From: Dan Rosenberg Date: Wed, 15 Sep 2010 21:44:16 +0000 (-0400) Subject: USB: serial/mos*: prevent reading uninitialized stack memory X-Git-Tag: v2.6.34.8~153 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2a3b699885d83ab285b2a8ef7ab7800f56012bd3;p=thirdparty%2Fkernel%2Fstable.git USB: serial/mos*: prevent reading uninitialized stack memory commit a0846f1868b11cd827bdfeaf4527d8b1b1c0b098 upstream. The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows unprivileged users to read uninitialized stack memory, because the "reserved" member of the serial_icounter_struct struct declared on the stack is not altered or zeroed before being copied back to the user. This patch takes care of it. Signed-off-by: Dan Rosenberg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Paul Gortmaker --- diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c index 0d47f2c4d59f2..623a6d35f1638 100644 --- a/drivers/usb/serial/mos7720.c +++ b/drivers/usb/serial/mos7720.c @@ -1566,6 +1566,9 @@ static int mos7720_ioctl(struct tty_struct *tty, struct file *file, case TIOCGICOUNT: cnow = mos7720_port->icount; + + memset(&icount, 0, sizeof(struct serial_icounter_struct)); + icount.cts = cnow.cts; icount.dsr = cnow.dsr; icount.rng = cnow.rng; diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c index a73f2f57922ad..16f0548f5f3d3 100644 --- a/drivers/usb/serial/mos7840.c +++ b/drivers/usb/serial/mos7840.c @@ -2286,6 +2286,9 @@ static int mos7840_ioctl(struct tty_struct *tty, struct file *file, case TIOCGICOUNT: cnow = mos7840_port->icount; smp_rmb(); + + memset(&icount, 0, sizeof(struct serial_icounter_struct)); + icount.cts = cnow.cts; icount.dsr = cnow.dsr; icount.rng = cnow.rng;