FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 02-17-2011, 05:00 PM
 
Default Karmic CVE: tty: Make tiocgicount a handler, CVE-2010-4076

The following changes since commit 9c40f6a021668061c2bcfaf2e74c1596eee74cd0:
Tim Gardner (1):
UBUNTU: Bump ABI

are available in the git repository at:

git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4076

Alan Cox (1):
tty: Make tiocgicount a handler, CVE-2010-4076

drivers/char/tty_io.c | 21 +++++++++++++++++++++
drivers/serial/serial_core.c | 37 +++++++++++++++++--------------------
drivers/usb/serial/usb-serial.c | 13 +++++++++++++
include/linux/tty_driver.h | 9 +++++++++
include/linux/usb/serial.h | 2 ++
5 files changed, 62 insertions(+), 20 deletions(-)
 
Old 02-18-2011, 12:10 PM
Stefan Bader
 
Default Karmic CVE: tty: Make tiocgicount a handler, CVE-2010-4076

On 02/17/2011 07:00 PM, Tim Gardner wrote:
> The following changes since commit 9c40f6a021668061c2bcfaf2e74c1596eee74cd0:
> Tim Gardner (1):
> UBUNTU: Bump ABI
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4076
>
> Alan Cox (1):
> tty: Make tiocgicount a handler, CVE-2010-4076
>
> drivers/char/tty_io.c | 21 +++++++++++++++++++++
> drivers/serial/serial_core.c | 37 +++++++++++++++++--------------------
> drivers/usb/serial/usb-serial.c | 13 +++++++++++++
> include/linux/tty_driver.h | 9 +++++++++
> include/linux/usb/serial.h | 2 ++
> 5 files changed, 62 insertions(+), 20 deletions(-)
>
> From 807e98d20e26876bb0fa003d8d9b32428a8d8b97 Mon Sep 17 00:00:00 2001
> From: Alan Cox <alan@linux.intel.com>
> Date: Thu, 16 Sep 2010 18:21:24 +0100
> Subject: [PATCH] tty: Make tiocgicount a handler, CVE-2010-4076
>
> BugLink: http://bugs.launchpad.net/bugs/720189
>
> CVE-2010-4076
>
> Dan Rosenberg noted that various drivers return the struct with uncleared
> fields. Instead of spending forever trying to stomp all the drivers that
> get it wrong (and every new driver) do the job in one place.
>
> This first patch adds the needed operations and hooks them up, including
> the needed USB midlayer and serial core plumbing.
>
> Signed-off-by: Alan Cox <alan@linux.intel.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>
> (cherry picked from commit d281da7ff6f70efca0553c288bb883e8605b3862)
>
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
> drivers/char/tty_io.c | 21 +++++++++++++++++++++
> drivers/serial/serial_core.c | 37 +++++++++++++++++--------------------
> drivers/usb/serial/usb-serial.c | 13 +++++++++++++
> include/linux/tty_driver.h | 9 +++++++++
> include/linux/usb/serial.h | 2 ++
> 5 files changed, 62 insertions(+), 20 deletions(-)
>
> diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
> index e5704e1..1cc3563 100644
> --- a/drivers/char/tty_io.c
> +++ b/drivers/char/tty_io.c
> @@ -96,6 +96,7 @@
> #include <linux/bitops.h>
> #include <linux/delay.h>
> #include <linux/seq_file.h>
> +#include <linux/serial.h>
>
> #include <linux/uaccess.h>
> #include <asm/system.h>
> @@ -2418,6 +2419,20 @@ static int tty_tiocmset(struct tty_struct *tty, struct file *file, unsigned int
> return tty->ops->tiocmset(tty, file, set, clear);
> }
>
> +static int tty_tiocgicount(struct tty_struct *tty, void __user *arg)
> +{
> + int retval = -EINVAL;
> + struct serial_icounter_struct icount;
> + memset(&icount, 0, sizeof(icount));
> + if (tty->ops->get_icount)
> + retval = tty->ops->get_icount(tty, &icount);
> + if (retval != 0)
> + return retval;
> + if (copy_to_user(arg, &icount, sizeof(icount)))
> + return -EFAULT;
> + return 0;
> +}
> +
> struct tty_struct *tty_pair_get_tty(struct tty_struct *tty)
> {
> if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
> @@ -2538,6 +2553,12 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> case TIOCMBIC:
> case TIOCMBIS:
> return tty_tiocmset(tty, file, cmd, p);
> + case TIOCGICOUNT:
> + retval = tty_tiocgicount(tty, p);
> + /* For the moment allow fall through to the old method */
> + if (retval != -EINVAL)
> + return retval;
> + break;
> case TCFLSH:
> switch (arg) {
> case TCIFLUSH:
> diff --git a/drivers/serial/serial_core.c b/drivers/serial/serial_core.c
> index b0bb29d..216272a 100644
> --- a/drivers/serial/serial_core.c
> +++ b/drivers/serial/serial_core.c
> @@ -1059,10 +1059,10 @@ uart_wait_modem_status(struct uart_state *state, unsigned long arg)
> * NB: both 1->0 and 0->1 transitions are counted except for
> * RI where only 0->1 is counted.
> */
> -static int uart_get_count(struct uart_state *state,
> - struct serial_icounter_struct __user *icnt)
> +static int uart_get_icount(struct tty_struct *tty,
> + struct serial_icounter_struct *icount)
> {
