Linux Kernel 3.14.3 /dev/fd gain privileges

05-12-2014, 08:26 PM #1
the nightmare (TeaM MaDLeeTs)
Posts:301 Threads:49 Joined:Apr 2014 Reputation: 8
Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the
in-kernel version is always valid and never left in an indeterminate state.

drivers/block/floppy.c 6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 8f5565b..12251a6 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3121,10 +3121,11 @@ loop:
return -ENOMEM;
*rcmd = ptr;
ret = copy_from_user(ptr, param, sizeof(*ptr));
- if (ret)
- return -EFAULT;
ptr->next = NULL;
ptr->buffer_length = 0;
+ ptr->kernel_data = NULL;
+ if (ret)
+ return -EFAULT;
param += sizeof(struct floppy_raw_cmd);
if (ptr->cmd_count > 33)
/* the command may now also take up the space
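Review bot: the ordering change is the substance of this hunk, not the added assignment. `*rcmd = ptr;` is executed before `copy_from_user()`, so when the copy fails the freshly allocated `ptr` is already linked into the caller's chain and the early `return -EFAULT` used to leave `ptr->next`, `ptr->buffer_length` and `ptr->kernel_data` holding whatever bytes the partial copy wrote (`kernel_data` was only cleared further down, past the error return). Moving the `if (ret) return -EFAULT;` below the three clears closes that window; a one-line comment above the clears ("sanitize before the error return: *rcmd already points here") would make the ordering constraint survive future refactoring, since nothing else in the hunk signals that the position of the check matters.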
@@ -3140,7 +3141,6 @@ loop:
for (i = 0; i < 16; i++)
ptr->reply[i] = 0;
ptr->resultcode = 0;
- ptr->kernel_data = NULL;

if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
if (ptr->length <= 0)
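Review bot: removing `ptr->kernel_data = NULL;` here is correct only because the same clear now happens in the first hunk before the `copy_from_user()` error return; on its own, this deletion would leave `kernel_data` uninitialised on the success path. Worth stating that dependency in the commit message, since the two hunks are about 20 lines apart and a partial backport that takes only this hunk would reintroduce the stale-pointer state. The surrounding `reply[]` and `resultcode` resets remain after the error return, which is harmless for them as they are not pointers, but the diffstat (3 insertions, 3 deletions) confirms nothing else was moved.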
10-11-2014, 03:09 AM #2
gujjar(pcp) (MadLeets V.I.P)
Posts:177 Threads:46 Joined:Aug 2012 Reputation: 3
Any POC for this bro?