[Karmic] [CVE-2010-4074] [PATCH 1/1] USB: serial/mos*: prevent reading uninitialized stack memory

Tim Gardner tim.gardner at canonical.com
Mon Jan 24 20:00:20 UTC 2011


On 01/24/2011 11:57 AM, Brad Figg wrote:
> From: Dan Rosenberg<drosenberg at vsecurity.com>
>
> CVE-2010-4074
>
> BugLink: http://bugs.launchpad.net/bugs/706149
>
> The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
> unprivileged users to read uninitialized stack memory, because the
> "reserved" member of the serial_icounter_struct struct declared on the
> stack is not altered or zeroed before being copied back to the user.
> This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg<dan.j.rosenberg at gmail.com>
> Cc: stable<stable at kernel.org>
> Signed-off-by: Greg Kroah-Hartman<gregkh at suse.de>
> Signed-off-by: Brad Figg<brad.figg at canonical.com>
> ---
>   drivers/usb/serial/mos7720.c |    3 +++
>   drivers/usb/serial/mos7840.c |    3 +++
>   2 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
> index ccd4dd3..6571077 100644
> --- a/drivers/usb/serial/mos7720.c
> +++ b/drivers/usb/serial/mos7720.c
> @@ -1431,6 +1431,9 @@ static int mos7720_ioctl(struct tty_struct *tty, struct file *file,
>
>   	case TIOCGICOUNT:
>   		cnow = mos7720_port->icount;
> +
> +		memset(&icount, 0, sizeof(struct serial_icounter_struct));
> +
>   		icount.cts = cnow.cts;
>   		icount.dsr = cnow.dsr;
>   		icount.rng = cnow.rng;
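Review bot: the added `memset(&icount, 0, sizeof(struct serial_icounter_struct));` would read more robustly as `memset(&icount, 0, sizeof(icount));`, so the cleared size follows the variable rather than a retyped type name; placement is otherwise right, sitting after `cnow = mos7720_port->icount;` and before the first `icount.cts = cnow.cts;`, so every named counter is still filled after zeroing and only the never-assigned `reserved` member ends up cleared instead of carrying stale stack bytes to user space.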
> diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
> index 270009a..879bacb 100644
> --- a/drivers/usb/serial/mos7840.c
> +++ b/drivers/usb/serial/mos7840.c
> @@ -2357,6 +2357,9 @@ static int mos7840_ioctl(struct tty_struct *tty, struct file *file,
>   	case TIOCGICOUNT:
>   		cnow = mos7840_port->icount;
>   		smp_rmb();
> +
> +		memset(&icount, 0, sizeof(struct serial_icounter_struct));
> +
>   		icount.cts = cnow.cts;
>   		icount.dsr = cnow.dsr;
>   		icount.rng = cnow.rng;
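Review bot: same style point as in mos7720.c, `sizeof(icount)` rather than `sizeof(struct serial_icounter_struct)` on the added memset line; the zeroing is correctly placed after `smp_rmb();` and before `icount.cts = cnow.cts;`. Note that this file reads the counters under an `smp_rmb()` while the mos7720.c hunk above has no barrier between `cnow = mos7720_port->icount;` and the copy; that is outside the scope of this CVE fix but is worth a follow-up if the same ordering concern applies to both drivers.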

I'd like to see the upstream commit from which this patch was either 
cherry-picked or backported in the commit log. It's also of interest to 
know if it was actually accepted into one or more stable kernels. That 
provides some assurance that the patch has passed by some maintainer 
eyeballs. Otherwise,

Acked-by: Tim Gardner <tim.gardner at canonical.com>

-- 
Tim Gardner tim.gardner at canonical.com
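The leak pattern the commit message describes, shown as an added example that is not part of this patch or of the mos7720/mos7840 drivers: `struct icounter` mirrors the layout of `struct serial_icounter_struct` as assumed from linux/serial.h, `struct port_counts` is a constructed stand-in for `mos7720_port->icount`, and a 0xAA fill stands in for whatever the stack held before the ioctl ran.

```c
#include <stddef.h>
#include <string.h>

/* Mirror of struct serial_icounter_struct (assumed from linux/serial.h):
 * eleven named counters followed by int reserved[9]. */
struct icounter {
    int cts, dsr, rng, dcd, rx, tx;
    int frame, overrun, parity, brk, buf_overrun;
    int reserved[9];
};
/* Constructed stand-in for the per-port counters (mos7720_port->icount). */
struct port_counts { int cts, dsr, rng, dcd, rx, tx, frame, overrun, parity, brk, buf_overrun; };

static void copy_named_fields(struct icounter *ic, const struct port_counts *c)
{
    ic->cts = c->cts;       ic->dsr = c->dsr;           ic->rng = c->rng;
    ic->dcd = c->dcd;       ic->rx = c->rx;             ic->tx = c->tx;
    ic->frame = c->frame;   ic->overrun = c->overrun;   ic->parity = c->parity;
    ic->brk = c->brk;       ic->buf_overrun = c->buf_overrun;
}

/* Pre-patch TIOCGICOUNT handler: reserved[] is never written, so whatever the
 * stack held before the call is returned to the user along with the counters. */
static void ioctl_vulnerable(struct icounter *out, const struct port_counts *c)
{
    copy_named_fields(out, c);
}

/* Patched handler: zero the whole struct first, then fill the named fields.
 * sizeof *out tracks the variable's type instead of a retyped struct name. */
static void ioctl_fixed(struct icounter *out, const struct port_counts *c)
{
    memset(out, 0, sizeof *out);
    copy_named_fields(out, c);
}

/* Run one handler on a struct pre-filled with 0xAA (a deterministic stand-in
 * for stale stack contents) and return how many bytes of reserved[] still
 * carry that pattern, i.e. how many bytes would reach user space unzeroed. */
size_t leaked_reserved_bytes(int patched)
{
    struct port_counts c = { .cts = 3, .rx = 1200, .tx = 800 };
    struct icounter ic;
    memset(&ic, 0xAA, sizeof ic);
    if (patched) ioctl_fixed(&ic, &c); else ioctl_vulnerable(&ic, &c);
    const unsigned char *p = (const unsigned char *)ic.reserved;
    size_t n = 0;
    for (size_t i = 0; i < sizeof ic.reserved; i++) n += (p[i] == 0xAA);
    return n;   /* 36 before the patch, 0 after */
}
```

The same reasoning applies to any struct copied out with copy_to_user: fields the handler never assigns, padding included, keep whatever the stack held unless the whole object is zeroed first.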
