[CVE-2010-4076/CVE-2010-4077] tty: icount changeover for other main devices
Tim Gardner
tim.gardner at canonical.com
Thu Jun 9 15:30:11 UTC 2011
On 06/07/2011 10:13 AM, Andy Whitcroft wrote:
> CVE-2010-4076
> The rs_ioctl function in drivers/char/amiserial.c in the Linux
> kernel 2.6.36.1 and earlier does not properly initialize a certain
> structure member, which allows local users to obtain potentially
> sensitive information from kernel stack memory via a TIOCGICOUNT
> ioctl call.
>
> CVE-2010-4077
> The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in
> the Linux kernel 2.6.36.1 and earlier does not properly initialize
> a certain structure member, which allows local users to obtain
> potentially sensitive information from kernel stack memory via
> a TIOCGICOUNT ioctl call.
>
> The above two CVEs were thought fixed by upstream commit below (also the fix
> for CVE-2010-4075):
>
> commit d281da7ff6f70efca0553c288bb883e8605b3862
> Author: Alan Cox<alan at linux.intel.com>
> Date: Thu Sep 16 18:21:24 2010 +0100
>
> tty: Make tiocgicount a handler
>
> However until the drivers themselves are converted by a follow up commit
> they do not make use of the new functionality. This is done for all the
> main drivers in the following commit:
>
> commit 0587102cf9f427c185bfdeb2cef41e13ee0264b1
> Author: Alan Cox<alan at linux.intel.com>
> Date: Thu Sep 16 18:21:52 2010 +0100
>
> tty: icount changeover for other main devices
>
> This commit is already applied for Natty and later arriving via
> mainline. Following this email are patches for Hardy, Lucid,
> Lucid/fsl-imx51, and Maverick.
>
> NOTE: these are all backports with conflicts, are huge, and therefore
> deserve some real review before application.
>
> -apw
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
Tim Gardner tim.gardner at canonical.com
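
Added example, not part of the original thread or the upstream commits: a user-space C model of the TIOCGICOUNT leak described in the quoted CVE text. It assumes the uninitialized member is the `reserved` array of `struct serial_icounter_struct` and that the fix clears the structure before the driver fills it; the counter values and the 0xA5 marker are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Field layout follows struct serial_icounter_struct in <linux/serial.h>. */
struct icounter {
    int cts, dsr, rng, dcd;
    int rx, tx;
    int frame, overrun, parity, brk;
    int buf_overrun;
    int reserved[9];   /* assumed to be the member the CVE text refers to */
};

#define STALE 0xA5     /* constructed marker standing in for old stack data */

/* Driver-side fill: sets the counters it knows about, nothing else. */
static void fill_counters(struct icounter *ic)
{
    ic->cts = 3;  ic->dsr = 1;  ic->rng = 0;  ic->dcd = 2;
    ic->rx = 1200;  ic->tx = 800;
    ic->frame = 0;  ic->overrun = 0;  ic->parity = 0;  ic->brk = 0;
    ic->buf_overrun = 0;
}

/* Simulates one TIOCGICOUNT call and returns how many stale bytes reach the
 * caller. zero_first=0: old per-driver pattern; zero_first=1: the struct is
 * cleared before the driver fills it. */
static size_t leaked_bytes(int zero_first)
{
    struct icounter ic;
    unsigned char user_buf[sizeof ic];
    size_t i, n = 0;

    memset(&ic, STALE, sizeof ic);        /* model a dirty stack slot */
    if (zero_first)
        memset(&ic, 0, sizeof ic);
    fill_counters(&ic);
    memcpy(user_buf, &ic, sizeof ic);     /* stands in for copy_to_user() */

    for (i = 0; i < sizeof user_buf; i++)
        n += (user_buf[i] == STALE);
    return n;
}

int main(void)
{
    printf("unzeroed: %zu stale bytes, zeroed: %zu\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

When reviewing a backported driver, the same check applies by eye: every path that copies the structure to user space should either clear it first or receive it already cleared from the caller.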