[Karmic] [CVE-2010-4074] [PATCH 1/1] USB: serial/mos*: prevent reading uninitialized stack memory

Tim Gardner tim.gardner at canonical.com
Tue Jan 25 15:17:00 UTC 2011


On 01/24/2011 01:00 PM, Tim Gardner wrote:
> On 01/24/2011 11:57 AM, Brad Figg wrote:
>> From: Dan Rosenberg <drosenberg at vsecurity.com>
>>
>> CVE-2010-4074
>>
>> BugLink: http://bugs.launchpad.net/bugs/706149
>>
>> The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
>> unprivileged users to read uninitialized stack memory, because the
>> "reserved" member of the serial_icounter_struct struct declared on the
>> stack is not altered or zeroed before being copied back to the user.
>> This patch takes care of it.
>>
>> Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
>> Cc: stable <stable at kernel.org>
>> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
>> Signed-off-by: Brad Figg <brad.figg at canonical.com>
>> ---
>> drivers/usb/serial/mos7720.c | 3 +++
>> drivers/usb/serial/mos7840.c | 3 +++
>> 2 files changed, 6 insertions(+), 0 deletions(-)
>>
>> diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
>> index ccd4dd3..6571077 100644
>> --- a/drivers/usb/serial/mos7720.c
>> +++ b/drivers/usb/serial/mos7720.c
>> @@ -1431,6 +1431,9 @@ static int mos7720_ioctl(struct tty_struct *tty,
>> struct file *file,
>>
>> case TIOCGICOUNT:
>> cnow = mos7720_port->icount;
>> +
>> + memset(&icount, 0, sizeof(struct serial_icounter_struct));
>> +
>> icount.cts = cnow.cts;
>> icount.dsr = cnow.dsr;
>> icount.rng = cnow.rng;
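Review bot: the added `memset(&icount, 0, sizeof(struct serial_icounter_struct));` sits before every field copy, so the otherwise unwritten `reserved[]` member reaches user space as zeros, which is what the fix needs; the one nit is spelling the size as the type name rather than `sizeof(icount)`, which is the usual kernel idiom and stays correct if the local's type is ever changed. The two surrounding blank `+` lines are whitespace only and could be dropped to keep the hunk to the one functional line.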
>> diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
>> index 270009a..879bacb 100644
>> --- a/drivers/usb/serial/mos7840.c
>> +++ b/drivers/usb/serial/mos7840.c
>> @@ -2357,6 +2357,9 @@ static int mos7840_ioctl(struct tty_struct *tty,
>> struct file *file,
>> case TIOCGICOUNT:
>> cnow = mos7840_port->icount;
>> smp_rmb();
>> +
>> + memset(&icount, 0, sizeof(struct serial_icounter_struct));
>> +
>> icount.cts = cnow.cts;
>> icount.dsr = cnow.dsr;
>> icount.rng = cnow.rng;
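Review bot: same `sizeof(icount)` nit as in the mos7720.c hunk; placing the `memset` after `smp_rmb()` is fine, since the barrier only orders the read of `mos7840_port->icount` into `cnow` and `icount` is a local that nothing else touches. Note that the mos7720.c hunk has no `smp_rmb()` after its own `cnow = mos7720_port->icount;` while this driver does; that asymmetry predates this patch and is outside its scope, but it is worth a follow-up.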
>
> I'd like to see the upstream commit from which this patch was either
> cherry-picked or backported in the commit log. Its also of interest to
> know if it was actually accepted into one or more stable kernels. That
> provides some assurance that the patch has passed by some maintainer
> eyeballs. Otherwise,
>
> Acked-by: Tim Gardner <tim.gardner at canonical.com>
>

applied and pushed

-- 
Tim Gardner tim.gardner at canonical.com
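The leak the commit message describes is easy to lose sight of because the named fields are all written correctly; only the trailing `reserved[9]` is left as whatever the stack held before. The program below is an added example, not code from the patch or from the Linux tree: a user-space model of the TIOCGICOUNT handler before and after the `memset`. `struct icount_model` mirrors the layout of `serial_icounter_struct` from `linux/serial.h` under a local name so it builds without kernel headers, and the kernel stack slot is modelled as a union that is deliberately pre-filled with a constructed stale byte pattern, so the result is deterministic rather than undefined behaviour. The optional live probe in `main` (a tty path as the first argument) is an assumption about how a practitioner would check a running kernel; it just issues the real ioctl and counts non-zero bytes in `reserved[]`.

```c
/*
 * Added example for CVE-2010-4074 (not the patch's or the kernel's code):
 * model of the TIOCGICOUNT stack infoleak in mos7720.c / mos7840.c.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/ioctl.h>
#endif

/* Same layout as struct serial_icounter_struct: 11 named ints + 9 reserved. */
struct icount_model {
	int cts, dsr, rng, dcd;
	int rx, tx;
	int frame, overrun, parity, brk;
	int buf_overrun;
	int reserved[9];
};

/* Driver-private counters, the "cnow" the handler copies from. */
struct drv_counts {
	unsigned int cts, dsr, rng, dcd, rx, tx, frame, overrun, parity, brk, buf_overrun;
};

/*
 * Stand-in for the kernel stack slot holding the local "icount". A real slot
 * simply contains whatever the previous callee left there; here that stale
 * data is constructed explicitly (STALE_BYTE) so the leak is reproducible.
 */
union stack_slot {
	struct icount_model ic;
	unsigned char raw[sizeof(struct icount_model)];
};

#define STALE_BYTE 0xAA	/* constructed "leftover" stack contents */

static void stale_fill(union stack_slot *slot)
{
	memset(slot->raw, STALE_BYTE, sizeof(slot->raw));
}

/* Shared tail of both handlers: copy the named fields, then "copy_to_user". */
static void fill_and_copy(union stack_slot *slot, const struct drv_counts *cnow,
			  struct icount_model *user_buf)
{
	struct icount_model *icount = &slot->ic;

	icount->cts = cnow->cts;       icount->dsr = cnow->dsr;
	icount->rng = cnow->rng;       icount->dcd = cnow->dcd;
	icount->rx = cnow->rx;         icount->tx = cnow->tx;
	icount->frame = cnow->frame;   icount->overrun = cnow->overrun;
	icount->parity = cnow->parity; icount->brk = cnow->brk;
	icount->buf_overrun = cnow->buf_overrun;
	memcpy(user_buf, icount, sizeof(*user_buf));	/* copy_to_user() stand-in */
}

/* Pre-patch: reserved[] is never written, so stale bytes go to user space. */
void tiocgicount_vulnerable(const struct drv_counts *cnow, struct icount_model *user_buf)
{
	union stack_slot slot;
	stale_fill(&slot);
	fill_and_copy(&slot, cnow, user_buf);
}

/* Post-patch: the memset from the hunk zeroes the whole struct first. */
void tiocgicount_fixed(const struct drv_counts *cnow, struct icount_model *user_buf)
{
	union stack_slot slot;
	stale_fill(&slot);
	memset(&slot.ic, 0, sizeof(slot.ic));
	fill_and_copy(&slot, cnow, user_buf);
}

/* Bytes of reserved[] that are non-zero: what an unprivileged caller gets back. */
size_t leaked_reserved_bytes(const struct icount_model *user_buf)
{
	const unsigned char *p = (const unsigned char *)user_buf->reserved;
	size_t n = 0;
	for (size_t i = 0; i < sizeof(user_buf->reserved); i++)
		if (p[i] != 0)
			n++;
	return n;
}

/* Run one handler over constructed counters; returns leaked byte count. */
size_t demo_leak(int apply_memset)
{
	struct drv_counts cnow = { .cts = 3, .rx = 1000, .tx = 42 };
	struct icount_model out;
	if (apply_memset)
		tiocgicount_fixed(&cnow, &out);
	else
		tiocgicount_vulnerable(&cnow, &out);
	return leaked_reserved_bytes(&out);
}

/* 1 if the named fields survive the fix intact. */
int demo_fields_preserved(void)
{
	struct drv_counts cnow = { .cts = 3, .rx = 1000, .tx = 42 };
	struct icount_model out;
	tiocgicount_fixed(&cnow, &out);
	return out.cts == 3 && out.rx == 1000 && out.tx == 42 && out.dsr == 0;
}

int main(int argc, char **argv)
{
	printf("vulnerable: %zu stale bytes in reserved[]\n", demo_leak(0));
	printf("fixed:      %zu stale bytes in reserved[]\n", demo_leak(1));
#if defined(__linux__) && defined(TIOCGICOUNT)
	/* Optional live probe: ./a.out /dev/ttyUSB0 issues the real ioctl. */
	if (argc > 1) {
		struct icount_model out;
		int fd = open(argv[1], O_RDONLY | O_NOCTTY);
		if (fd < 0 || ioctl(fd, TIOCGICOUNT, &out) < 0) {
			perror(argv[1]);
			return 1;
		}
		close(fd);
		printf("%s: %zu non-zero bytes in reserved[]\n", argv[1],
		       leaked_reserved_bytes(&out));
	}
#endif
	(void)argc; (void)argv;
	return 0;
}
```

Without the `memset`, all `sizeof(int) * 9` reserved bytes come back holding the stale pattern; with it, none do and the named counters are unchanged. The same audit applies to any ioctl that builds a struct with padding or reserved members on the stack and hands the whole thing to `copy_to_user()`: zero the object before the field copies, not after.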



