Patchwork [Karmic,CVE-2010-4242,1/1] bluetooth: Fix missing NULL check, CVE-2010-4242

login
register
mail settings
Submitter Brad Figg
Date Feb. 11, 2011, 8:35 p.m.
Message ID <1297456520-4811-4-git-send-email-brad.figg@canonical.com>
Download mbox | patch
Permalink /patch/82827/
State Accepted
Commit b1d4fa1acd8312be4a5c8033b651b39725995043
Headers show

Comments

Brad Figg - Feb. 11, 2011, 8:35 p.m.
From: Alan Cox <alan@linux.intel.com>

CVE-2010-4242

BugLink: http://bugs.launchpad.net/bugs/714846

Fortunately this is only exploitable on very unusual hardware.

[Reported a while ago but nothing happened so just fixing it]

Signed-off-by: Alan Cox <alan@linux.intel.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry-picked from commit c19483cc5e56ac5e22dd19cf25ba210ab1537773)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
---
 drivers/bluetooth/hci_ldisc.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

Patch

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 998833d..17361ba 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -256,9 +256,16 @@  static int hci_uart_tty_open(struct tty_struct *tty)
 
 	BT_DBG("tty %p", tty);
 
+	/* FIXME: This btw is bogus, nothing requires the old ldisc to clear
+	   the pointer */
 	if (hu)
 		return -EEXIST;
 
+	/* Error if the tty has no write op instead of leaving an exploitable
+	   hole */
+	if (tty->ops->write == NULL)
+		return -EOPNOTSUPP;
+
 	if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
 		BT_ERR("Can't allocate control structure");
 		return -ENFILE;