From: "Volodymyr G. Lukiianyk" <volodymyrgl@gmail.com>
To: "Luis R. Rodriguez" <mcgrof@gmail.com>
Cc: linux-wireless@vger.kernel.org, Jean Tourrilhes <jt@hpl.hp.com>
Subject: Re: [PATCH] WEXT: Correct the size of the buffer to be copied to user-space in standard GET WE ioctls.
Date: Mon, 21 Jan 2008 18:07:29 +0200 [thread overview]
Message-ID: <4794C341.2020300@gmail.com> (raw)
In-Reply-To: <43e72e890801201104o5d2e395du558037179156e80b@mail.gmail.com>
Luis R. Rodriguez wrote:
> Adding Jean.
>
> Luis
>
> On Jan 20, 2008 1:30 PM, Volodymyr G. Lukiianyk <volodymyrgl@gmail.com> wrote:
>> For the most of standard WE GET ioctls the size of the buffer to store driver's
>> response is calculated on base of the call's descriptor (.token_size and
>> .max_tokens fields) without taking into consideration the size of the buffer
>> provided by application in struct iwreq. But when the response is being copied to
>> userspace, its size is calculated from the length provided by application. This
>> can lead to kernel internal data leak into userspace, and oopses when the buffer
>> is located near the end of the available memory. To prevent these situations the
>> size used during copying is set to the same one used during allocation.
>>
>>
>> Signed-off-by: Volodymyr G Lukiianyk <volodymyrgl@gmail.com>
>> ---
>>
>> I've actually seen those oopses on the system with 32MB of memory, when 1k
>> object at address c1fffc00 was returned by the SLAB while handling request for
>> allocating 568 bytes buffer (struct iw_range). Later, copy_to_user() (instructed
>> to copy 1136 bytes, since iwlist uses 2x buffer) crashed trying to access
>> c2000000, which is beyond the bounds of available 32MB.
>>
>> The patch attached is against the Linus's tree.
>>
>>
>> diff --git a/net/wireless/wext.c b/net/wireless/wext.c
>> index 47e80cc..c6ce59b 100644
>> --- a/net/wireless/wext.c
>> +++ b/net/wireless/wext.c
>> @@ -866,8 +866,7 @@ static int ioctl_standard_call(struct net_device * dev,
>> }
>>
>> err = copy_to_user(iwr->u.data.pointer, extra,
>> - iwr->u.data.length *
>> - descr->token_size);
>> + extra_size);
>> if (err)
>> ret = -EFAULT;
>> }
>>
>>
>
Please, ignore this patch. I didn't notice that the driver's handler should set
iwr->u.data.length appropriately. But is there any possibility for compiler to
temporarily save the value of this field in the register and not re-read it after
handler call?
next prev parent reply other threads:[~2008-01-21 16:10 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-20 18:30 [PATCH] WEXT: Correct the size of the buffer to be copied to user-space in standard GET WE ioctls Volodymyr G. Lukiianyk
2008-01-20 19:04 ` Luis R. Rodriguez
2008-01-21 16:07 ` Volodymyr G. Lukiianyk [this message]
2008-01-22 18:16 ` Jean Tourrilhes
2008-01-22 18:14 ` Jean Tourrilhes
2008-01-23 20:30 ` Volodymyr G. Lukiianyk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4794C341.2020300@gmail.com \
--to=volodymyrgl@gmail.com \
--cc=jt@hpl.hp.com \
--cc=linux-wireless@vger.kernel.org \
--cc=mcgrof@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.