diff options
author | Dan Rosenberg <drosenberg@vsecurity.com> | 2010-09-15 17:44:16 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-09-20 16:05:00 -0700 |
commit | a0846f1868b11cd827bdfeaf4527d8b1b1c0b098 (patch) | |
tree | 01ca49ce4f0c11d1a8274dce1484f039a41781e9 | |
parent | fc8f2a7608d855b911e35a33e771e6358c705c43 (diff) | |
download | linux-stable-a0846f1868b11cd827bdfeaf4527d8b1b1c0b098.tar.gz linux-stable-a0846f1868b11cd827bdfeaf4527d8b1b1c0b098.tar.bz2 linux-stable-a0846f1868b11cd827bdfeaf4527d8b1b1c0b098.zip |
USB: serial/mos*: prevent reading uninitialized stack memory
The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory, because the
"reserved" member of the serial_icounter_struct struct declared on the
stack is not altered or zeroed before being copied back to the user.
This patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/usb/serial/mos7720.c | 3 | ||||
-rw-r--r-- | drivers/usb/serial/mos7840.c | 3 |
2 files changed, 6 insertions, 0 deletions
diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c index 30922a7e3347..aa665817a272 100644 --- a/drivers/usb/serial/mos7720.c +++ b/drivers/usb/serial/mos7720.c @@ -2024,6 +2024,9 @@ static int mos7720_ioctl(struct tty_struct *tty, struct file *file, case TIOCGICOUNT: cnow = mos7720_port->icount; + + memset(&icount, 0, sizeof(struct serial_icounter_struct)); + icount.cts = cnow.cts; icount.dsr = cnow.dsr; icount.rng = cnow.rng; diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c index 1c9b6e9b2386..1a42bc213799 100644 --- a/drivers/usb/serial/mos7840.c +++ b/drivers/usb/serial/mos7840.c @@ -2285,6 +2285,9 @@ static int mos7840_ioctl(struct tty_struct *tty, struct file *file, case TIOCGICOUNT: cnow = mos7840_port->icount; smp_rmb(); + + memset(&icount, 0, sizeof(struct serial_icounter_struct)); + icount.cts = cnow.cts; icount.dsr = cnow.dsr; icount.rng = cnow.rng; |