anolis-cloud-kernel/drivers/tty
Daniel Starke 6c2d2b56d3 tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
ANBZ: #12836

commit 47388e807f upstream.

Assuming the following:
- side A configures the n_gsm in basic option mode
- side B sends the header of a basic option mode frame with data length 1
- side A switches to advanced option mode
- side B sends 2 data bytes which exceeds gsm->len
  Reason: gsm->len is not used in advanced option mode.
- side A switches to basic option mode
- side B keeps sending until gsm0_receive() writes past gsm->buf
  Reason: Neither gsm->state nor gsm->len have been reset after
  reconfiguration.

Fix this by changing gsm->count to gsm->len comparison from equal to less
than. Also add upper limit checks against the constant MAX_MRU in
gsm0_receive() and gsm1_receive() to harden against memory corruption of
gsm->len and gsm->mru.

All other checks remain as we still need to limit the data according to the
user configuration and actual payload size.

Reported-by: j51569436@gmail.com
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708
Tested-by: j51569436@gmail.com
Fixes: e1eaea46bb ("tty: n_gsm line discipline")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
Link: https://lore.kernel.org/r/20240424054842.7741-1-daniel.starke@siemens.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes: CVE-2024-36016
Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
Reviewed-by: Guixin Liu <kanie@linux.alibaba.com>
Link: https://gitee.com/anolis/cloud-kernel/pulls/4996
2025-03-31 02:38:11 +00:00
hvc
ipwireless
serdev
serial serial: 8250_omap: Implementation of Errata i2310 2025-03-31 02:29:36 +00:00
vt vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF 2024-09-10 03:08:53 +00:00
Kconfig
Makefile
amiserial.c
cyclades.c tty: drivers/tty/, stop using tty_schedule_flip() 2022-07-29 17:19:27 +02:00
ehv_bytechan.c
goldfish.c tty: drivers/tty/, stop using tty_schedule_flip() 2022-07-29 17:19:27 +02:00
isicom.c
mips_ejtag_fdc.c
moxa.c tty: drivers/tty/, stop using tty_schedule_flip() 2022-07-29 17:19:27 +02:00
moxa.h
mxser.c
mxser.h
n_gsm.c tty: n_gsm: fix possible out-of-bounds in gsm0_receive() 2025-03-31 02:38:11 +00:00
n_hdlc.c
n_null.c
n_r3964.c
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c anolis: pstore: fix ttyprobe hook 2023-03-10 06:12:21 +00:00
nozomi.c
pty.c tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() 2022-07-29 17:19:28 +02:00
rocket.c
rocket.h
rocket_int.h
synclink.c
synclink_gt.c tty: synclink_gt: Fix null-pointer-dereference in slgt_clean() 2022-06-14 18:32:41 +02:00
synclinkmp.c
sysrq.c sysrq: do not omit current cpu when showing backtrace of all active CPUs 2022-06-14 18:32:42 +02:00
tty_audit.c
tty_baudrate.c
tty_buffer.c tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() 2022-07-29 17:19:28 +02:00
tty_io.c
tty_ioctl.c
tty_jobctrl.c
tty_ldisc.c
tty_ldsem.c
tty_mutex.c
tty_port.c
ttynull.c
vcc.c tty: vcc: Add check for kstrdup() in vcc_probe() 2025-03-25 11:10:13 +00:00