* [PATCH] drivers/usb/serial/mos*: prevent reading uninitialized stack memory
@ 2010-09-15 21:44 Dan Rosenberg
  2010-09-16  8:39 ` Alan Cox
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Rosenberg @ 2010-09-15 21:44 UTC (permalink / raw)
  To: linux-usb; +Cc: linux-kernel, security, stable

The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory, because the
"reserved" member of the serial_icounter_struct struct declared on the
stack is not altered or zeroed before being copied back to the user.
This patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>

diff -urp linux-2.6.35.4.orig/drivers/usb/serial/mos7720.c linux-2.6.35.4/drivers/usb/serial/mos7720.c
--- linux-2.6.35.4.orig/drivers/usb/serial/mos7720.c	2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.4/drivers/usb/serial/mos7720.c	2010-09-15 11:42:01.877375361 -0400
@@ -2024,6 +2024,9 @@ static int mos7720_ioctl(struct tty_stru
 
 	case TIOCGICOUNT:
 		cnow = mos7720_port->icount;
+
+		memset(&icount, 0, sizeof(struct serial_icounter_struct));
+
 		icount.cts = cnow.cts;
 		icount.dsr = cnow.dsr;
 		icount.rng = cnow.rng;
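Review bot: in the memset added to the TIOCGICOUNT case of mos7720_ioctl, the length is written as sizeof(struct serial_icounter_struct) instead of being taken from the object being cleared. Writing it as memset(&icount, 0, sizeof(icount)); keeps the length tied to the variable if its declaration ever changes, and is the more common kernel idiom. The blank lines added before and after the call are not needed.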
diff -urp linux-2.6.35.4.orig/drivers/usb/serial/mos7840.c linux-2.6.35.4/drivers/usb/serial/mos7840.c
--- linux-2.6.35.4.orig/drivers/usb/serial/mos7840.c	2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.4/drivers/usb/serial/mos7840.c	2010-09-15 11:42:39.237375173 -0400
@@ -2273,6 +2273,9 @@ static int mos7840_ioctl(struct tty_stru
 	case TIOCGICOUNT:
 		cnow = mos7840_port->icount;
 		smp_rmb();
+
+		memset(&icount, 0, sizeof(struct serial_icounter_struct));
+
 		icount.cts = cnow.cts;
 		icount.dsr = cnow.dsr;
 		icount.rng = cnow.rng;
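Review bot: the memset added after smp_rmb() in mos7840_ioctl is a copy of the one added to mos7720_ioctl, so the clear now has to be remembered separately in every TIOCGICOUNT handler that builds this struct on its own stack. Since the case goes on to assign cts, dsr, rng and the rest by hand before the copy to user space, consider a small shared helper that zeroes the struct, fills it from cnow and does the copy, so the two drivers cannot drift apart. As in the first hunk, sizeof(icount) would be preferable to naming the type.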








* Re: [PATCH] drivers/usb/serial/mos*: prevent reading uninitialized stack memory
  2010-09-15 21:44 [PATCH] drivers/usb/serial/mos*: prevent reading uninitialized stack memory Dan Rosenberg
@ 2010-09-16  8:39 ` Alan Cox
  0 siblings, 0 replies; 2+ messages in thread
From: Alan Cox @ 2010-09-16  8:39 UTC (permalink / raw)
  To: Dan Rosenberg; +Cc: linux-usb, linux-kernel, security, stable

On Wed, 15 Sep 2010 17:44:16 -0400
Dan Rosenberg <drosenberg@vsecurity.com> wrote:

> The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
> unprivileged users to read uninitialized stack memory, because the
> "reserved" member of the serial_icounter_struct struct declared on the
> stack is not altered or zeroed before being copied back to the user.
> This patch takes care of it.

ACK ... but this is the wrong way to fix these. We'll be squashing new
ones between here and eternity if we just stick memsets in. It wants
making a tty operation off the tty ioctl code so that there is one place
that clears it and copies it to the user.

I'll have a look at what is needed - I don't think very much.

Alan
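
The "one place that clears it and copies it to the user" arrangement from the reply above, as an added userspace sketch that is not code from this thread or from the kernel. struct icounter, get_icount_fn, shared_tiocgicount(), demo_get_icount() and the 0xAA marker are hypothetical names and constructed values; memcpy() stands in for copy_to_user(), and the struct layout is a simplified assumption.

```c
#include <stdio.h>
#include <string.h>
#define STALE 0xAA  /* constructed marker standing in for leftover stack data */

/* Simplified stand-in for serial_icounter_struct (layout is an assumption). */
struct icounter {
    int cts, dsr, rng, dcd;
    int reserved[9];
};

/* Hypothetical per-driver hook: sets only the counters the driver tracks. */
typedef void (*get_icount_fn)(struct icounter *ic);

static void demo_get_icount(struct icounter *ic)
{
    ic->cts = 1; ic->dsr = 2; ic->rng = 3; ic->dcd = 4;
    /* reserved[] is never written, as in the handlers the patch touches */
}

/* Hypothetical shared handler: the single place that clears and copies out. */
static void shared_tiocgicount(get_icount_fn get, int clear, void *user_buf)
{
    struct icounter ic;

    memset(&ic, STALE, sizeof(ic));      /* model a dirty stack frame */
    if (clear)
        memset(&ic, 0, sizeof(ic));      /* done once, for every driver */
    get(&ic);
    memcpy(user_buf, &ic, sizeof(ic));   /* stands in for copy_to_user() */
}

/* Number of stale bytes that reach the caller through reserved[]. */
size_t leaked_bytes(int clear)
{
    struct icounter out;
    const unsigned char *p = (const unsigned char *)out.reserved;
    size_t i, n = 0;

    shared_tiocgicount(demo_get_icount, clear, &out);
    for (i = 0; i < sizeof(out.reserved); i++)
        n += (p[i] == STALE);
    return n;
}

int main(void)
{
    printf("stale bytes: %zu uncleared, %zu cleared\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

With the clear in the shared handler, a driver hook that forgets reserved[] can no longer expose stale bytes, which is the property the per-driver memsets have to re-establish one handler at a time.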
