From: David Miller <davem@davemloft.net>
To: mpe@ellerman.id.au
Cc: netdev@vger.kernel.org, linux-wireless@vger.kernel.org,
kvalo@codeaurora.org, linux-kernel@vger.kernel.org,
security@kernel.org, ivansprundel@ioactive.com
Subject: Re: [PATCH 1/2] airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE
Date: Thu, 23 Jan 2020 11:03:34 +0100 (CET) [thread overview]
Message-ID: <20200123.110334.575852757631951738.davem@davemloft.net> (raw)
In-Reply-To: <20200122040728.8437-1-mpe@ellerman.id.au>
From: Michael Ellerman <mpe@ellerman.id.au>
Date: Wed, 22 Jan 2020 15:07:27 +1100
> The driver for Cisco Aironet 4500 and 4800 series cards (airo.c),
> implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl().
>
> The ioctl handler copies an aironet_ioctl struct from userspace, which
> includes a command and a length. Some of the commands are handled in
> readrids(), which kmalloc()'s a buffer of RIDSIZE (2048) bytes.
>
> That buffer is then passed to PC4500_readrid(), which has two cases.
> The else case does some setup and then reads up to RIDSIZE bytes from
> the hardware into the kmalloc()'ed buffer.
>
> Here len == RIDSIZE, pBuf is the kmalloc()'ed buffer:
>
> // read the rid length field
> bap_read(ai, pBuf, 2, BAP1);
> // length for remaining part of rid
> len = min(len, (int)le16_to_cpu(*(__le16*)pBuf)) - 2;
> ...
> // read remainder of the rid
> rc = bap_read(ai, ((__le16*)pBuf)+1, len, BAP1);
>
> PC4500_readrid() then returns to readrids() which does:
>
> len = comp->len;
> if (copy_to_user(comp->data, iobuf, min(len, (int)RIDSIZE))) {
>
> Where comp->len is the user controlled length field.
>
> So if the "rid length field" returned by the hardware is < 2048, and
> the user requests 2048 bytes in comp->len, we will leak the previous
> contents of the kmalloc()'ed buffer to userspace.
>
> Fix it by kzalloc()'ing the buffer.
>
> Found by Ilja by code inspection, not tested as I don't have the
> required hardware.
>
> Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Applied and queued up for -stable.
prev parent reply other threads:[~2020-01-23 10:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-22 4:07 [PATCH 1/2] airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE Michael Ellerman
2020-01-22 4:07 ` [PATCH 2/2] airo: Add missing CAP_NET_ADMIN check " Michael Ellerman
2020-01-23 10:03 ` David Miller
2020-01-23 10:03 ` David Miller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200123.110334.575852757631951738.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=ivansprundel@ioactive.com \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=netdev@vger.kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).