[kernel/f13/master] wireless-extensions-fix-kernel-heap-content-leak.patch (CVE-2010-2955)

Chuck Ebbert cebbert at fedoraproject.org
Fri Sep 3 12:17:05 UTC 2010 

commit a950d805dc6289c2b15b9037b807591c56088ada
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Fri Sep 3 08:17:26 2010 -0400

    wireless-extensions-fix-kernel-heap-content-leak.patch (CVE-2010-2955)

 kernel.spec                                        |    5 ++
 ...s-extensions-fix-kernel-heap-content-leak.patch |   77 ++++++++++++++++++++
 2 files changed, 82 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index d9925f1..35aba9d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -769,6 +769,7 @@ Patch12480: kprobes-x86-fix-kprobes-to-skip-prefixes-correctly.patch
 
 Patch12490: dell-wmi-add-support-for-eject-key.patch
 Patch12500: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+Patch12510: wireless-extensions-fix-kernel-heap-content-leak.patch
 
 %endif
 
@@ -1435,6 +1436,9 @@ ApplyPatch dell-wmi-add-support-for-eject-key.patch
 # cve-2010-2954
 ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
 
+# cve-2010-2955
+ApplyPatch wireless-extensions-fix-kernel-heap-content-leak.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2060,6 +2064,7 @@ fi
 - Re-enable I2O, but only for 32-bit x86 (#629676)
 - Add support for eject key on Dell laptops (#513530)
 - irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch (CVE-2010-2954)
+- wireless-extensions-fix-kernel-heap-content-leak.patch (CVE-2010-2955)
 
 * Thu Sep 02 2010 Dave Airlie <airlied at redhat.com> 2.6.34.6-49
 - fix radeon suspend/resume issues and two other minor patches
diff --git a/wireless-extensions-fix-kernel-heap-content-leak.patch b/wireless-extensions-fix-kernel-heap-content-leak.patch
new file mode 100644
index 0000000..27cc4fc
--- /dev/null
+++ b/wireless-extensions-fix-kernel-heap-content-leak.patch
@@ -0,0 +1,77 @@
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Mon, 30 Aug 2010 10:24:54 +0000 (+0200)
+Subject: wireless extensions: fix kernel heap content leak
+X-Git-Tag: master-2010-08-30
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Flinville%2Fwireless-2.6.git;a=commitdiff_plain;h=42da2f948d949efd0111309f5827bf0298bcc9a4
+
+wireless extensions: fix kernel heap content leak
+
+Wireless extensions have an unfortunate, undocumented
+requirement which requires drivers to always fill
+iwp->length when returning a successful status. When
+a driver doesn't do this, it leads to a kernel heap
+content leak when userspace offers a larger buffer
+than would have been necessary.
+
+Arguably, this is a driver bug, as it should, if it
+returns 0, fill iwp->length, even if it separately
+indicated that the buffer contents was not valid.
+
+However, we can also at least avoid the memory content
+leak if the driver doesn't do this by setting the iwp
+length to max_tokens, which then reflects how big the
+buffer is that the driver may fill, regardless of how
+big the userspace buffer is.
+
+To illustrate the point, this patch also fixes a
+corresponding cfg80211 bug (since this requirement
+isn't documented nor was ever pointed out by anyone
+during code review, I don't trust all drivers nor
+all cfg80211 handlers to implement it correctly).
+
+Cc: stable at kernel.org [all the way back]
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+---
+
+diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
+index bb5e0a5..7e5c3a4 100644
+--- a/net/wireless/wext-compat.c
++++ b/net/wireless/wext-compat.c
+@@ -1420,6 +1420,9 @@ int cfg80211_wext_giwessid(struct net_device *dev,
+ {
+ 	struct wireless_dev *wdev = dev->ieee80211_ptr;
+ 
++	data->flags = 0;
++	data->length = 0;
++
+ 	switch (wdev->iftype) {
+ 	case NL80211_IFTYPE_ADHOC:
+ 		return cfg80211_ibss_wext_giwessid(dev, info, data, ssid);
+diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
+index 0ef17bc..8f5116f 100644
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -782,6 +782,22 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
+ 		}
+ 	}
+ 
++	if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
++		/*
++		 * If this is a GET, but not NOMAX, it means that the extra
++		 * data is not bounded by userspace, but by max_tokens. Thus
++		 * set the length to max_tokens. This matches the extra data
++		 * allocation.
++		 * The driver should fill it with the number of tokens it
++		 * provided, and it may check iwp->length rather than having
++		 * knowledge of max_tokens. If the driver doesn't change the
++		 * iwp->length, this ioctl just copies back max_token tokens
++		 * filled with zeroes. Hopefully the driver isn't claiming
++		 * them to be valid data.
++		 */
++		iwp->length = descr->max_tokens;
++	}
++
+ 	err = handler(dev, info, (union iwreq_data *) iwp, extra);
+ 
+ 	iwp->length += essid_compat;

More information about the scm-commits mailing list