wireless-extensions-fix-kernel-heap-content-leak.patch (CVE-2010-2955)
This commit is contained in:
Chuck Ebbert
parent
9f10c3d7e5
commit
a950d805dc
|
|
@ -769,6 +769,7 @@ Patch12480: kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch
|
|||
|
||||
Patch12490: dell-wmi-add-support-for-eject-key.patch
|
||||
Patch12500: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
Patch12510: wireless-extensions-fix-kernel-heap-content-leak.patch
|
||||
|
||||
%endif
|
||||
|
||||
|
|
@ -1435,6 +1436,9 @@ ApplyPatch dell-wmi-add-support-for-eject-key.patch
|
|||
# cve-2010-2954
|
||||
ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
|
||||
|
||||
# cve-2010-2955
|
||||
ApplyPatch wireless-extensions-fix-kernel-heap-content-leak.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2060,6 +2064,7 @@ fi
|
|||
- Re-enable I2O, but only for 32-bit x86 (#629676)
|
||||
- Add support for eject key on Dell laptops (#513530)
|
||||
- irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch (CVE-2010-2954)
|
||||
- wireless-extensions-fix-kernel-heap-content-leak.patch (CVE-2010-2955)
|
||||
|
||||
* Thu Sep 02 2010 Dave Airlie <airlied@redhat.com> 2.6.34.6-49
|
||||
- fix radeon suspend/resume issues and two other minor patches
|
||||
|
|
|
|||
|
|
@ -0,0 +1,77 @@
|
|||
From: Johannes Berg <johannes.berg@intel.com>
|
||||
Date: Mon, 30 Aug 2010 10:24:54 +0000 (+0200)
|
||||
Subject: wireless extensions: fix kernel heap content leak
|
||||
X-Git-Tag: master-2010-08-30
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Flinville%2Fwireless-2.6.git;a=commitdiff_plain;h=42da2f948d949efd0111309f5827bf0298bcc9a4
|
||||
|
||||
wireless extensions: fix kernel heap content leak
|
||||
|
||||
Wireless extensions have an unfortunate, undocumented
|
||||
requirement which requires drivers to always fill
|
||||
iwp->length when returning a successful status. When
|
||||
a driver doesn't do this, it leads to a kernel heap
|
||||
content leak when userspace offers a larger buffer
|
||||
than would have been necessary.
|
||||
|
||||
Arguably, this is a driver bug, as it should, if it
|
||||
returns 0, fill iwp->length, even if it separately
|
||||
indicated that the buffer contents was not valid.
|
||||
|
||||
However, we can also at least avoid the memory content
|
||||
leak if the driver doesn't do this by setting the iwp
|
||||
length to max_tokens, which then reflects how big the
|
||||
buffer is that the driver may fill, regardless of how
|
||||
big the userspace buffer is.
|
||||
|
||||
To illustrate the point, this patch also fixes a
|
||||
corresponding cfg80211 bug (since this requirement
|
||||
isn't documented nor was ever pointed out by anyone
|
||||
during code review, I don't trust all drivers nor
|
||||
all cfg80211 handlers to implement it correctly).
|
||||
|
||||
Cc: stable@kernel.org [all the way back]
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||
---
|
||||
|
||||
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
|
||||
index bb5e0a5..7e5c3a4 100644
|
||||
--- a/net/wireless/wext-compat.c
|
||||
+++ b/net/wireless/wext-compat.c
|
||||
@@ -1420,6 +1420,9 @@ int cfg80211_wext_giwessid(struct net_device *dev,
|
||||
{
|
||||
struct wireless_dev *wdev = dev->ieee80211_ptr;
|
||||
|
||||
+ data->flags = 0;
|
||||
+ data->length = 0;
|
||||
+
|
||||
switch (wdev->iftype) {
|
||||
case NL80211_IFTYPE_ADHOC:
|
||||
return cfg80211_ibss_wext_giwessid(dev, info, data, ssid);
|
||||
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
|
||||
index 0ef17bc..8f5116f 100644
|
||||
--- a/net/wireless/wext-core.c
|
||||
+++ b/net/wireless/wext-core.c
|
||||
@@ -782,6 +782,22 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
|
||||
+ /*
|
||||
+ * If this is a GET, but not NOMAX, it means that the extra
|
||||
+ * data is not bounded by userspace, but by max_tokens. Thus
|
||||
+ * set the length to max_tokens. This matches the extra data
|
||||
+ * allocation.
|
||||
+ * The driver should fill it with the number of tokens it
|
||||
+ * provided, and it may check iwp->length rather than having
|
||||
+ * knowledge of max_tokens. If the driver doesn't change the
|
||||
+ * iwp->length, this ioctl just copies back max_token tokens
|
||||
+ * filled with zeroes. Hopefully the driver isn't claiming
|
||||
+ * them to be valid data.
|
||||
+ */
|
||||
+ iwp->length = descr->max_tokens;
|
||||
+ }
|
||||
+
|
||||
err = handler(dev, info, (union iwreq_data *) iwp, extra);
|
||||
|
||||
iwp->length += essid_compat;
|
||||
Loading…
Reference in New Issue