Linux Disabling Raw Access To Floppy Disks "FDRAWCMD" By Default
Earlier this year the Linux floppy disk driver in the 5.17 kernel saw a fix to avoid hanging if trying to read and then eject a broken floppy. Last year was also a Linux floppy fix for a regression that had been around for a half-year before being noticed.
The latest floppy pain is a concurrency use-after-free issue being uncovered within the floppy code when using its raw command ioctl (FDRAWCMD). The FDRAWCMD ioctl is used for sending raw commands to the floppy disk controller. This can be used for dealing with non-standard disks, interacting with copy-protected disks, and other non-standard usage.
This use-after-free vulnerability it turns out has been known for years from previous reports and Kernel Address Sanitizer detection. But not many people care about the floppy disk driver these days. Given the FDRAWCMD is just used for non-standard use-cases, the easiest fix is just disabling that interface by default.
Willy Tarreau commented, "The problem is, this driver tends to break very easily and nowadays, nobody is expected to use FDRAWCMD anyway since it was used to manipulate non-standard formats. The risk of breaking the driver is higher than the risk presented by this race, and accessing the device requires privileges anyway."
So added today to Linux Git is now BLK_DEV_FD_RAWCMD that by default keeps this ioctl disabled unless you need to send raw floppy disk commands in 2022 to your floppy disk controller in which case you can enable it. The ioctl is being considered deprecated and will be removed outright in the future.
This change due to being security in nature was merged today to mainline for Linux 5.18.