PT-2014-1007 · Linux · Linux Kernel
Published
2014-05-09
·
Updated
2023-10-03
·
CVE-2014-1737
CVSS v2.0
7.2
High
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel versions through 3.14.3
Description
The vulnerability is in the raw_cmd_copyin() function in drivers/block/floppy.c, which does not properly handle error conditions while processing an FDRAWCMD ioctl. The function kmalloc()s a struct floppy_raw_cmd, stores the allocation in its *rcmd output argument, and only then fills the structure with copy_from_user(). If that copy fails, the function returns -EFAULT early, but the caller already holds, via *rcmd, a pointer to a structure whose kernel-only members (kernel_data, next and buffer_length) were never reset: they still contain whatever bytes were copied from user space before the fault. The error path in raw_cmd_ioctl() then hands that structure to raw_cmd_free(), which treats it as fully initialised, releasing kernel_data with fd_dma_mem_free() when buffer_length is non-zero and walking the next chain with kfree(). A local user with write access to a /dev/fd device can issue an FDRAWCMD ioctl whose argument structure has its trailing bytes in an inaccessible page, so that copy_from_user() fails only after the kernel-only members have been populated with attacker-chosen values. The result is a free of attacker-controlled kernel addresses, which can be turned into privilege escalation.
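The error path described above, reduced to a user-space model so it can be run and compared against the corrected ordering (this is added illustration, not the kernel's own code or the advisory's). It keeps the kernel-only members of struct floppy_raw_cmd in their real relative order but drops most other fields, replaces copy_from_user() with a stand-in that faults after a chosen number of bytes (fake_copy_from_user and g_fault_at are constructed names), and logs what raw_cmd_free() would pass to fd_dma_mem_free() and kfree() instead of freeing arbitrary addresses. The attacker values 0x41414141/0x42424242 are constructed input.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Trimmed model of struct floppy_raw_cmd: the kernel-only members
 * kernel_data, next and buffer_length precede the command bytes, so a
 * copy that faults late has already filled them from user memory. */
struct floppy_raw_cmd {
    unsigned int flags;
    void *data;                   /* user buffer */
    char *kernel_data;            /* kernel-only: DMA bounce buffer */
    struct floppy_raw_cmd *next;  /* kernel-only: chained command */
    long length;
    int buffer_length;            /* kernel-only: size of kernel_data */
    unsigned char rate;
    unsigned char cmd_count;
    unsigned char cmd[16];
};

/* Stand-in for copy_from_user(): copies at most g_fault_at bytes, then acts
 * as if the next user page were unmapped. Returns bytes NOT copied. */
static unsigned long g_fault_at;
static unsigned long fake_copy_from_user(void *to, const void *from, unsigned long n)
{
    unsigned long ok = n < g_fault_at ? n : g_fault_at;
    memcpy(to, from, ok);
    return n - ok;
}

/* What raw_cmd_free() would hand to fd_dma_mem_free() and kfree(). */
struct free_log {
    void *dma_buf;   /* kernel_data passed to fd_dma_mem_free(), or NULL */
    void *next_cmd;  /* "next" the free loop would kfree() afterwards, or NULL */
};

/* First iteration of the kernel's raw_cmd_free() loop, recording instead of
 * freeing: with attacker-chosen pointers the real one frees arbitrary memory. */
static void model_raw_cmd_free(struct floppy_raw_cmd **ptr, struct free_log *log)
{
    struct floppy_raw_cmd *cur = *ptr;
    *ptr = NULL;
    log->dma_buf = NULL;
    log->next_cmd = NULL;
    if (!cur)
        return;
    if (cur->buffer_length)            /* fd_dma_mem_free(kernel_data, buffer_length) */
        log->dma_buf = cur->kernel_data;
    log->next_cmd = cur->next;         /* loop continues with, and kfree()s, this */
    free(cur);                         /* kfree(cur) */
}

/* Pre-3.14.4 shape: -EFAULT is returned before the kernel-only members are reset. */
static int vuln_raw_cmd_copyin(const void *param, struct floppy_raw_cmd **rcmd)
{
    struct floppy_raw_cmd *ptr = malloc(sizeof(*ptr));   /* kmalloc(GFP_USER) */
    *rcmd = NULL;
    if (!ptr)
        return -ENOMEM;
    *rcmd = ptr;
    if (fake_copy_from_user(ptr, param, sizeof(*ptr)))
        return -EFAULT;   /* *rcmd now points at a struct full of user bytes */
    ptr->next = NULL;
    ptr->buffer_length = 0;
    ptr->kernel_data = NULL;
    return 0;
}

/* Corrected ordering: the kernel-only members are cleared before the return value is checked. */
static int fixed_raw_cmd_copyin(const void *param, struct floppy_raw_cmd **rcmd)
{
    struct floppy_raw_cmd *ptr = malloc(sizeof(*ptr));
    int ret;
    *rcmd = NULL;
    if (!ptr)
        return -ENOMEM;
    *rcmd = ptr;
    ret = fake_copy_from_user(ptr, param, sizeof(*ptr));
    ptr->next = NULL;
    ptr->buffer_length = 0;
    ptr->kernel_data = NULL;
    if (ret)
        return -EFAULT;   /* raw_cmd_free() now sees an empty command */
    return 0;
}

typedef int (*copyin_fn)(const void *, struct floppy_raw_cmd **);

/* One FDRAWCMD "ioctl": copy the constructed user structure in, then free it the
 * way raw_cmd_ioctl() does. fault_at = sizeof(struct) means the copy succeeds. */
static int run_fdrawcmd(copyin_fn copyin, unsigned long fault_at, struct free_log *log)
{
    struct floppy_raw_cmd user_cmd;
    struct floppy_raw_cmd *my_raw_cmd = NULL;
    int ret;
    memset(&user_cmd, 0, sizeof(user_cmd));
    user_cmd.kernel_data = (char *)(uintptr_t)0x41414141;             /* attacker-chosen */
    user_cmd.next = (struct floppy_raw_cmd *)(uintptr_t)0x42424242;   /* attacker-chosen */
    user_cmd.buffer_length = 0x1000;       /* non-zero so the free path uses kernel_data */
    g_fault_at = fault_at;
    ret = copyin(&user_cmd, &my_raw_cmd);
    model_raw_cmd_free(&my_raw_cmd, log);
    return ret;
}

int main(void)
{
    struct free_log log;
    unsigned long late = offsetof(struct floppy_raw_cmd, rate); /* fault right after buffer_length */
    int ret = run_fdrawcmd(vuln_raw_cmd_copyin, late, &log);
    printf("vulnerable: ret=%d dma_buf=%p next=%p\n", ret, log.dma_buf, log.next_cmd);
    ret = run_fdrawcmd(fixed_raw_cmd_copyin, late, &log);
    printf("fixed:      ret=%d dma_buf=%p next=%p\n", ret, log.dma_buf, log.next_cmd);
    return 0;
}
```

With the fault placed just after buffer_length, the vulnerable ordering reports the attacker's two pointers as the arguments the free path would use, while the corrected ordering reports NULL for both; when the copy succeeds, both variants reset the members before any use and behave identically.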
Recommendations
Update to Linux kernel 3.14.4 or later, or to a distribution kernel that carries the fix for CVE-2014-1737. Until the kernel can be updated, reduce the attack surface rather than trying to "use the ioctl safely": the attacker supplies the FDRAWCMD argument, so the only effective workaround is to keep unprivileged users away from the entry point. The vulnerable code is reachable only through a /dev/fd* device node and requires write access to it, so remove write permission for unprivileged users (on most distributions the nodes are owned by root and a dedicated floppy group, so group membership is what grants access). If the system has no floppy hardware, unload the floppy module and blacklist it so the device nodes are never created.
Fix
Fixed upstream in Linux 3.14.4 (commit "floppy: ignore kernel-only members in FDRAWCMD ioctl input"): raw_cmd_copyin() now clears next, buffer_length and kernel_data immediately after copy_from_user(), before checking its return value, so a failed copy leaves an empty command for raw_cmd_free() to release.
Weakness
CWE-754: Improper Check for Exceptional Conditions
Affected Products
ALT Linux
CentOS
Linux Kernel
Red Hat
SUSE
Ubuntu