| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200224083838.306381-1-ebiggers@kernel.org>
Date: Mon, 24 Feb 2020 00:38:38 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jiri Slaby <jslaby@...e.com>
Cc: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
Al Viro <viro@...iv.linux.org.uk>
Subject: [PATCH] tty: fix compat TIOCGSERIAL leaking uninitialized memory
From: Eric Biggers <ebiggers@...gle.com>
Commit 77654350306a ("take compat TIOC[SG]SERIAL treatment into
tty_compat_ioctl()") changed the compat version of TIOCGSERIAL to start
copying a whole struct to userspace rather than individual fields, but
failed to initialize all padding and fields -- namely the hole after the
'iomem_reg_shift' field, and the 'reserved' field.
Fix this by initializing the struct to zero.
Reported-by: syzbot+8da9175e28eadcb203ce@...kaller.appspotmail.com
Fixes: 77654350306a ("take compat TIOC[SG]SERIAL treatment into tty_compat_ioctl()")
Cc: <stable@...r.kernel.org> # v4.20+
Signed-off-by: Eric Biggers <ebiggers@...gle.com>
---
drivers/tty/tty_io.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 1fcf7ad83dfa0..d24c250312edf 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2731,6 +2731,7 @@ static int compat_tty_tiocgserial(struct tty_struct *tty,
struct serial_struct v;
int err;
memset(&v, 0, sizeof(struct serial_struct));
+ memset(&v32, 0, sizeof(struct serial_struct32));
if (!tty->ops->set_serial)
return -ENOTTY;
--
2.25.1
Powered by blists - more mailing lists