diff options
| author | Dan Rosenberg <drosenberg@vsecurity.com> | 2010-09-15 17:44:16 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-09-26 17:21:14 -0700 |
| commit | f2ba1916d33431e42f4ef440c903aeb5dbac62fb (patch) | |
| tree | f5a52eaadc120f53e1bd0cac60ef465c00b99930 /drivers | |
| parent | eaa1ace05aaf4503589a3111a6f5401e85716d51 (diff) | |
USB: serial/mos*: prevent reading uninitialized stack memory
commit a0846f1868b11cd827bdfeaf4527d8b1b1c0b098 upstream.
The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory, because the
"reserved" member of the serial_icounter_struct struct declared on the
stack is not altered or zeroed before being copied back to the user.
This patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/usb/serial/mos7720.c | 3 | ||||
| -rw-r--r-- | drivers/usb/serial/mos7840.c | 3 |
2 files changed, 6 insertions, 0 deletions
diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c index 763e32a44be0..f3a73e7b948c 100644 --- a/drivers/usb/serial/mos7720.c +++ b/drivers/usb/serial/mos7720.c @@ -1466,6 +1466,9 @@ static int mos7720_ioctl(struct tty_struct *tty, struct file *file, case TIOCGICOUNT: cnow = mos7720_port->icount; + + memset(&icount, 0, sizeof(struct serial_icounter_struct)); + icount.cts = cnow.cts; icount.dsr = cnow.dsr; icount.rng = cnow.rng; diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c index cf79fb2be288..9fdcee2eca99 100644 --- a/drivers/usb/serial/mos7840.c +++ b/drivers/usb/serial/mos7840.c @@ -2287,6 +2287,9 @@ static int mos7840_ioctl(struct tty_struct *tty, struct file *file, case TIOCGICOUNT: cnow = mos7840_port->icount; smp_rmb(); + + memset(&icount, 0, sizeof(struct serial_icounter_struct)); + icount.cts = cnow.cts; icount.dsr = cnow.dsr; icount.rng = cnow.rng; |