Return-path: Received: from he.sipsolutions.net ([78.46.109.217]:33412 "EHLO sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751666Ab0IOXLF (ORCPT ); Wed, 15 Sep 2010 19:11:05 -0400 Subject: Re: [vendor-sec] [PATCH] wireless: fix 64K kernel heap content leak via ioctl From: Johannes Berg To: Greg KH Cc: Kees Cook , linux-kernel@vger.kernel.org, "John W. Linville" , "David S. Miller" , Eric Dumazet , Joe Perches , Jean Tourrilhes , Tejun Heo , linux-wireless@vger.kernel.org, netdev@vger.kernel.org In-Reply-To: <20100915224836.GF19835@kroah.com> References: <20100827210240.GC4703@outflux.net> <20100915224836.GF19835@kroah.com> Content-Type: text/plain; charset="UTF-8" Date: Thu, 16 Sep 2010 01:11:07 +0200 Message-ID: <1284592267.3707.7.camel@jlt3.sipsolutions.net> Mime-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org List-ID: On Wed, 2010-09-15 at 15:48 -0700, Greg KH wrote: > On Fri, Aug 27, 2010 at 02:02:41PM -0700, Kees Cook wrote: > > This problem was originally tracked down by Brad Spengler. > > > > When calling wireless ioctls, if a driver does not correctly > > validate/shrink iwp->length, the resulting copy_to_user can leak up to > > 64K of kernel heap contents. > > > > It seems that this is triggerable[1] in 2.6.32 at least on ath5k, but > > I was not able to track down how. The twisty maze of ioctl handlers > > stumped me. :) Other drivers I checked did not appear to have any problems, > > but the potential remains. I'm not sure if this patch is the right approach; > > it was fixed differently[2] in grsecurity. > > > > [1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2290&start=0 > > [2] http://grsecurity.net/~spender/wireless-infoleak-fix2.patch > > Is this fixed differently upstream in the kernel with commit id > 42da2f948d949efd0111309f5827bf0298bcc9a4? Yes, that's the fix for this. johannes