> - struct serial_icounter_struct icount;
> + struct uart_state *state = tty->driver_data;
> struct uart_icount cnow;
> struct uart_port *port = state->port;
>
> @@ -1070,19 +1070,19 @@ static int uart_get_count(struct uart_state *state,
> memcpy(&cnow, &port->icount, sizeof(struct uart_icount));
> spin_unlock_irq(&port->lock);
>
> - icount.cts = cnow.cts;
> - icount.dsr = cnow.dsr;
> - icount.rng = cnow.rng;
> - icount.dcd = cnow.dcd;
> - icount.rx = cnow.rx;
> - icount.tx = cnow.tx;
> - icount.frame = cnow.frame;
> - icount.overrun = cnow.overrun;
> - icount.parity = cnow.parity;
> - icount.brk = cnow.brk;
> - icount.buf_overrun = cnow.buf_overrun;
> + icount->cts = cnow.cts;
> + icount->dsr = cnow.dsr;
> + icount->rng = cnow.rng;
> + icount->dcd = cnow.dcd;
> + icount->rx = cnow.rx;
> + icount->tx = cnow.tx;
> + icount->frame = cnow.frame;
> + icount->overrun = cnow.overrun;
> + icount->parity = cnow.parity;
> + icount->brk = cnow.brk;
> + icount->buf_overrun = cnow.buf_overrun;
>
> - return copy_to_user(icnt, &icount, sizeof(icount)) ? -EFAULT : 0;
> + return 0;
> }
>
> /*
> @@ -1134,10 +1134,6 @@ uart_ioctl(struct tty_struct *tty, struct file *filp, unsigned int cmd,
> case TIOCMIWAIT:
> ret = uart_wait_modem_status(state, arg);
> break;
> -
> - case TIOCGICOUNT:
> - ret = uart_get_count(state, uarg);
> - break;
> }
>
> if (ret != -ENOIOCTLCMD)
> @@ -2299,6 +2295,7 @@ static const struct tty_operations uart_ops = {
> #endif
> .tiocmget = uart_tiocmget,
> .tiocmset = uart_tiocmset,
> + .get_icount = uart_get_icount,
> #ifdef CONFIG_CONSOLE_POLL
> .poll_init = uart_poll_init,
> .poll_get_char = uart_poll_get_char,
> diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
> index 3292e03..10d5d35 100644
> --- a/drivers/usb/serial/usb-serial.c
> +++ b/drivers/usb/serial/usb-serial.c
> @@ -569,6 +569,18 @@ static int serial_tiocmset(struct tty_struct *tty, struct file *file,
> return -EINVAL;
> }
>
> +static int serial_get_icount(struct tty_struct *tty,
> + struct serial_icounter_struct *icount)
> +{
> + struct usb_serial_port *port = tty->driver_data;
> +
> + dbg("%s - port %d", __func__, port->number);
> +
> + if (port->serial->type->get_icount)
> + return port->serial->type->get_icount(tty, icount);
> + return -EINVAL;
> +}
> +
> /*
> * We would be calling tty_wakeup here, but unfortunately some line
> * disciplines have an annoying habit of calling tty->write from
> @@ -1210,6 +1222,7 @@ static const struct tty_operations serial_ops = {
> .tiocmget = serial_tiocmget,
> .tiocmset = serial_tiocmset,
> .shutdown = serial_release,
> + .get_icount = serial_get_icount,
> .install = serial_install,
> .proc_fops = &serial_proc_fops,
> };
> diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
> index 3566129..c6a8bda 100644
> --- a/include/linux/tty_driver.h
> +++ b/include/linux/tty_driver.h
> @@ -216,6 +216,12 @@
> * unless the tty also has a valid tty->termiox pointer.
> *
> * Optional: Called under the termios lock
> + *
> + * int (*get_icount)(struct tty_struct *tty, struct serial_icounter *icount);
> + *
> + * Called when the device receives a TIOCGICOUNT ioctl. Passed a kernel
> + * structure to complete. This method is optional and will only be called
> + * if provided (otherwise EINVAL will be returned).
> */
>
> #include <linux/fs.h>
> @@ -224,6 +230,7 @@
>
> struct tty_struct;
> struct tty_driver;
> +struct serial_icounter_struct;
>
> struct tty_operations {
> struct tty_struct * (*lookup)(struct tty_driver *driver,
> @@ -259,6 +266,8 @@ struct tty_operations {
> unsigned int set, unsigned int clear);
> int (*resize)(struct tty_struct *tty, struct winsize *ws);
> int (*set_termiox)(struct tty_struct *tty, struct termiox *tnew);
> + int (*get_icount)(struct tty_struct *tty,
> + struct serial_icounter_struct *icount);
> #ifdef CONFIG_CONSOLE_POLL
> int (*poll_init)(struct tty_driver *driver, int line, char *options);
> int (*poll_get_char)(struct tty_driver *driver, int line);
> diff --git a/include/linux/usb/serial.h b/include/linux/usb/serial.h
> index 20b12f3..25cb53d 100644
> --- a/include/linux/usb/serial.h
> +++ b/include/linux/usb/serial.h
> @@ -258,6 +258,8 @@ struct usb_serial_driver {
> int (*tiocmget)(struct tty_struct *tty, struct file *file);
> int (*tiocmset)(struct tty_struct *tty, struct file *file,
> unsigned int set, unsigned int clear);
> + int (*get_icount)(struct tty_struct *tty,
> + struct serial_icounter_struct *icount);
> /* Called by the tty layer for port level work. There may or may not
> be an attached tty at this point */
> void (*dtr_rts)(struct usb_serial_port *port, int on);


