kernel_samsung_a53x/drivers/tty
Daniel Starke 5c838410ee tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
commit 47388e807f85948eefc403a8a5fdc5b406a65d5a upstream.

Assuming the following:
- side A configures the n_gsm in basic option mode
- side B sends the header of a basic option mode frame with data length 1
- side A switches to advanced option mode
- side B sends 2 data bytes which exceeds gsm->len
  Reason: gsm->len is not used in advanced option mode.
- side A switches to basic option mode
- side B keeps sending until gsm0_receive() writes past gsm->buf
  Reason: Neither gsm->state nor gsm->len have been reset after
  reconfiguration.

Fix this by changing gsm->count to gsm->len comparison from equal to less
than. Also add upper limit checks against the constant MAX_MRU in
gsm0_receive() and gsm1_receive() to harden against memory corruption of
gsm->len and gsm->mru.

All other checks remain as we still need to limit the data according to the
user configuration and actual payload size.

Reported-by: j51569436@gmail.com
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708
Tested-by: j51569436@gmail.com
Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
Link: https://lore.kernel.org/r/20240424054842.7741-1-daniel.starke@siemens.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-19 12:26:51 +01:00
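
The receive-state condition described in the commit message above, as a simplified stand-alone C model. This is an added example, not the kernel's n_gsm code and not part of the commit: `struct rx`, `rx_data_byte()`, `oob_writes()` and the small `MODEL_MAX_MRU` value are hypothetical names and constructed values, and the model counts writes that would leave the buffer instead of performing them.

```c
#include <stdio.h>

#define MODEL_MAX_MRU 8                 /* constructed small limit for the demo */

enum rx_state { RX_SEARCH, RX_DATA, RX_FCS };

struct rx {
    enum rx_state state;
    unsigned int len;                   /* payload length taken from the header */
    unsigned int count;                 /* payload bytes stored so far */
    unsigned char buf[MODEL_MAX_MRU + 1];
    unsigned int oob;                   /* writes that would have left buf */
};

/* One data-state step. hardened=0: equality-only end test. hardened=1: range tests. */
static void rx_data_byte(struct rx *r, unsigned char c, int hardened)
{
    if (r->state != RX_DATA)
        return;
    if (r->count < sizeof(r->buf))
        r->buf[r->count] = c;
    else
        r->oob++;                       /* model only: record, do not corrupt */
    r->count++;
    if (hardened && r->count >= MODEL_MAX_MRU)
        r->state = RX_SEARCH;           /* oversize: drop the frame and resync */
    else if (hardened ? r->count >= r->len : r->count == r->len)
        r->state = RX_FCS;              /* payload complete */
}

/* Start in the data state with the given len/count (not reset after a
 * reconfiguration), feed n bytes, return the number of out-of-range writes. */
unsigned int oob_writes(int hardened, unsigned int len, unsigned int count, unsigned int n)
{
    struct rx r = { .state = RX_DATA, .len = len, .count = count };
    for (unsigned int i = 0; i < n; i++)
        rx_data_byte(&r, 0x41, hardened);
    return r.oob;
}

int main(void)
{
    /* Stale state from the commit message: count (2) already past len (1). */
    printf("stale state, equality test: %u\n", oob_writes(0, 1, 2, 64));
    printf("stale state, range tests:   %u\n", oob_writes(1, 1, 2, 64));
    /* Corrupted len larger than the buffer: only the upper limit stops it. */
    printf("bad len, equality test:     %u\n", oob_writes(0, 1000, 0, 64));
    printf("bad len, range tests:       %u\n", oob_writes(1, 1000, 0, 64));
    return 0;
}
```

With the equality test the counter steps over `len` once and never matches it again, so every further byte advances the write index; the range tests end the frame on the first byte and cap it at the limit regardless of `len`.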
..
hvc hvc/xen: prevent concurrent accesses to the shared ring 2024-11-18 22:25:34 +01:00
ipwireless
serdev
serial serial: kgdboc: Fix NMI-safety problems from keyboard reset code 2024-11-19 12:26:50 +01:00
vt vt: fix unicode buffer corruption when deleting characters 2024-11-19 09:22:39 +01:00
amiserial.c
cyclades.c
ehv_bytechan.c
goldfish.c
isicom.c
Kconfig
Makefile
mips_ejtag_fdc.c
moxa.c
moxa.h
mxser.c
mxser.h
n_gsm.c tty: n_gsm: fix possible out-of-bounds in gsm0_receive() 2024-11-19 12:26:51 +01:00
n_hdlc.c
n_null.c
n_r3964.c
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c
nozomi.c
pty.c
rocket.c
rocket.h
rocket_int.h
synclink.c
synclink_gt.c
synclinkmp.c
sysrq.c tty/sysrq: replace smp_processor_id() with get_cpu() 2024-11-18 11:43:21 +01:00
tty.h tty: change tty_write_lock()'s ndelay parameter to bool 2024-11-18 12:12:49 +01:00
tty_audit.c
tty_baudrate.c
tty_buffer.c
tty_io.c usb: cdc-acm: return correct error code on unsupported break 2024-11-18 12:12:50 +01:00
tty_ioctl.c tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE 2024-11-18 12:13:20 +01:00
tty_jobctrl.c tty: tty_jobctrl: fix pid memleak in disassociate_ctty() 2024-11-18 11:43:05 +01:00
tty_ldisc.c
tty_ldsem.c
tty_mutex.c
tty_port.c
ttynull.c
vcc.c tty: vcc: Add check for kstrdup() in vcc_probe() 2024-11-18 11:43:14 +01:00