diff options
author | Dan Rosenberg <drosenberg@vsecurity.com> | 2010-09-15 17:44:16 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-09-20 19:05:00 -0400 |
commit | a0846f1868b11cd827bdfeaf4527d8b1b1c0b098 (patch) | |
tree | 01ca49ce4f0c11d1a8274dce1484f039a41781e9 /drivers | |
parent | fc8f2a7608d855b911e35a33e771e6358c705c43 (diff) |
USB: serial/mos*: prevent reading uninitialized stack memory
The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory, because the
"reserved" member of the serial_icounter_struct struct declared on the
stack is not altered or zeroed before being copied back to the user.
This patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/usb/serial/mos7720.c | 3 | ||||
-rw-r--r-- | drivers/usb/serial/mos7840.c | 3 |
2 files changed, 6 insertions, 0 deletions
diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c index 30922a7e3347..aa665817a272 100644 --- a/drivers/usb/serial/mos7720.c +++ b/drivers/usb/serial/mos7720.c | |||
@@ -2024,6 +2024,9 @@ static int mos7720_ioctl(struct tty_struct *tty, struct file *file, | |||
2024 | 2024 | ||
2025 | case TIOCGICOUNT: | 2025 | case TIOCGICOUNT: |
2026 | cnow = mos7720_port->icount; | 2026 | cnow = mos7720_port->icount; |
2027 | |||
2028 | memset(&icount, 0, sizeof(struct serial_icounter_struct)); | ||
2029 | |||
2027 | icount.cts = cnow.cts; | 2030 | icount.cts = cnow.cts; |
2028 | icount.dsr = cnow.dsr; | 2031 | icount.dsr = cnow.dsr; |
2029 | icount.rng = cnow.rng; | 2032 | icount.rng = cnow.rng; |
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c index 1c9b6e9b2386..1a42bc213799 100644 --- a/drivers/usb/serial/mos7840.c +++ b/drivers/usb/serial/mos7840.c | |||
@@ -2285,6 +2285,9 @@ static int mos7840_ioctl(struct tty_struct *tty, struct file *file, | |||
2285 | case TIOCGICOUNT: | 2285 | case TIOCGICOUNT: |
2286 | cnow = mos7840_port->icount; | 2286 | cnow = mos7840_port->icount; |
2287 | smp_rmb(); | 2287 | smp_rmb(); |
2288 | |||
2289 | memset(&icount, 0, sizeof(struct serial_icounter_struct)); | ||
2290 | |||
2288 | icount.cts = cnow.cts; | 2291 | icount.cts = cnow.cts; |
2289 | icount.dsr = cnow.dsr; | 2292 | icount.dsr = cnow.dsr; |
2290 | icount.rng = cnow.rng; | 2293 | icount.rng = cnow.rng; |