[CVE-2010-4076/CVE-2010-4077] tty: icount changeover for other main devices
Stefan Bader
stefan.bader at canonical.com
Thu Jun 9 12:58:06 UTC 2011
On 07.06.2011 18:13, Andy Whitcroft wrote:
> CVE-2010-4076
> The rs_ioctl function in drivers/char/amiserial.c in the Linux
> kernel 2.6.36.1 and earlier does not properly initialize a certain
> structure member, which allows local users to obtain potentially
> sensitive information from kernel stack memory via a TIOCGICOUNT
> ioctl call.
>
> CVE-2010-4077
> The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in
> the Linux kernel 2.6.36.1 and earlier does not properly initialize
> a certain structure member, which allows local users to obtain
> potentially sensitive information from kernel stack memory via
> a TIOCGICOUNT ioctl call.
>
> The above two CVEs were thought fixed by the upstream commit below (also the fix
> for CVE-2010-4075):
>
> commit d281da7ff6f70efca0553c288bb883e8605b3862
> Author: Alan Cox <alan at linux.intel.com>
> Date: Thu Sep 16 18:21:24 2010 +0100
>
> tty: Make tiocgicount a handler
>
> However until the drivers themselves are converted by a follow up commit
> they do not make use of the new functionality. This is done for all the
> main drivers in the following commit:
>
> commit 0587102cf9f427c185bfdeb2cef41e13ee0264b1
> Author: Alan Cox <alan at linux.intel.com>
> Date: Thu Sep 16 18:21:52 2010 +0100
>
> tty: icount changeover for other main devices
>
> This commit is already applied for Natty and later arriving via
> mainline. Following this email are patches for Hardy, Lucid,
> Lucid/fsl-imx51, and Maverick.
>
> NOTE: these are all backports with conflicts, are huge, and therefore
> deserve some real review before application.
>
> -apw
>
All backports seem to follow the same pattern of replacing an ioctl function
that copies stuff to userspace with a callback filling the provided struct.
The only one sticking out would be the nozomi one, as it does not seem to do the
lock, snapshot, unlock sequence the other drivers do. But this is the same upstream.
Acked-by: Stefan Bader <stefan.bader at canonical.com>
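The pattern described in this thread (a per-driver ioctl that fills some fields of a stack struct and copies the whole struct to userspace, replaced by a get_icount callback that only writes counters into a struct the tty core has zeroed first) in a userspace model, as an added illustration that is not part of this thread or of the kernel patches. The struct layout mirrors struct serial_icounter_struct from <linux/serial.h>; the counter values are constructed samples, memcpy() stands in for copy_to_user(), and the "old" path takes a caller-poisoned slot instead of a genuinely uninitialized local so the leak is deterministic rather than undefined behaviour:

```c
#include <string.h>

/* Layout as declared in <linux/serial.h>: eleven counters, then nine
 * reserved ints that no driver writes. */
struct serial_icounter_struct {
	int cts, dsr, rng, dcd;
	int rx, tx;
	int frame, overrun, parity, brk;
	int buf_overrun;
	int reserved[9];
};

/* Constructed sample counters standing in for a driver's port->icount. */
static const struct { int cts, dsr, rng, dcd, rx, tx, frame, overrun,
		      parity, brk, buf_overrun; }
port_icount = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 };

/* Byte pattern standing in for stale kernel stack contents. */
#define STALE_BYTE 0x41

/* The part both variants share: the driver writes the counters it tracks and
 * nothing else, so reserved[] keeps whatever the struct held before. */
static void fill_known_fields(struct serial_icounter_struct *ic)
{
	ic->cts = port_icount.cts;
	ic->dsr = port_icount.dsr;
	ic->rng = port_icount.rng;
	ic->dcd = port_icount.dcd;
	ic->rx = port_icount.rx;
	ic->tx = port_icount.tx;
	ic->frame = port_icount.frame;
	ic->overrun = port_icount.overrun;
	ic->parity = port_icount.parity;
	ic->brk = port_icount.brk;
	ic->buf_overrun = port_icount.buf_overrun;
}

/* Pre-conversion pattern: the driver's ioctl keeps the struct on its own
 * stack, fills the fields it knows and copies the whole thing to userspace.
 * The caller passes a pre-poisoned slot in place of the uninitialized local. */
static void old_style_tiocgicount(struct serial_icounter_struct *stack_slot,
				  struct serial_icounter_struct *user_out)
{
	fill_known_fields(stack_slot);
	memcpy(user_out, stack_slot, sizeof(*stack_slot)); /* ~ copy_to_user() */
}

/* Post-conversion driver side: a get_icount callback that only fills counters. */
static int driver_get_icount(struct serial_icounter_struct *ic)
{
	fill_known_fields(ic);
	return 0;
}

/* Post-conversion core side: the tty layer owns the struct, zeroes it before
 * the driver sees it, and is the only code that copies it to userspace. */
static int core_tiocgicount(struct serial_icounter_struct *user_out,
			    int (*get_icount)(struct serial_icounter_struct *))
{
	struct serial_icounter_struct ic;
	int ret;
	memset(&ic, 0, sizeof(ic));
	ret = get_icount(&ic);
	if (ret)
		return ret;
	memcpy(user_out, &ic, sizeof(ic)); /* ~ copy_to_user() */
	return 0;
}

/* Count how many bytes of the stale pattern reached "userspace". */
static size_t stale_bytes(const struct serial_icounter_struct *out)
{
	const unsigned char *p = (const unsigned char *)out;
	size_t n = 0, i;
	for (i = 0; i < sizeof(*out); i++)
		if (p[i] == STALE_BYTE)
			n++;
	return n;
}

/* Old pattern: returns the number of stale bytes leaked (36, i.e. reserved[9]). */
size_t leaked_by_old_pattern(void)
{
	struct serial_icounter_struct slot, out;
	memset(&slot, STALE_BYTE, sizeof(slot));
	old_style_tiocgicount(&slot, &out);
	return stale_bytes(&out);
}

/* New pattern: returns the number of stale bytes leaked (0). */
size_t leaked_by_new_pattern(void)
{
	struct serial_icounter_struct out;
	if (core_tiocgicount(&out, driver_get_icount))
		return (size_t)-1;
	return stale_bytes(&out);
}
```

The point the model makes is the one reviewers of such a backport care about: the driver-side callback cannot leak the reserved words no matter how little it fills in, because the only copy to userspace happens in the core after a memset(). Whether a converted driver takes its lock around the snapshot (the nozomi question above) affects counter consistency, not the stack-disclosure fix.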