[CVE-2010-4076/CVE-2010-4077] tty: icount changeover for other main devices
Andy Whitcroft
apw at canonical.com
Tue Jun 7 16:13:37 UTC 2011

CVE-2010-4076

    The rs_ioctl function in drivers/char/amiserial.c in the Linux
    kernel 2.6.36.1 and earlier does not properly initialize a certain
    structure member, which allows local users to obtain potentially
    sensitive information from kernel stack memory via a TIOCGICOUNT
    ioctl call.

CVE-2010-4077

    The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in
    the Linux kernel 2.6.36.1 and earlier does not properly initialize
    a certain structure member, which allows local users to obtain
    potentially sensitive information from kernel stack memory via
    a TIOCGICOUNT ioctl call.

The above two CVEs were thought fixed by the upstream commit below (also the
fix for CVE-2010-4075):

    commit d281da7ff6f70efca0553c288bb883e8605b3862
    Author: Alan Cox <alan at linux.intel.com>
    Date: Thu Sep 16 18:21:24 2010 +0100

        tty: Make tiocgicount a handler

However, until the drivers themselves are converted by a follow-up commit
they do not make use of the new functionality. This is done for all the
main drivers in the following commit:

    commit 0587102cf9f427c185bfdeb2cef41e13ee0264b1
    Author: Alan Cox <alan at linux.intel.com>
    Date: Thu Sep 16 18:21:52 2010 +0100

        tty: icount changeover for other main devices

This commit is already applied for Natty and later, arriving via
mainline. Following this email are patches for Hardy, Lucid,
Lucid/fsl-imx51, and Maverick.

NOTE: these are all backports with conflicts, are huge, and therefore
deserve some real review before application.

-apw
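
The bug class named in the two CVE descriptions above, as an added user-space model that is not part of the original email or of the kernel patches. It assumes the uninitialized member is the `reserved` array of `struct serial_icounter_struct`; `STALE`, `fill_counters`, `ioctl_before`, `ioctl_after` and `leaked_bytes` are hypothetical names, and `memcpy` stands in for `copy_to_user`.

```c
#include <stddef.h>
#include <string.h>

struct icounter {                 /* fields as in serial_icounter_struct */
    int cts, dsr, rng, dcd, rx, tx;
    int frame, overrun, parity, brk, buf_overrun;
    int reserved[9];              /* assumption: the member left unset */
};

#define STALE 0xAA                /* constructed marker for old stack data */

/* Driver-style fill: every counter is assigned, reserved[] is not. */
void fill_counters(struct icounter *ic)
{
    ic->cts = 1; ic->dsr = 2; ic->rng = 3; ic->dcd = 4;
    ic->rx = 100; ic->tx = 200;   /* constructed sample values */
    ic->frame = ic->overrun = ic->parity = ic->brk = ic->buf_overrun = 0;
}

/* Pre-fix pattern: fill field by field, then copy the whole struct out. */
void ioctl_before(struct icounter *user_out)
{
    struct icounter ic;
    memset(&ic, STALE, sizeof(ic));     /* model a dirty stack slot */
    fill_counters(&ic);
    memcpy(user_out, &ic, sizeof(ic));  /* reserved[] leaves as-is */
}

/* Hardened pattern: zero the whole struct before the driver fills it. */
void ioctl_after(struct icounter *user_out)
{
    struct icounter ic;
    memset(&ic, STALE, sizeof(ic));     /* same dirty stack slot */
    memset(&ic, 0, sizeof(ic));         /* the missing initialization */
    fill_counters(&ic);
    memcpy(user_out, &ic, sizeof(ic));
}

/* Bytes of reserved[] that still carry the stale marker. */
size_t leaked_bytes(const struct icounter *out)
{
    const unsigned char *p = (const unsigned char *)out->reserved;
    size_t i, n = 0;
    for (i = 0; i < sizeof(out->reserved); i++)
        n += (p[i] == STALE);
    return n;
}

int main(void)
{
    struct icounter a, b;
    ioctl_before(&a); ioctl_after(&b);
    return !(leaked_bytes(&a) == sizeof(a.reserved) && leaked_bytes(&b) == 0);
}
```

When reviewing the backports, the same check applies to each converted driver: every byte of the structure copied to user space must have been written on that code path.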