[Karmic] [CVE-2010-4074] [PATCH 1/1] USB: serial/mos*: prevent reading uninitialized stack memory
Brad Figg
brad.figg at canonical.com
Mon Jan 24 18:57:18 UTC 2011
From: Dan Rosenberg <drosenberg at vsecurity.com>
CVE-2010-4074
BugLink: http://bugs.launchpad.net/bugs/706149
The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory, because the
"reserved" member of the serial_icounter_struct struct declared on the
stack is not altered or zeroed before being copied back to the user.
This patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
Cc: stable <stable at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
Signed-off-by: Brad Figg <brad.figg at canonical.com>
---
drivers/usb/serial/mos7720.c | 3 +++
drivers/usb/serial/mos7840.c | 3 +++
2 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index ccd4dd3..6571077 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1431,6 +1431,9 @@ static int mos7720_ioctl(struct tty_struct *tty, struct file *file,
case TIOCGICOUNT:
cnow = mos7720_port->icount;
+
+ memset(&icount, 0, sizeof(struct serial_icounter_struct));
+
icount.cts = cnow.cts;
icount.dsr = cnow.dsr;
icount.rng = cnow.rng;
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index 270009a..879bacb 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -2357,6 +2357,9 @@ static int mos7840_ioctl(struct tty_struct *tty, struct file *file,
case TIOCGICOUNT:
cnow = mos7840_port->icount;
smp_rmb();
+
+ memset(&icount, 0, sizeof(struct serial_icounter_struct));
+
icount.cts = cnow.cts;
icount.dsr = cnow.dsr;
icount.rng = cnow.rng;
--
1.7.0.4
More information about the kernel-team
mailing list