Bug 1553216 (CVE-2018-7755)

Summary: CVE-2018-7755 kernel: Information exposure in fd_locked_ioctl function in drivers/block/floppy.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, joe.lawrence, john.j5live, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, mmezynsk, nmurray, plougher, pmatouse, rt-maint, rvrbovsk, skozina, slawomir, steved, vdronov, williams, yozone
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-08 16:01:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1553217, 1555356, 1555419, 1555420, 1555421    
Bug Blocks: 1553219    

Description Pedro Sampaio 2018-03-08 14:18:18 UTC 
An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.

References:

https://lkml.org/lkml/2018/3/7/1116

https://marc.info/?l=linux-kernel&m=152046737321740&w=2
Comment 1 Pedro Sampaio 2018-03-08 14:19:39 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1553217]
Comment 9 errata-xmlrpc 2019-08-06 12:03:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029
Comment 10 errata-xmlrpc 2019-08-06 12:06:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043