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-18-2011, 01:13 PM
Tim Gardner
 
Default Karmic CVE: tty: Make tiocgicount a handler, CVE-2010-4076

This is a multi-part message in MIME format.
Added CVE-2010-4077

--
Tim Gardner tim.gardner@canonical.com
 
Old 02-22-2011, 03:24 PM
Brad Figg
 
Default Karmic CVE: tty: Make tiocgicount a handler, CVE-2010-4076

On 02/17/2011 10:00 AM, Tim Gardner wrote:

The following changes since commit 9c40f6a021668061c2bcfaf2e74c1596eee74cd0:
Tim Gardner (1):
UBUNTU: Bump ABI

are available in the git repository at:

git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4076

Alan Cox (1):
tty: Make tiocgicount a handler, CVE-2010-4076

drivers/char/tty_io.c | 21 +++++++++++++++++++++
drivers/serial/serial_core.c | 37 +++++++++++++++++--------------------
drivers/usb/serial/usb-serial.c | 13 +++++++++++++
include/linux/tty_driver.h | 9 +++++++++
include/linux/usb/serial.h | 2 ++
5 files changed, 62 insertions(+), 20 deletions(-)

From 807e98d20e26876bb0fa003d8d9b32428a8d8b97 Mon Sep 17 00:00:00 2001
From: Alan Cox<alan@linux.intel.com>
Date: Thu, 16 Sep 2010 18:21:24 +0100
Subject: [PATCH] tty: Make tiocgicount a handler, CVE-2010-4076

BugLink: http://bugs.launchpad.net/bugs/720189

CVE-2010-4076

Dan Rosenberg noted that various drivers return the struct with uncleared
fields. Instead of spending forever trying to stomp all the drivers that
get it wrong (and every new driver) do the job in one place.

