[Karmic,CVE-2010-4242,1/1] bluetooth: Fix missing NULL check, CVE-2010-4242

Submitted by Brad Figg on Feb. 11, 2011, 8:35 p.m.


Message ID 1297456520-4811-4-git-send-email-brad.figg@canonical.com
State Accepted
Commit b1d4fa1acd8312be4a5c8033b651b39725995043
Headers show

Commit Message

Brad Figg Feb. 11, 2011, 8:35 p.m.
From: Alan Cox <alan@linux.intel.com>


BugLink: http://bugs.launchpad.net/bugs/714846

Fortunately this is only exploitable on very unusual hardware.

[Reported a while ago but nothing happened so just fixing it]

Signed-off-by: Alan Cox <alan@linux.intel.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry-picked from commit c19483cc5e56ac5e22dd19cf25ba210ab1537773)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
 drivers/bluetooth/hci_ldisc.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

Patch hide | download patch | download mbox

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 998833d..17361ba 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -256,9 +256,16 @@  static int hci_uart_tty_open(struct tty_struct *tty)
 	BT_DBG("tty %p", tty);
+	/* FIXME: This btw is bogus, nothing requires the old ldisc to clear
+	   the pointer */
 	if (hu)
 		return -EEXIST;
+	/* Error if the tty has no write op instead of leaving an exploitable
+	   hole */
+	if (tty->ops->write == NULL)
+		return -EOPNOTSUPP;
 	if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
 		BT_ERR("Can't allocate control structure");
 		return -ENFILE;