isdn_common.c
@@ -1640,13 +1640,7 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg)
} else
return -EINVAL;
case IIOCDBGVAR:
- if (arg) {
- if (copy_to_user(argp, &dev, sizeof(ulong)))
- return -EFAULT;
- return 0;
- } else
- return -EINVAL;
- break;
+ return -EINVAL;
default:
if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
--
2.17.1

--
Kees Cook
Pixel Security

Next message: Greg Kroah-Hartman: "Re: [PATCH 4.9 000/107] 4.9.120-stable review"
Previous message: Greg Kroah-Hartman: "Re: [PATCH 4.9 000/107] 4.9.120-stable review"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]