not yet public, via linux-distros / security@kernel.org

Heads-up on low-priority memory contents leak (CVE-2013-6055). No
official patch yet, but fix looks trivial.

As an aside -- I've been forwarding all stuff from
security@kernel.org, even when it seems low priority like this. Should
I do this, or should I only forward "high priority" issues, as
outlined in the Wiki page?

-Kees

On Wed, Oct 9, 2013 at 11:22 AM, Salva Peir363 <speiro@ai2.upv.es> wrote:
> Hello
>
> I'm reporting a security bug I've found on the Linux kernel.
> I've included below a report of the issue, with the bug details.
>
> Affected Kernel versions: from current kernel version 3.12-rc4 back to the
> introduction of mxser.c code.
> Affected files:
> drivers/tty/mxser.c,drivers/tty/moxa.c,drivers/tty/cyclades.c
> Impact: Given the bug driver specific code only users of affected serial
> cards are affected.
>
> Bug Description:
>
> mxser: Detect 20-byte kernel info leak in mxser_get_serial_info()
> The serial_struct struct has a 2-byte hole after ->iomem_reg_shift so
> stack information could be leaked to the user.
>
> In addition, several fields of serial_struct below the ->closing_wait
> field are not properly initialised resulting in a 20-bytes info leak of
> the stack.
>
> After closer investigation of the files under drivers/tty/ directory
> I've found this problem is also present in the get_serial_info()
> functions of other drivers: drivers/tty/moxa.c drivers/tty/cyclades.c.
>
> Bug Fix:
>
> The suggested fix use is to memset(&tmp, 0, sizeof(serial_struct) to
> zero out the serial_struct data on the stack before to filling the the
> struct fields as in the other tty drivers: drivers/tty/amiserial.c.
>
> This was assigned CVE-2013-6055.
>
> In addition, I'd like know is if is possible to get credit for finding
> and reporting the bug when filling the CVE entry.
>
> Best,
> --
> salva