Message ID | 1283163894.3691.48.camel@jlt3.sipsolutions.net |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
Hi Johannes, On Mon, Aug 30, 2010 at 12:24:54PM +0200, Johannes Berg wrote: > --- wireless-testing.orig/net/wireless/wext-compat.c 2010-08-30 12:04:57.000000000 +0200 > +++ wireless-testing/net/wireless/wext-compat.c 2010-08-30 12:11:32.000000000 +0200 > @@ -1420,6 +1420,9 @@ int cfg80211_wext_giwessid(struct net_de > { > struct wireless_dev *wdev = dev->ieee80211_ptr; > > + data->flags = 0; > + data->length = 0; > + > switch (wdev->iftype) { > case NL80211_IFTYPE_ADHOC: > return cfg80211_ibss_wext_giwessid(dev, info, data, ssid); Thanks for all your work on this! Were you able to trigger the leak through cfg80211? If so, then this will need a CVE assigned and sent to stable too, I think. -Kees
On Mon, 2010-08-30 at 11:03 -0700, Kees Cook wrote: > Hi Johannes, > > On Mon, Aug 30, 2010 at 12:24:54PM +0200, Johannes Berg wrote: > > --- wireless-testing.orig/net/wireless/wext-compat.c 2010-08-30 12:04:57.000000000 +0200 > > +++ wireless-testing/net/wireless/wext-compat.c 2010-08-30 12:11:32.000000000 +0200 > > @@ -1420,6 +1420,9 @@ int cfg80211_wext_giwessid(struct net_de > > { > > struct wireless_dev *wdev = dev->ieee80211_ptr; > > > > + data->flags = 0; > > + data->length = 0; > > + > > switch (wdev->iftype) { > > case NL80211_IFTYPE_ADHOC: > > return cfg80211_ibss_wext_giwessid(dev, info, data, ssid); > > Thanks for all your work on this! Were you able to trigger the leak > through cfg80211? If so, then this will need a CVE assigned and sent to > stable too, I think. Yes, I was, very easily, by doing an SIOCGIWESSID while unassociated, with a large iwq->length set by userspace. I did CC stable on my patch, but we can amend the commit by a CVE if so desired. johannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
--- wireless-testing.orig/net/wireless/wext-core.c 2010-08-30 12:04:57.000000000 +0200 +++ wireless-testing/net/wireless/wext-core.c 2010-08-30 12:10:35.000000000 +0200 @@ -782,6 +782,22 @@ static int ioctl_standard_iw_point(struc } } + if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) { + /* + * If this is a GET, but not NOMAX, it means that the extra + * data is not bounded by userspace, but by max_tokens. Thus + * set the length to max_tokens. This matches the extra data + * allocation. + * The driver should fill it with the number of tokens it + * provided, and it may check iwp->length rather than having + * knowledge of max_tokens. If the driver doesn't change the + * iwp->length, this ioctl just copies back max_token tokens + * filled with zeroes. Hopefully the driver isn't claiming + * them to be valid data. + */ + iwp->length = descr->max_tokens; + } + err = handler(dev, info, (union iwreq_data *) iwp, extra); iwp->length += essid_compat; --- wireless-testing.orig/net/wireless/wext-compat.c 2010-08-30 12:04:57.000000000 +0200 +++ wireless-testing/net/wireless/wext-compat.c 2010-08-30 12:11:32.000000000 +0200 @@ -1420,6 +1420,9 @@ int cfg80211_wext_giwessid(struct net_de { struct wireless_dev *wdev = dev->ieee80211_ptr; + data->flags = 0; + data->length = 0; + switch (wdev->iftype) { case NL80211_IFTYPE_ADHOC: return cfg80211_ibss_wext_giwessid(dev, info, data, ssid);