[Hardy] [CVE-2010-4074] [Patch 1/1] USB: serial/mos*: prevent reading uninitialized stack memory

Tim Gardner tim.gardner at canonical.com
Tue Jan 25 15:05:12 UTC 2011


On 01/24/2011 11:57 AM, Brad Figg wrote:
> From: Dan Rosenberg<drosenberg at vsecurity.com>
>
> CVE-2010-4074
>
> BugLink: http://bugs.launchpad.net/bugs/706149
>
> The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
> unprivileged users to read uninitialized stack memory, because the
> "reserved" member of the serial_icounter_struct struct declared on the
> stack is not altered or zeroed before being copied back to the user.
> This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg<dan.j.rosenberg at gmail.com>
> Cc: stable<stable at kernel.org>
> Signed-off-by: Greg Kroah-Hartman<gregkh at suse.de>
> Signed-off-by: Brad Figg<brad.figg at canonical.com>
> ---
>   drivers/usb/serial/mos7720.c |    3 +++
>   drivers/usb/serial/mos7840.c |    3 +++
>   2 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
> index e02c198..ddefce5 100644
> --- a/drivers/usb/serial/mos7720.c
> +++ b/drivers/usb/serial/mos7720.c
> @@ -1487,6 +1487,9 @@ static int mos7720_ioctl(struct usb_serial_port *port, struct file *file,
>
>   	case TIOCGICOUNT:
>   		cnow = mos7720_port->icount;
> +
> +		memset(&icount, 0, sizeof(struct serial_icounter_struct));
> +
>   		icount.cts = cnow.cts;
>   		icount.dsr = cnow.dsr;
>   		icount.rng = cnow.rng;
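Review bot: The memset is correctly placed after `cnow = mos7720_port->icount;` and before the `icount.cts = cnow.cts;` assignments, so the explicitly copied counters survive and only the `reserved` member (plus any padding) reaches userspace as zeros; had it been placed after the copies it would have wiped them. Minor style point: `sizeof(icount)` would be preferable to `sizeof(struct serial_icounter_struct)`, since it cannot drift if the local's type changes, and zero-initialising at the declaration (`struct serial_icounter_struct icount = {};`) would remove the need for the call altogether; the declaration is outside this hunk, so either is acceptable as shown.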
> diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
> index c29c912..dd1ccdd 100644
> --- a/drivers/usb/serial/mos7840.c
> +++ b/drivers/usb/serial/mos7840.c
> @@ -2433,6 +2433,9 @@ static int mos7840_ioctl(struct usb_serial_port *port, struct file *file,
>   	case TIOCGICOUNT:
>   		cnow = mos7840_port->icount;
>   		smp_rmb();
> +
> +		memset(&icount, 0, sizeof(struct serial_icounter_struct));
> +
>   		icount.cts = cnow.cts;
>   		icount.dsr = cnow.dsr;
>   		icount.rng = cnow.rng;
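Review bot: Same fix as the mos7720 hunk and the same ordering concern applies; here the memset sits after `smp_rmb();`, which is fine because the barrier orders the read of `cnow` and the memset touches only the local `icount`. As above, `sizeof(icount)` would be the safer spelling, and since the two hunks are byte-for-byte identical, both drivers now rely on every field of `serial_icounter_struct` being either copied from `cnow` or zeroed by this call, so any future field added to the struct is covered without further edits.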

Applied and pushed with minor commit log edits. The advantage of adding
the CVE number to the commit subject is that it then automatically shows
up in the changelog. On the Cc: stable line I added the oldest kernel to
which this patch was backported, e.g., 2.6.32.22.

rtg
-- 
Tim Gardner tim.gardner at canonical.com