On Tue, Jun 04, 2013 at 06:09:55AM -0700, Dan Carpenter wrote:
> The patch a910e4a94f69: "cw1200: add driver for the ST-E CW1100 &
> CW1200 WLAN chipsets" from May 24, 2013, has poor input validation
> so the user could write to arbitrary memory.
>
> Also I think this API looks like things which should be done with
> normal ioctls. This driver only lets you load the firmware using a
> very ugly custom debugfs interface?

No, this is a debugging interface designed to interact with the vendor-supplied testing tool and the passthrough API it requires. The vendor tool controls the device init sequence, including special engineering firmware. Support for the ETF hooks is optional, and even if compiled in has to be explicitly enabled with a module parameter.

> drivers/net/wireless/cw1200/debug.c
>    454
>    455          if (!count)
>    456                  goto done;
>    457
>    458          if (copy_from_user(etf->buf + etf->written, user_buf + written,
>    459                             count)) {
>
> "count" isn't capped so we could overwrite etf->written on the first
> write and then write to arbitrary memory on the second write.

Okay, that's easy enough to fix. Thanks for pointing this out. I'll try to robustify this rather ugly interface as much as possible.

 - Solomon

-- 
Solomon Peachy                         pizza at shaftnet dot org
Delray Beach, FL                          ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum viditur.
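For reference, the shape of the fix being discussed (capping `count` against the room left in the buffer before `copy_from_user()` runs), as an added example that is not code from the cw1200 driver or from either poster. The struct layout, the 64-byte buffer, the stand-in `fake_copy_from_user()` and the choice of `-ENOSPC` for an oversized write are all assumptions made for this offline illustration.

```c
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Constructed stand-in for the driver's ETF state (hypothetical layout;
 * the real struct lives in drivers/net/wireless/cw1200/debug.c). */
#define ETF_BUF_SIZE 64
struct etf_state {
    unsigned char buf[ETF_BUF_SIZE];
    size_t written;            /* bytes accumulated so far */
};

/* Stand-in for copy_from_user(): here both sides share an address space,
 * so a plain memcpy suffices and 0 means "all bytes copied". */
static unsigned long fake_copy_from_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Bounded write path: the copy only happens once count is known to fit in
 * the remaining room, so etf->written can never run past etf->buf.
 * Returns bytes accepted, or a negative errno. */
long etf_write_checked(struct etf_state *etf,
                       const unsigned char *user_buf, size_t count)
{
    size_t room;

    if (!count)
        return 0;
    if (etf->written > ETF_BUF_SIZE)   /* impossible state: refuse */
        return -EINVAL;
    room = ETF_BUF_SIZE - etf->written;
    if (count > room)                  /* the missing cap */
        return -ENOSPC;
    if (fake_copy_from_user(etf->buf + etf->written, user_buf, count))
        return -EFAULT;
    etf->written += count;
    return (long)count;
}

/* Exercises the handler with a constructed 100-byte input: two writes fit,
 * the third would overflow and is refused. Returns 1 on success. */
int etf_selftest(void)
{
    struct etf_state s = { {0}, 0 };
    unsigned char in[100];

    memset(in, 'A', sizeof in);
    if (etf_write_checked(&s, in, 40) != 40 || s.written != 40) return 0;
    if (etf_write_checked(&s, in, 24) != 24 || s.written != 64) return 0;
    if (etf_write_checked(&s, in, 1) != -ENOSPC || s.written != 64) return 0;
    if (etf_write_checked(&s, in, 0) != 0) return 0;
    return 1;
}
```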