diff mbox series

[1/1] USB: serial: io_ti: fix div-by-zero in set_termios

Message ID 1549906832-27628-2-git-send-email-tyhicks@canonical.com
State New
Headers show
Series CVE-2017-18360: Local DoS in io_ti serial driver | expand

Commit Message

Tyler Hicks Feb. 11, 2019, 5:40 p.m. UTC 
From: Johan Hovold <johan@kernel.org>

Fix a division-by-zero in set_termios when debugging is enabled and a
high-enough speed has been requested so that the divisor value becomes
zero.

Instead of just fixing the offending debug statement, cap the baud rate
at the base as a zero divisor value also appears to crash the firmware.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@vger.kernel.org>     # 2.6.12
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>

CVE-2017-18360

(cherry picked from commit 6aeb75e6adfaed16e58780309613a578fe1ee90b)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 drivers/usb/serial/io_ti.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Colin Ian King Feb. 11, 2019, 5:57 p.m. UTC | #1 
On 11/02/2019 17:40, Tyler Hicks wrote:
> From: Johan Hovold <johan@kernel.org>
> 
> Fix a division-by-zero in set_termios when debugging is enabled and a
> high-enough speed has been requested so that the divisor value becomes
> zero.
> 
> Instead of just fixing the offending debug statement, cap the baud rate
> at the base as a zero divisor value also appears to crash the firmware.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable <stable@vger.kernel.org>     # 2.6.12
> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> 
> CVE-2017-18360
> 
> (cherry picked from commit 6aeb75e6adfaed16e58780309613a578fe1ee90b)
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
> ---
>  drivers/usb/serial/io_ti.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
> index 8c2b58ace70a..cbc1b3afca01 100644
> --- a/drivers/usb/serial/io_ti.c
> +++ b/drivers/usb/serial/io_ti.c
> @@ -2233,8 +2233,11 @@ static void change_port_settings(struct tty_struct *tty,
>  	if (!baud) {
>  		/* pick a default, any default... */
>  		baud = 9600;
> -	} else
> +	} else {
> +		/* Avoid a zero divisor. */
> +		baud = min(baud, 461550);
>  		tty_encode_baud_rate(tty, baud, baud);
> +	}
>  
>  	edge_port->baud_rate = baud;
>  	config->wBaudRate = (__u16)((461550L + baud/2) / baud);
> 

Clean cherry pick, looks OK to me.

Acked-by: Colin Ian King <colin.king@canonical.com>
Marcelo Henrique Cerri Feb. 11, 2019, 7:26 p.m. UTC | #2 
Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
diff mbox series

Patch

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index 8c2b58ace70a..cbc1b3afca01 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -2233,8 +2233,11 @@  static void change_port_settings(struct tty_struct *tty,
 	if (!baud) {
 		/* pick a default, any default... */
 		baud = 9600;
-	} else
+	} else {
+		/* Avoid a zero divisor. */
+		baud = min(baud, 461550);
 		tty_encode_baud_rate(tty, baud, baud);
+	}
 
 	edge_port->baud_rate = baud;
 	config->wBaudRate = (__u16)((461550L + baud/2) / baud);