xorl %eax, %eax

CVE-2013-1774: Linux kernel Edgeport USB Serial Converter NULL Pointer Dereference


This vulnerability was fixed by Wolfgang Frisch; the buggy code resides in drivers/usb/serial/io_ti.c, as you can see below.

static void chase_port(struct edgeport_port *port, unsigned long timeout,
								int flush)
{
	int baud_rate;
	struct tty_struct *tty = tty_port_tty_get(&port->port->port);
	struct usb_serial *serial = port->port->serial;
	wait_queue_t wait;
	unsigned long flags;
   ...
	remove_wait_queue(&tty->write_wait, &wait);
   ...
	tty_kref_put(tty);
   ...
}

If the corresponding /dev/ttyUSB device file is still open while the device is disconnected, there is no longer a ‘tty’ associated with the port, so any call to chase_port() (used on close to wait for pending output and flush the port) dereferences a NULL pointer through the ‘tty’ it just obtained. The fix was to add a simple check for this case.
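To make the race concrete, here is an added user-space model (not kernel code and not from the original post) of the tty_port pattern behind this bug: a hangup detaches the tty from its port, so a later tty_port_tty_get() returns NULL and chase_port() must bail out before touching the write wait queue. The struct layouts, the return codes and make_port() are assumptions of this model.

```c
#include <stddef.h>
#include <stdlib.h>
/* User-space model of the tty_port refcount pattern (not kernel code). */
struct tty { int refs; int waiters; };
struct tty_port { struct tty *tty; };   /* tty is NULL after hangup */

/* Like tty_port_tty_get(): take a ref, or return NULL if the tty is gone. */
static struct tty *tty_port_tty_get(struct tty_port *port)
{
    if (!port->tty)
        return NULL;
    port->tty->refs++;
    return port->tty;
}

/* Like tty_kref_put(): drop a ref; tolerates NULL. */
static void tty_kref_put(struct tty *tty)
{
    if (tty && --tty->refs == 0)
        free(tty);
}

/* USB disconnect -> hangup: detach the tty from the port, drop its ref. */
static void tty_port_hangup(struct tty_port *port)
{
    struct tty *tty = port->tty;
    port->tty = NULL;
    tty_kref_put(tty);
}

/* Fixed chase_port(): 0 = flushed, -1 = tty already gone (the patched case). */
static int chase_port(struct tty_port *port)
{
    struct tty *tty = tty_port_tty_get(port);
    if (!tty)               /* without this check the lines below deref NULL */
        return -1;
    tty->waiters++;         /* stands in for add_wait_queue(&tty->write_wait, ..) */
    tty->waiters--;         /* stands in for remove_wait_queue(&tty->write_wait, ..) */
    tty_kref_put(tty);
    return 0;
}

/* Constructed fixture: a port with one live tty holding one reference. */
static struct tty_port *make_port(void)
{
    struct tty_port *port = calloc(1, sizeof *port);
    port->tty = calloc(1, sizeof *port->tty);
    port->tty->refs = 1;
    return port;
}
```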

	unsigned long flags;
+	if (!tty)
+		return;
+
	if (!timeout)
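Review bot: the early return is safe at this position because nothing acquired between tty_port_tty_get() and the new check needs releasing: only locals (wait, flags) are declared above it, and a NULL tty means there is no reference to drop, so skipping the trailing tty_kref_put(tty) is correct. It would help future readers to add a one-line comment that a NULL return from tty_port_tty_get() is the expected hangup/disconnect state rather than an error, so chase_port() simply has nothing to flush.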

Written by xorl

May 18, 2013 at 16:14

Posted in linux, vulnerabilities
