[kernel] r16586 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Nov 21 01:25:34 UTC 2010


Author: dannf
Date: Sun Nov 21 01:25:31 2010
New Revision: 16586

Log:
USB: serial/mos*: prevent reading uninitialized stack memory (CVE-2010-4074)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 01:22:20 2010	(r16585)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 01:25:31 2010	(r16586)
@@ -32,6 +32,7 @@
   * ipc: shm: fix information leak to userland (CVE-2010-4072)
   * ipc: initialize structure memory to zero for compat functions
     (CVE-2010-4073)
+  * USB: serial/mos*: prevent reading uninitialized stack memory (CVE-2010-4074)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 
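Review bot: The added changelog entry runs to 80 columns on a single line, while the CVE-2010-4073 entry directly above it wraps its CVE id onto a continuation line. Wrapping "(CVE-2010-4074)" the same way would keep the stanza consistent.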

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch	Sun Nov 21 01:25:31 2010	(r16586)
@@ -0,0 +1,44 @@
+commit f34a022b4ad4074098e41d6ffe2349a07b5e7237
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Wed Sep 15 17:44:16 2010 -0400
+
+    USB: serial/mos*: prevent reading uninitialized stack memory
+    
+    The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
+    unprivileged users to read uninitialized stack memory, because the
+    "reserved" member of the serial_icounter_struct struct declared on the
+    stack is not altered or zeroed before being copied back to the user.
+    This patch takes care of it.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Cc: stable <stable at kernel.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
+index 50f1fe2..c3e6058 100644
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -1479,6 +1479,9 @@ static int mos7720_ioctl(struct usb_serial_port *port, struct file *file,
+ 
+ 	case TIOCGICOUNT:
+ 		cnow = mos7720_port->icount;
++
++		memset(&icount, 0, sizeof(struct serial_icounter_struct));
++
+ 		icount.cts = cnow.cts;
+ 		icount.dsr = cnow.dsr;
+ 		icount.rng = cnow.rng;
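Review bot: In the TIOCGICOUNT case of mos7720_ioctl, the added memset sizes the clear with sizeof(struct serial_icounter_struct) instead of sizeof(icount). Tying the size to the variable keeps the clear covering the whole object if its declaration ever changes; suggest `memset(&icount, 0, sizeof(icount));`.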
+diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
+index 78f2f6d..34c05b1 100644
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -2446,6 +2446,9 @@ static int mos7840_ioctl(struct usb_serial_port *port, struct file *file,
+ 	case TIOCGICOUNT:
+ 		cnow = mos7840_port->icount;
+ 		smp_rmb();
++
++		memset(&icount, 0, sizeof(struct serial_icounter_struct));
++
+ 		icount.cts = cnow.cts;
+ 		icount.dsr = cnow.dsr;
+ 		icount.rng = cnow.rng;
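Review bot: The memset added after smp_rmb() in the TIOCGICOUNT case of mos7840_ioctl carries no comment, and because the counter fields are assigned immediately below it, it reads as redundant and could be dropped in a later cleanup. A one-line comment stating that it clears the "reserved" member named in the commit message before the struct is copied back to the user would document why it has to stay.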

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sun Nov 21 01:22:20 2010	(r16585)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sun Nov 21 01:25:31 2010	(r16586)
@@ -25,3 +25,4 @@
 + bugfix/all/inet_diag-make-sure-we-actually-run-the-same-bytecode-we-audited.patch
 + bugfix/all/ipc-shm-fix-information-leak-to-userland.patch
 + bugfix/all/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
++ bugfix/all/usb-serial-mosfoo-prevent-reading-uninitialized-stack-memory.patch