This first patch adds the needed operations and hooks them up, including
the needed USB midlayer and serial core plumbing.

Signed-off-by: Alan Cox<alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de>

(cherry picked from commit d281da7ff6f70efca0553c288bb883e8605b3862)

Signed-off-by: Tim Gardner<tim.gardner@canonical.com>
---
drivers/char/tty_io.c | 21 +++++++++++++++++++++
drivers/serial/serial_core.c | 37 +++++++++++++++++--------------------
drivers/usb/serial/usb-serial.c | 13 +++++++++++++
include/linux/tty_driver.h | 9 +++++++++
include/linux/usb/serial.h | 2 ++
5 files changed, 62 insertions(+), 20 deletions(-)

diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
index e5704e1..1cc3563 100644
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -96,6 +96,7 @@
#include<linux/bitops.h>
#include<linux/delay.h>
#include<linux/seq_file.h>
+#include<linux/serial.h>

#include<linux/uaccess.h>
#include<asm/system.h>
@@ -2418,6 +2419,20 @@ static int tty_tiocmset(struct tty_struct *tty, struct file *file, unsigned int
return tty->ops->tiocmset(tty, file, set, clear);
}

+static int tty_tiocgicount(struct tty_struct *tty, void __user *arg)
+{
+ int retval = -EINVAL;
+ struct serial_icounter_struct icount;
+ memset(&icount, 0, sizeof(icount));
+ if (tty->ops->get_icount)
+ retval = tty->ops->get_icount(tty,&icount);
+ if (retval != 0)
+ return retval;
+ if (copy_to_user(arg,&icount, sizeof(icount)))
+ return -EFAULT;
+ return 0;
+}
+
struct tty_struct *tty_pair_get_tty(struct tty_struct *tty)
{
if (tty->driver->type == TTY_DRIVER_TYPE_PTY&&
@@ -2538,6 +2553,12 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
case TIOCMBIC:
case TIOCMBIS:
return tty_tiocmset(tty, file, cmd, p);
+ case TIOCGICOUNT:
+ retval = tty_tiocgicount(tty, p);
+ /* For the moment allow fall through to the old method */
+ if (retval != -EINVAL)
+ return retval;
+ break;
case TCFLSH:
switch (arg) {
case TCIFLUSH:
diff --git a/drivers/serial/serial_core.c b/drivers/serial/serial_core.c
index b0bb29d..216272a 100644
--- a/drivers/serial/serial_core.c
+++ b/drivers/serial/serial_core.c
@@ -1059,10 +1059,10 @@ uart_wait_modem_status(struct uart_state *state, unsigned long arg)
* NB: both 1->0 and 0->1 transitions are counted except for
* RI where only 0->1 is counted.
*/
-static int uart_get_count(struct uart_state *state,
- struct serial_icounter_struct __user *icnt)
+static int uart_get_icount(struct tty_struct *tty,
+ struct serial_icounter_struct *icount)
{
- struct serial_icounter_struct icount;
+ struct uart_state *state = tty->driver_data;
struct uart_icount cnow;
struct uart_port *port = state->port;

@@ -1070,19 +1070,19 @@ static int uart_get_count(struct uart_state *state,
memcpy(&cnow,&port->icount, sizeof(struct uart_icount));
spin_unlock_irq(&port->lock);

- icount.cts = cnow.cts;
- icount.dsr = cnow.dsr;
- icount.rng = cnow.rng;
- icount.dcd = cnow.dcd;
- icount.rx = cnow.rx;
- icount.tx = cnow.tx;
- icount.frame = cnow.frame;
- icount.overrun = cnow.overrun;
- icount.parity = cnow.parity;
- icount.brk = cnow.brk;
- icount.buf_overrun = cnow.buf_overrun;
+ icount->cts = cnow.cts;
+ icount->dsr = cnow.dsr;
+ icount->rng = cnow.rng;
+ icount->dcd = cnow.dcd;
+ icount->rx = cnow.rx;
+ icount->tx = cnow.tx;
+ icount->frame = cnow.frame;
+ icount->overrun = cnow.overrun;
+ icount->parity = cnow.parity;
+ icount->brk = cnow.brk;
+ icount->buf_overrun = cnow.buf_overrun;

