[Hardy] [CVE-2010-4074] [Patch 1/1] USB: serial/mos*: prevent reading uninitialized stack memory

Tim Gardner tim.gardner at canonical.com
Mon Jan 24 20:00:59 UTC 2011


On 01/24/2011 11:57 AM, Brad Figg wrote:
> From: Dan Rosenberg<drosenberg at vsecurity.com>
>
> CVE-2010-4074
>
> BugLink: http://bugs.launchpad.net/bugs/706149
>
> The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
> unprivileged users to read uninitialized stack memory, because the
> "reserved" member of the serial_icounter_struct struct declared on the
> stack is not altered or zeroed before being copied back to the user.
> This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg<dan.j.rosenberg at gmail.com>
> Cc: stable<stable at kernel.org>
> Signed-off-by: Greg Kroah-Hartman<gregkh at suse.de>
> Signed-off-by: Brad Figg<brad.figg at canonical.com>
> ---
>   drivers/usb/serial/mos7720.c |    3 +++
>   drivers/usb/serial/mos7840.c |    3 +++
>   2 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
> index e02c198..ddefce5 100644
> --- a/drivers/usb/serial/mos7720.c
> +++ b/drivers/usb/serial/mos7720.c
> @@ -1487,6 +1487,9 @@ static int mos7720_ioctl(struct usb_serial_port *port, struct file *file,
>
>   	case TIOCGICOUNT:
>   		cnow = mos7720_port->icount;
> +
> +		memset(&icount, 0, sizeof(struct serial_icounter_struct));
> +
>   		icount.cts = cnow.cts;
>   		icount.dsr = cnow.dsr;
>   		icount.rng = cnow.rng;
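Review bot: in the TIOCGICOUNT case of mos7720_ioctl, the memset size is spelled as sizeof(struct serial_icounter_struct) rather than taken from the object being cleared; memset(&icount, 0, sizeof(icount)) stays correct if the declaration of icount ever changes type. Separately, the mos7840 hunk shows an smp_rmb() after the cnow read and no such barrier is visible after cnow = mos7720_port->icount here; worth confirming that difference is intentional, even though it is outside what this patch sets out to fix.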
> diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
> index c29c912..dd1ccdd 100644
> --- a/drivers/usb/serial/mos7840.c
> +++ b/drivers/usb/serial/mos7840.c
> @@ -2433,6 +2433,9 @@ static int mos7840_ioctl(struct usb_serial_port *port, struct file *file,
>   	case TIOCGICOUNT:
>   		cnow = mos7840_port->icount;
>   		smp_rmb();
> +
> +		memset(&icount, 0, sizeof(struct serial_icounter_struct));
> +
>   		icount.cts = cnow.cts;
>   		icount.dsr = cnow.dsr;
>   		icount.rng = cnow.rng;
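Review bot: the added memset in the TIOCGICOUNT case of mos7840_ioctl has no comment, and because the lines after it assign the counters one by one, it can look redundant to a later cleanup. A one-line comment stating that it clears the "reserved" member before the struct is copied back to the user would protect it from being removed.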

Same comment as for Karmic.

Acked-by: Tim Gardner <tim.gardner at canonical.com>
-- 
Tim Gardner tim.gardner at canonical.com
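
The leak described in the commit message can be checked for with a poison-then-fill test. This is an added example, not code from the patch or the kernel: `demo_icounter` is a local stand-in modelled on `serial_icounter_struct`, and `POISON`, `fill_reply` and `stale_bytes` are hypothetical names; it assumes the driver assigns every named counter and nothing else.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in modelled on serial_icounter_struct: counters plus a reserved tail. */
struct demo_icounter {
    int cts, dsr, rng, dcd;
    int rx, tx;
    int frame, overrun, parity, brk;
    int buf_overrun;
    int reserved[9];
};

#define POISON 0xA5 /* constructed marker standing in for stale stack contents */

/* Build the reply field by field, as the ioctl case does.
 * zero_first = 0 models the code before the patch, 1 the patched code. */
static void fill_reply(struct demo_icounter *out,
                       const struct demo_icounter *cnow, int zero_first)
{
    if (zero_first)
        memset(out, 0, sizeof(*out));
    out->cts = cnow->cts;     out->dsr = cnow->dsr;
    out->rng = cnow->rng;     out->dcd = cnow->dcd;
    out->rx = cnow->rx;       out->tx = cnow->tx;
    out->frame = cnow->frame; out->overrun = cnow->overrun;
    out->parity = cnow->parity; out->brk = cnow->brk;
    out->buf_overrun = cnow->buf_overrun;
}

/* Count reply bytes that still hold the poison after filling: these were
 * never written and would reach the user unchanged. */
static size_t stale_bytes(int zero_first)
{
    /* Constructed sample counters; small values so no byte equals POISON. */
    struct demo_icounter cnow = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, {0} };
    struct demo_icounter reply;
    const unsigned char *p = (const unsigned char *)&reply;
    size_t i, n = 0;

    memset(&reply, POISON, sizeof(reply)); /* simulate leftover stack data */
    fill_reply(&reply, &cnow, zero_first);
    for (i = 0; i < sizeof(reply); i++)
        if (p[i] == POISON)
            n++;
    return n;
}

int main(void)
{
    printf("before patch: %zu stale bytes\n", stale_bytes(0));
    printf("after patch:  %zu stale bytes\n", stale_bytes(1));
    return 0;
}
```

The same byte scan also flags compiler padding that field-by-field assignment never touches, which is why clearing the whole object is preferred over zeroing only the reserved member.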



