[Dapper,CVE-2010-4242,1/1] bluetooth: Fix missing NULL check, CVE-2010-4242

Message ID 1297456520-4811-2-git-send-email-brad.figg@canonical.com
State Accepted
Commit 2b4d107cba9ec532e112376537273155825999cf
Headers show

Commit Message

Brad Figg Feb. 11, 2011, 8:35 p.m.
From: Alan Cox <alan@linux.intel.com>


BugLink: http://bugs.launchpad.net/bugs/714846

Fortunately this is only exploitable on very unusual hardware.

[Reported a while ago but nothing happened so just fixing it]

Signed-off-by: Alan Cox <alan@linux.intel.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(backported from commit c19483cc5e56ac5e22dd19cf25ba210ab1537773)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
 drivers/bluetooth/hci_ldisc.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)


diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 573ff6c..68a4649 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -269,9 +269,16 @@  static int hci_uart_tty_open(struct tty_struct *tty)
 	BT_DBG("tty %p", tty);
+	/* FIXME: This btw is bogus, nothing requires the old ldisc to clear
+	   the pointer */
 	if (hu)
 		return -EEXIST;
+	/* Error if the tty has no write op instead of leaving an exploitable
+	   hole */
+	if (tty->driver->write == NULL)
+		return -EOPNOTSUPP;
 	if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
 		BT_ERR("Can't allocate controll structure");
 		return -ENFILE;