[Karmic] [CVE-2010-4074] [PATCH 1/1] USB: serial/mos*: prevent reading uninitialized stack memory
Stefan Bader
stefan.bader at canonical.com
Tue Jan 25 10:48:41 UTC 2011
On 01/24/2011 07:57 PM, Brad Figg wrote:
> From: Dan Rosenberg <drosenberg at vsecurity.com>
>
> CVE-2010-4074
>
> BugLink: http://bugs.launchpad.net/bugs/706149
>
> The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
> unprivileged users to read uninitialized stack memory, because the
> "reserved" member of the serial_icounter_struct struct declared on the
> stack is not altered or zeroed before being copied back to the user.
> This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
> Cc: stable <stable at kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
> Signed-off-by: Brad Figg <brad.figg at canonical.com>
Comments like Hardy version
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> drivers/usb/serial/mos7720.c | 3 +++
> drivers/usb/serial/mos7840.c | 3 +++
> 2 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
> index ccd4dd3..6571077 100644
> --- a/drivers/usb/serial/mos7720.c
> +++ b/drivers/usb/serial/mos7720.c
> @@ -1431,6 +1431,9 @@ static int mos7720_ioctl(struct tty_struct *tty, struct file *file,
>
> case TIOCGICOUNT:
> cnow = mos7720_port->icount;
> +
> + memset(&icount, 0, sizeof(struct serial_icounter_struct));
> +
> icount.cts = cnow.cts;
> icount.dsr = cnow.dsr;
> icount.rng = cnow.rng;
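Review bot: the added memset in the TIOCGICOUNT case takes its length from the type name, `sizeof(struct serial_icounter_struct)`, rather than from the object being cleared. Writing it as `memset(&icount, 0, sizeof(icount));` keeps the size tied to the variable if its declaration ever changes, and zeroing the whole struct before the field copies is the right scope since it covers the "reserved" member the commit message names as well as anything else not assigned below.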
> diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
> index 270009a..879bacb 100644
> --- a/drivers/usb/serial/mos7840.c
> +++ b/drivers/usb/serial/mos7840.c
> @@ -2357,6 +2357,9 @@ static int mos7840_ioctl(struct tty_struct *tty, struct file *file,
> case TIOCGICOUNT:
> cnow = mos7840_port->icount;
> smp_rmb();
> +
> + memset(&icount, 0, sizeof(struct serial_icounter_struct));
> +
> icount.cts = cnow.cts;
> icount.dsr = cnow.dsr;
> icount.rng = cnow.rng;
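Review bot: nothing at the memset added after `smp_rmb();` says why the struct is cleared just before every counter is assigned from cnow, so it reads as redundant and is easy to drop in a later cleanup. A one-line comment above it stating that the "reserved" member is otherwise copied to user space uninitialized would document the intent. The same `sizeof(icount)` form suggested for mos7720.c applies here too.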