Commit ffb9f06
tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
jira LE-1907
cve CVE-2024-36016
Rebuild_History Non-Buildable kernel-5.14.0-427.37.1.el9_4
commit-author Daniel Starke <[email protected]>
commit 47388e8
Assuming the following:
- side A configures the n_gsm in basic option mode
- side B sends the header of a basic option mode frame with data length 1
- side A switches to advanced option mode
- side B sends 2 data bytes which exceeds gsm->len
  Reason: gsm->len is not used in advanced option mode.
- side A switches to basic option mode
- side B keeps sending until gsm0_receive() writes past gsm->buf
  Reason: Neither gsm->state nor gsm->len have been reset after
  reconfiguration.

Fix this by changing gsm->count to gsm->len comparison from equal to less
than. Also add upper limit checks against the constant MAX_MRU in
gsm0_receive() and gsm1_receive() to harden against memory corruption of
gsm->len and gsm->mru.

All other checks remain as we still need to limit the data according to the
user configuration and actual payload size.
Reported-by: [email protected]
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708
Tested-by: [email protected]
Fixes: e1eaea4 ("tty: n_gsm line discipline")
Cc: [email protected]
Signed-off-by: Daniel Starke <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit 47388e8)
Signed-off-by: Jonathan Maple <[email protected]>
1 parent 2675b6e commit ffb9f06
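The sequence from the commit message, replayed against a simplified receiver model. This is an added example, not the kernel's n_gsm code and not part of the commit; `struct rx`, `rx_byte()`, `replay()` and the small `MAX_MRU` value are assumptions made for illustration. It shows why an equality test never ends the data phase once the count has already passed the length, and how an at-least comparison plus a hard ceiling does.

```c
#define MAX_MRU 8                 /* assumed small ceiling for this model */
enum rx_state { RX_SEARCH, RX_DATA, RX_FCS };

struct rx {                       /* hypothetical stand-in for receiver state */
    unsigned char buf[MAX_MRU + 1];
    unsigned int len, count;
    enum rx_state state;
    int advanced;                 /* 1 = advanced option mode */
};

/* Feed one data byte; returns -1 where the write would fall outside buf. */
static int rx_byte(struct rx *g, unsigned char c, int fixed)
{
    if (g->state != RX_DATA)
        return 0;
    if (g->count >= sizeof(g->buf))
        return -1;                /* the model reports instead of overrunning */
    g->buf[g->count++] = c;
    if (g->advanced)
        return 0;                 /* len is not used in advanced option mode */
    if (fixed) {
        if (g->count >= MAX_MRU)
            g->state = RX_SEARCH; /* oversized frame: drop it and resync */
        else if (g->count >= g->len)
            g->state = RX_FCS;
    } else if (g->count == g->len) {
        g->state = RX_FCS;        /* never true once count is already > len */
    }
    return 0;
}

/* Replays the commit message's sequence. Returns the number of basic-mode
 * bytes consumed before the data phase ends, or -1 on an out-of-bounds write. */
int replay(int fixed)
{
    /* basic mode header seen (data length 1), then A switches to advanced */
    struct rx g = { .state = RX_DATA, .len = 1, .advanced = 1 };
    rx_byte(&g, 0xAA, fixed);
    rx_byte(&g, 0xBB, fixed);     /* 2 data bytes: count = 2 exceeds len = 1 */
    g.advanced = 0;               /* back to basic; state, len, count are stale */
    for (int i = 1; i <= 64; i++) {
        if (rx_byte(&g, 0xCC, fixed) < 0)
            return -1;
        if (g.state != RX_DATA)
            return i;
    }
    return 0;
}

int main(void) { return !(replay(0) == -1 && replay(1) == 1); }
```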
1 file changed, +5 -2 lines changed
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2661 | 2661 | | |
2662 | 2662 | | |
2663 | 2663 | | |
2664 | | - | |
| 2664 | + | |
| 2665 | + | |
| 2666 | + | |
| 2667 | + | |
2665 | 2668 | | |
2666 | 2669 | | |
2667 | 2670 | | |
| |||
2773 | 2776 | | |
2774 | 2777 | | |
2775 | 2778 | | |
2776 | | - | |
| 2779 | + | |
2777 | 2780 | | |
2778 | 2781 | | |
2779 | 2782 | | |
| |||
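Review bot: the message names the root cause as gsm->state and gsm->len not being reset after reconfiguration, but the two changed regions (old line 2664 replaced by new lines 2664-2667, and old line 2776 replaced by new line 2779) are, going by the message, receive-side comparisons only, so the stale state still survives a switch between option modes. Suggest either resetting the receive state when the option mode changes or saying in the message why that is left out, and adding a short comment at the new MAX_MRU checks noting that they are a hard ceiling independent of the user-configured limits.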