APPLIED: [SRU][N/J/F][PATCH 0/1] CVE-2024-36016

Stefan Bader stefan.bader at canonical.com
Wed Jun 26 09:08:22 UTC 2024 

On 21.06.24 23:18, Bethany Jamison wrote:
> [Impact]
> 
> tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
> 
> Assuming the following:
> - side A configures the n_gsm in basic option mode
> - side B sends the header of a basic option mode frame with data length 1
> - side A switches to advanced option mode
> - side B sends 2 data bytes which exceeds gsm->len
>    Reason: gsm->len is not used in advanced option mode.
> - side A switches to basic option mode
> - side B keeps sending until gsm0_receive() writes past gsm->buf
>    Reason: Neither gsm->state nor gsm->len have been reset after
>    reconfiguration.
> 
> Fix this by changing gsm->count to gsm->len comparison from equal to less
> than. Also add upper limit checks against the constant MAX_MRU in
> gsm0_receive() and gsm1_receive() to harden against memory corruption of
> gsm->len and gsm->mru.
> 
> All other checks remain as we still need to limit the data according to the
> user configuration and actual payload size.
> 
> [Fix]
> 
> Noble:	Clean cherry-pick from linux-6.8.y
> Jammy:	Noble patch applied cleanly
> Focal: 	Clean cherry-pick from linux-5.10.y
> Bionic:	fix sent to esm ML
> Xenial:	fix sent to esm ML
> Trusty: not going to be fixed by us
> 
> [Test Case]
> 
> Compile and boot tested
> 
> [Where problems could occur]
> 
> This fix affects those who use the GSM 0710 tty multiplexor, an
> issue with this fix would be visible to the user via unexpected
> system behavior or a system crash.
> 
> Daniel Starke (1):
>    tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
> 
>   drivers/tty/n_gsm.c | 7 +++++--
>   1 file changed, 5 insertions(+), 2 deletions(-)
> 

Applied to noble,jammy,focal:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240626/8788b05d/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240626/8788b05d/attachment-0001.sig>

More information about the kernel-team mailing list