[kernel] r16586 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Nov 21 01:25:34 UTC 2010
Author: dannf
Date: Sun Nov 21 01:25:31 2010
New Revision: 16586
Log:
USB: serial/mos*: prevent reading uninitialized stack memory (CVE-2010-4074)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Nov 21 01:22:20 2010 (r16585)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Nov 21 01:25:31 2010 (r16586)
@@ -32,6 +32,7 @@
* ipc: shm: fix information leak to userland (CVE-2010-4072)
* ipc: initialize structure memory to zero for compat functions
(CVE-2010-4073)
+ * USB: serial/mos*: prevent reading uninitialized stack memory (CVE-2010-4074)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
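Review bot: the new changelog entry keeps "(CVE-2010-4074)" on the same line as its description, while the entry directly above it wraps its CVE id onto a continuation line. Wrapping this one the same way would keep the list consistent.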
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch Sun Nov 21 01:25:31 2010 (r16586)
@@ -0,0 +1,44 @@
+commit f34a022b4ad4074098e41d6ffe2349a07b5e7237
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Wed Sep 15 17:44:16 2010 -0400
+
+ USB: serial/mos*: prevent reading uninitialized stack memory
+
+ The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
+ unprivileged users to read uninitialized stack memory, because the
+ "reserved" member of the serial_icounter_struct struct declared on the
+ stack is not altered or zeroed before being copied back to the user.
+ This patch takes care of it.
+
+ Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+ Cc: stable <stable at kernel.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
+index 50f1fe2..c3e6058 100644
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -1479,6 +1479,9 @@ static int mos7720_ioctl(struct usb_serial_port *port, struct file *file,
+
+ case TIOCGICOUNT:
+ cnow = mos7720_port->icount;
++
++ memset(&icount, 0, sizeof(struct serial_icounter_struct));
++
+ icount.cts = cnow.cts;
+ icount.dsr = cnow.dsr;
+ icount.rng = cnow.rng;
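Review bot: in the mos7720 TIOCGICOUNT case the memset length is taken from the type name, sizeof(struct serial_icounter_struct), rather than from the object being cleared. Writing it as memset(&icount, 0, sizeof(icount)); keeps the length tied to the variable if its declaration ever changes. The placement before the field assignments is right: it zeroes the "reserved" member that the commit message names as the leak, along with any padding in the struct.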
+diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
+index 78f2f6d..34c05b1 100644
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -2446,6 +2446,9 @@ static int mos7840_ioctl(struct usb_serial_port *port, struct file *file,
+ case TIOCGICOUNT:
+ cnow = mos7840_port->icount;
+ smp_rmb();
++
++ memset(&icount, 0, sizeof(struct serial_icounter_struct));
++
+ icount.cts = cnow.cts;
+ icount.dsr = cnow.dsr;
+ icount.rng = cnow.rng;
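Review bot: the memset added to the mos7840 TIOCGICOUNT case carries no comment, and the field assignments that follow it can make it look redundant to a later reader. A one-line comment stating that it clears the "reserved" member before the struct is copied back to the user would protect it from being dropped in a cleanup.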
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sun Nov 21 01:22:20 2010 (r16585)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sun Nov 21 01:25:31 2010 (r16586)
@@ -25,3 +25,4 @@
+ bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch
+ bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
+ bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
++ bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch