* [PATCH] fix infoleak in wireless @ 2016-05-03 20:40 Kangjie Lu 2016-05-03 20:40 ` Johannes Berg 0 siblings, 1 reply; 5+ messages in thread From: Kangjie Lu @ 2016-05-03 20:40 UTC (permalink / raw) To: johannes; +Cc: davem, linux-wireless, linux-kernel, netdev, Kangjie Lu The 6-bytes array “mac_addr” is not initialized in the dump_station implementations of “drivers/staging/wilc1000/wilc_wfi_cfgoperations.c” and “drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c”, so all 6 bytes may be leaked. Signed-off-by: Kangjie Lu <kjlu@gatech.edu> --- net/wireless/nl80211.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 056a730..2e92d14 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -3905,6 +3905,7 @@ static int nl80211_dump_station(struct sk_buff *skb, while (1) { memset(&sinfo, 0, sizeof(sinfo)); + eth_zero_addr(mac_addr); err = rdev_dump_station(rdev, wdev->netdev, sta_idx, mac_addr, &sinfo); if (err == -ENOENT) -- 1.9.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] fix infoleak in wireless 2016-05-03 20:40 [PATCH] fix infoleak in wireless Kangjie Lu @ 2016-05-03 20:40 ` Johannes Berg [not found] ` <CABEk9YxqyBxnqOseJ3-d-aKxnREZBFt1z89nOjHf=DvNQy_hTw@mail.gmail.com> 0 siblings, 1 reply; 5+ messages in thread From: Johannes Berg @ 2016-05-03 20:40 UTC (permalink / raw) To: Kangjie Lu; +Cc: davem, linux-wireless, linux-kernel, netdev, Kangjie Lu On Tue, 2016-05-03 at 16:40 -0400, Kangjie Lu wrote: > The 6-bytes array “mac_addr” is not initialized in the dump_station > implementations of > “drivers/staging/wilc1000/wilc_wfi_cfgoperations.c” > and “drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c”, so all 6 > bytes may be leaked. Like I said to you before, this makes those implementations completely broken. I'm not going to apply this patch. If you want, feel free to send patches to Greg to remove those dump_station implementations that are completely broken and that can never do anything useful. johannes ^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <CABEk9YxqyBxnqOseJ3-d-aKxnREZBFt1z89nOjHf=DvNQy_hTw@mail.gmail.com>]
* Re: [PATCH] fix infoleak in wireless [not found] ` <CABEk9YxqyBxnqOseJ3-d-aKxnREZBFt1z89nOjHf=DvNQy_hTw@mail.gmail.com> @ 2016-05-03 21:00 ` Greg Kroah-Hartman [not found] ` <CABEk9YwiqpP+Ahxax3AC7tbPcmpUQnrB-Nwsb4rixhVjcL4Crw@mail.gmail.com> 0 siblings, 1 reply; 5+ messages in thread From: Greg Kroah-Hartman @ 2016-05-03 21:00 UTC (permalink / raw) To: Kangjie Lu Cc: Johannes Berg, davem, linux-wireless, linux-kernel, netdev, Kangjie Lu A: No. Q: Should I include quotations after my reply? http://daringfireball.net/2007/07/on_top On Tue, May 03, 2016 at 04:47:16PM -0400, Kangjie Lu wrote: > Hi Greg, > > Could you please take a look at this issue. > mac_addr is not initialized is some implementations of dump_station(), which > can be exploited by attackers for leaking information. You are going to have to give me more context here... Like the patch itself? thanks, greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <CABEk9YwiqpP+Ahxax3AC7tbPcmpUQnrB-Nwsb4rixhVjcL4Crw@mail.gmail.com>]
* Re: [PATCH] fix infoleak in wireless [not found] ` <CABEk9YwiqpP+Ahxax3AC7tbPcmpUQnrB-Nwsb4rixhVjcL4Crw@mail.gmail.com> @ 2016-05-03 21:34 ` Greg Kroah-Hartman [not found] ` <CABEk9YwmQt9bQb_KXgYRj=irq9-edtdOeANs7+Z4qZp1zmqpxg@mail.gmail.com> 0 siblings, 1 reply; 5+ messages in thread From: Greg Kroah-Hartman @ 2016-05-03 21:34 UTC (permalink / raw) To: Kangjie Lu Cc: Johannes Berg, davem, linux-wireless, linux-kernel, netdev, Kangjie Lu On Tue, May 03, 2016 at 05:11:07PM -0400, Kangjie Lu wrote: > Opps, I did not notice the patch is not attached. > > From 34a82a734388d07eb10f91770f86938e38f7575a Mon Sep 17 00:00:00 2001 > From: Kangjie Lu <kjlu@gatech.edu> > Date: Tue, 3 May 2016 14:15:18 -0400 > Subject: [PATCH] fix infoleak in wireless > MIME-Version: 1.0 > Content-Type: text/plain; charset=UTF-8 > Content-Transfer-Encoding: 8bit > > The 6-bytes array “mac_addr” is not initialized in the dump_station > implementations of “drivers/staging/wilc1000/wilc_wfi_cfgoperations.c” > and “drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c”, so all 6 > bytes may be leaked. > > Signed-off-by: Kangjie Lu <kjlu@gatech.edu> > --- > net/wireless/nl80211.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c > index 056a730..2e92d14 100644 > --- a/net/wireless/nl80211.c > +++ b/net/wireless/nl80211.c > @@ -3905,6 +3905,7 @@ static int nl80211_dump_station(struct sk_buff *skb, > > while (1) { > memset(&sinfo, 0, sizeof(sinfo)); > + eth_zero_addr(mac_addr); > err = rdev_dump_station(rdev, wdev->netdev, sta_idx, > mac_addr, &sinfo); > if (err == -ENOENT) Patch is corrupted :( Why not fix up the staging drivers, they are the real problem here, which is what I think the networking maintainers were telling you to do. thanks, greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <CABEk9YwmQt9bQb_KXgYRj=irq9-edtdOeANs7+Z4qZp1zmqpxg@mail.gmail.com>]
* Re: [PATCH] fix infoleak in wireless [not found] ` <CABEk9YwmQt9bQb_KXgYRj=irq9-edtdOeANs7+Z4qZp1zmqpxg@mail.gmail.com> @ 2016-05-03 21:46 ` Greg Kroah-Hartman 0 siblings, 0 replies; 5+ messages in thread From: Greg Kroah-Hartman @ 2016-05-03 21:46 UTC (permalink / raw) To: Kangjie Lu Cc: Johannes Berg, davem, linux-wireless, linux-kernel, netdev, Kangjie Lu A: http://en.wikipedia.org/wiki/Top_post Q: Were do I find info about this thing called top-posting? A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail? A: No. Q: Should I include quotations after my reply? http://daringfireball.net/2007/07/on_top On Tue, May 03, 2016 at 05:41:46PM -0400, Kangjie Lu wrote: > You are right. But wouldn't it be more general/better if we initialize the > allocation at very beginning? > To avoid information leaks, I think we are supposed to initialize all > allocations properly if > we are not sure how they are used. But the networking maintainers told you to fix the broken drivers instead. So please do that and send those patches to the correct developers and mailing lists. The fact that only 2 staging drivers got this wrong means that everyone knows how to use this api properly, so I agree with the maintainers here. thanks, greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-05-03 21:46 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-05-03 20:40 [PATCH] fix infoleak in wireless Kangjie Lu
2016-05-03 20:40 ` Johannes Berg
[not found] ` <CABEk9YxqyBxnqOseJ3-d-aKxnREZBFt1z89nOjHf=DvNQy_hTw@mail.gmail.com>
2016-05-03 21:00 ` Greg Kroah-Hartman
[not found] ` <CABEk9YwiqpP+Ahxax3AC7tbPcmpUQnrB-Nwsb4rixhVjcL4Crw@mail.gmail.com>
2016-05-03 21:34 ` Greg Kroah-Hartman
[not found] ` <CABEk9YwmQt9bQb_KXgYRj=irq9-edtdOeANs7+Z4qZp1zmqpxg@mail.gmail.com>
2016-05-03 21:46 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).