[SRU][N/J/F][PATCH 0/1] CVE-2024-36016
Bethany Jamison
bethany.jamison at canonical.com
Fri Jun 21 21:18:03 UTC 2024
[Impact]
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
Assuming the following:
- side A configures the n_gsm in basic option mode
- side B sends the header of a basic option mode frame with data length 1
- side A switches to advanced option mode
- side B sends 2 data bytes which exceeds gsm->len
Reason: gsm->len is not used in advanced option mode.
- side A switches to basic option mode
- side B keeps sending until gsm0_receive() writes past gsm->buf
Reason: Neither gsm->state nor gsm->len have been reset after
reconfiguration.
Fix this by changing gsm->count to gsm->len comparison from equal to less
than. Also add upper limit checks against the constant MAX_MRU in
gsm0_receive() and gsm1_receive() to harden against memory corruption of
gsm->len and gsm->mru.
All other checks remain as we still need to limit the data according to the
user configuration and actual payload size.
[Fix]
Noble: Clean cherry-pick from linux-6.8.y
Jammy: Noble patch applied cleanly
Focal: Clean cherry-pick from linux-5.10.y
Bionic: fix sent to esm ML
Xenial: fix sent to esm ML
Trusty: not going to be fixed by us
[Test Case]
Compile and boot tested
[Where problems could occur]
This fix affects those who use the GSM 0710 tty multiplexor, an
issue with this fix would be visible to the user via unexpected
system behavior or a system crash.
Daniel Starke (1):
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
drivers/tty/n_gsm.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--
2.34.1
More information about the kernel-team
mailing list