- return copy_to_user(icnt,&icount, sizeof(icount)) ? -EFAULT : 0;
+ return 0;
}

/*
@@ -1134,10 +1134,6 @@ uart_ioctl(struct tty_struct *tty, struct file *filp, unsigned int cmd,
case TIOCMIWAIT:
ret = uart_wait_modem_status(state, arg);
break;
-
- case TIOCGICOUNT:
- ret = uart_get_count(state, uarg);
- break;
}

if (ret != -ENOIOCTLCMD)
@@ -2299,6 +2295,7 @@ static const struct tty_operations uart_ops = {
#endif
.tiocmget = uart_tiocmget,
.tiocmset = uart_tiocmset,
+ .get_icount = uart_get_icount,
#ifdef CONFIG_CONSOLE_POLL
.poll_init = uart_poll_init,
.poll_get_char = uart_poll_get_char,
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 3292e03..10d5d35 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -569,6 +569,18 @@ static int serial_tiocmset(struct tty_struct *tty, struct file *file,
return -EINVAL;
}

+static int serial_get_icount(struct tty_struct *tty,
+ struct serial_icounter_struct *icount)
+{
+ struct usb_serial_port *port = tty->driver_data;
+
+ dbg("%s - port %d", __func__, port->number);
+
+ if (port->serial->type->get_icount)
+ return port->serial->type->get_icount(tty, icount);
+ return -EINVAL;
+}
+
/*
* We would be calling tty_wakeup here, but unfortunately some line
* disciplines have an annoying habit of calling tty->write from
@@ -1210,6 +1222,7 @@ static const struct tty_operations serial_ops = {
.tiocmget = serial_tiocmget,
.tiocmset = serial_tiocmset,
.shutdown = serial_release,
+ .get_icount = serial_get_icount,
.install = serial_install,
.proc_fops = &serial_proc_fops,
};
diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
index 3566129..c6a8bda 100644
--- a/include/linux/tty_driver.h
+++ b/include/linux/tty_driver.h
@@ -216,6 +216,12 @@
* unless the tty also has a valid tty->termiox pointer.
*
* Optional: Called under the termios lock
+ *
+ * int (*get_icount)(struct tty_struct *tty, struct serial_icounter *icount);
+ *
+ * Called when the device receives a TIOCGICOUNT ioctl. Passed a kernel
+ * structure to complete. This method is optional and will only be called
+ * if provided (otherwise EINVAL will be returned).
*/

#include<linux/fs.h>
@@ -224,6 +230,7 @@

struct tty_struct;
struct tty_driver;
+struct serial_icounter_struct;

struct tty_operations {
struct tty_struct * (*lookup)(struct tty_driver *driver,
@@ -259,6 +266,8 @@ struct tty_operations {
unsigned int set, unsigned int clear);
int (*resize)(struct tty_struct *tty, struct winsize *ws);
int (*set_termiox)(struct tty_struct *tty, struct termiox *tnew);
+ int (*get_icount)(struct tty_struct *tty,
+ struct serial_icounter_struct *icount);
#ifdef CONFIG_CONSOLE_POLL
int (*poll_init)(struct tty_driver *driver, int line, char *options);
int (*poll_get_char)(struct tty_driver *driver, int line);
diff --git a/include/linux/usb/serial.h b/include/linux/usb/serial.h
index 20b12f3..25cb53d 100644
--- a/include/linux/usb/serial.h
+++ b/include/linux/usb/serial.h
@@ -258,6 +258,8 @@ struct usb_serial_driver {
int (*tiocmget)(struct tty_struct *tty, struct file *file);
int (*tiocmset)(struct tty_struct *tty, struct file *file,
unsigned int set, unsigned int clear);
+ int (*get_icount)(struct tty_struct *tty,
+ struct serial_icounter_struct *icount);
/* Called by the tty layer for port level work. There may or may not
be an attached tty at this point */
void (*dtr_rts)(struct usb_serial_port *port, int on);


Acked-by: Brad Figg <brad.figg@canonical.com>

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-22-2011, 04:17 PM
Tim Gardner
 
Default Karmic CVE: tty: Make tiocgicount a handler, CVE-2010-4076

applied

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 02:19 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org