| From foo@baz Tue Aug 21 07:39:57 CEST 2018 |
| From: Kees Cook <keescook@chromium.org> |
| Date: Wed, 15 Aug 2018 12:14:05 -0700 |
| Subject: isdn: Disable IIOCDBGVAR |
| |
| From: Kees Cook <keescook@chromium.org> |
| |
| [ Upstream commit 5e22002aa8809e2efab2da95855f73f63e14a36c ] |
| |
| It was possible to directly leak the kernel address where the isdn_dev |
| structure pointer was stored. This is a kernel ASLR bypass for anyone |
| with access to the ioctl. The code had been present since the beginning |
| of git history, but it should never be needed for normal operation, |
| so remove it. |
| |
| Reported-by: Al Viro <viro@zeniv.linux.org.uk> |
| Cc: Karsten Keil <isdn@linux-pingi.de> |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/isdn/i4l/isdn_common.c | 8 +------- |
| 1 file changed, 1 insertion(+), 7 deletions(-) |
| |
| --- a/drivers/isdn/i4l/isdn_common.c |
| +++ b/drivers/isdn/i4l/isdn_common.c |
| @@ -1655,13 +1655,7 @@ isdn_ioctl(struct file *file, uint cmd, |
| } else |
| return -EINVAL; |
| case IIOCDBGVAR: |
| - if (arg) { |
| - if (copy_to_user(argp, &dev, sizeof(ulong))) |
| - return -EFAULT; |
| - return 0; |
| - } else |
| - return -EINVAL; |
| - break; |
| + return -EINVAL; |
| default: |
| if ((cmd & IIOCDRVCTL) == IIOCDRVCTL) |
| cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK; |
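Review bot: The retained `case IIOCDBGVAR:` label now holds a bare `return -EINVAL;` with no comment saying why the case is kept instead of being deleted outright, and a later cleanup that folds it into `default:` would send the command down the `IIOCDRVCTL` driver-dispatch path visible at the end of the hunk rather than rejecting it. Suggest a short comment above the return, e.g. `/* IIOCDBGVAR used to copy a kernel address to userspace; reject it explicitly so it never reaches the driver-ioctl dispatch in default: */`. If the ioctl number is still published in the UAPI header (not visible here), that header would also benefit from a one-line "no longer supported" note so userspace authors do not expect a value back. The enclosing isdn_ioctl() begins and ends outside this hunk.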