[PATCH 0/1][SRU][T] CVE-2017-18360: Local DoS in io_ti serial driver

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH 0/1][SRU][T] CVE-2017-18360: Local DoS in io_ti serial driver

Tyler Hicks-2
 In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel
 before 4.11.3, local users could cause a denial of service by
 division-by-zero in the serial device layer by trying to set very high baud
 rates.

 - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18360.html

Clean cherry pick to Trusty. Build logs are clean. I was able to ensure that
the module loads but don't have the hardware to test the code change.

Tyler

Johan Hovold (1):
  USB: serial: io_ti: fix div-by-zero in set_termios

 drivers/usb/serial/io_ti.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[PATCH 1/1] USB: serial: io_ti: fix div-by-zero in set_termios

Tyler Hicks-2
From: Johan Hovold <[hidden email]>

Fix a division-by-zero in set_termios when debugging is enabled and a
high-enough speed has been requested so that the divisor value becomes
zero.

Instead of just fixing the offending debug statement, cap the baud rate
at the base as a zero divisor value also appears to crash the firmware.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <[hidden email]>     # 2.6.12
Reviewed-by: Greg Kroah-Hartman <[hidden email]>
Signed-off-by: Johan Hovold <[hidden email]>

CVE-2017-18360

(cherry picked from commit 6aeb75e6adfaed16e58780309613a578fe1ee90b)
Signed-off-by: Tyler Hicks <[hidden email]>
---
 drivers/usb/serial/io_ti.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index 8c2b58ace70a..cbc1b3afca01 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -2233,8 +2233,11 @@ static void change_port_settings(struct tty_struct *tty,
  if (!baud) {
  /* pick a default, any default... */
  baud = 9600;
- } else
+ } else {
+ /* Avoid a zero divisor. */
+ baud = min(baud, 461550);
  tty_encode_baud_rate(tty, baud, baud);
+ }
 
  edge_port->baud_rate = baud;
  config->wBaudRate = (__u16)((461550L + baud/2) / baud);
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [PATCH 1/1] USB: serial: io_ti: fix div-by-zero in set_termios

Colin Ian King-2
On 11/02/2019 17:40, Tyler Hicks wrote:

> From: Johan Hovold <[hidden email]>
>
> Fix a division-by-zero in set_termios when debugging is enabled and a
> high-enough speed has been requested so that the divisor value becomes
> zero.
>
> Instead of just fixing the offending debug statement, cap the baud rate
> at the base as a zero divisor value also appears to crash the firmware.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable <[hidden email]>     # 2.6.12
> Reviewed-by: Greg Kroah-Hartman <[hidden email]>
> Signed-off-by: Johan Hovold <[hidden email]>
>
> CVE-2017-18360
>
> (cherry picked from commit 6aeb75e6adfaed16e58780309613a578fe1ee90b)
> Signed-off-by: Tyler Hicks <[hidden email]>
> ---
>  drivers/usb/serial/io_ti.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
> index 8c2b58ace70a..cbc1b3afca01 100644
> --- a/drivers/usb/serial/io_ti.c
> +++ b/drivers/usb/serial/io_ti.c
> @@ -2233,8 +2233,11 @@ static void change_port_settings(struct tty_struct *tty,
>   if (!baud) {
>   /* pick a default, any default... */
>   baud = 9600;
> - } else
> + } else {
> + /* Avoid a zero divisor. */
> + baud = min(baud, 461550);
>   tty_encode_baud_rate(tty, baud, baud);
> + }
>  
>   edge_port->baud_rate = baud;
>   config->wBaudRate = (__u16)((461550L + baud/2) / baud);
>

Clean cherry pick, looks OK to me.

Acked-by: Colin Ian King <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [PATCH 1/1] USB: serial: io_ti: fix div-by-zero in set_termios

Marcelo Henrique Cerri
In reply to this post by Tyler Hicks-2
Acked-by: Marcelo Henrique Cerri <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (499 bytes) Download Attachment