| From a0846f1868b11cd827bdfeaf4527d8b1b1c0b098 Mon Sep 17 00:00:00 2001 |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| Date: Wed, 15 Sep 2010 17:44:16 -0400 |
| Subject: USB: serial/mos*: prevent reading uninitialized stack memory |
| |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| |
| commit a0846f1868b11cd827bdfeaf4527d8b1b1c0b098 upstream. |
| |
| The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows |
| unprivileged users to read uninitialized stack memory, because the |
| "reserved" member of the serial_icounter_struct struct declared on the |
| stack is not altered or zeroed before being copied back to the user. |
| This patch takes care of it. |
| |
| Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/usb/serial/mos7720.c | 3 +++ |
| drivers/usb/serial/mos7840.c | 3 +++ |
| 2 files changed, 6 insertions(+) |
| |
| --- a/drivers/usb/serial/mos7720.c |
| +++ b/drivers/usb/serial/mos7720.c |
| @@ -1466,6 +1466,9 @@ static int mos7720_ioctl(struct tty_stru |
| |
| case TIOCGICOUNT: |
| cnow = mos7720_port->icount; |
| + |
| + memset(&icount, 0, sizeof(struct serial_icounter_struct)); |
| + |
| icount.cts = cnow.cts; |
| icount.dsr = cnow.dsr; |
| icount.rng = cnow.rng; |
| --- a/drivers/usb/serial/mos7840.c |
| +++ b/drivers/usb/serial/mos7840.c |
| @@ -2287,6 +2287,9 @@ static int mos7840_ioctl(struct tty_stru |
| case TIOCGICOUNT: |
| cnow = mos7840_port->icount; |
| smp_rmb(); |
| + |
| + memset(&icount, 0, sizeof(struct serial_icounter_struct)); |
| + |
| icount.cts = cnow.cts; |
| icount.dsr = cnow.dsr; |
| icount.rng = cnow.rng; |