[kernel] r16294 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Sep 16 17:33:26 UTC 2010 

Author: dannf
Date: Thu Sep 16 17:33:20 2010
New Revision: 16294

Log:
wireless extensions: fix kernel heap content leak (CVE-2010-2955)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/wireless-extensions-fix-kernel-heap-content-leak.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/23

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Sep 16 17:18:56 2010	(r16293)
+++ dists/sid/linux-2.6/debian/changelog	Thu Sep 16 17:33:20 2010	(r16294)
@@ -20,6 +20,7 @@
   * x86-64, compat (CVE-2010-3301):
     - Retruncate rax after ia32 syscall entry tracing
     - Test %rax for the syscall number, not %eax
+  * wireless extensions: fix kernel heap content leak (CVE-2010-2955)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 15 Sep 2010 11:21:18 +0100
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/wireless-extensions-fix-kernel-heap-content-leak.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/wireless-extensions-fix-kernel-heap-content-leak.patch	Thu Sep 16 17:33:20 2010	(r16294)
@@ -0,0 +1,78 @@
+From 42da2f948d949efd0111309f5827bf0298bcc9a4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Mon, 30 Aug 2010 12:24:54 +0200
+Subject: wireless extensions: fix kernel heap content leak
+
+From: Johannes Berg <johannes.berg at intel.com>
+
+commit 42da2f948d949efd0111309f5827bf0298bcc9a4 upstream.
+
+Wireless extensions have an unfortunate, undocumented
+requirement which requires drivers to always fill
+iwp->length when returning a successful status. When
+a driver doesn't do this, it leads to a kernel heap
+content leak when userspace offers a larger buffer
+than would have been necessary.
+
+Arguably, this is a driver bug, as it should, if it
+returns 0, fill iwp->length, even if it separately
+indicated that the buffer contents was not valid.
+
+However, we can also at least avoid the memory content
+leak if the driver doesn't do this by setting the iwp
+length to max_tokens, which then reflects how big the
+buffer is that the driver may fill, regardless of how
+big the userspace buffer is.
+
+To illustrate the point, this patch also fixes a
+corresponding cfg80211 bug (since this requirement
+isn't documented nor was ever pointed out by anyone
+during code review, I don't trust all drivers nor
+all cfg80211 handlers to implement it correctly).
+
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ net/wireless/wext-compat.c |    3 +++
+ net/wireless/wext.c        |   16 ++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/net/wireless/wext-compat.c
++++ b/net/wireless/wext-compat.c
+@@ -1358,6 +1358,9 @@ int cfg80211_wext_giwessid(struct net_de
+ {
+ 	struct wireless_dev *wdev = dev->ieee80211_ptr;
+ 
++	data->flags = 0;
++	data->length = 0;
++
+ 	switch (wdev->iftype) {
+ 	case NL80211_IFTYPE_ADHOC:
+ 		return cfg80211_ibss_wext_giwessid(dev, info, data, ssid);
+--- a/net/wireless/wext.c
++++ b/net/wireless/wext.c
+@@ -854,6 +854,22 @@ static int ioctl_standard_iw_point(struc
+ 		}
+ 	}
+ 
++	if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
++		/*
++		 * If this is a GET, but not NOMAX, it means that the extra
++		 * data is not bounded by userspace, but by max_tokens. Thus
++		 * set the length to max_tokens. This matches the extra data
++		 * allocation.
++		 * The driver should fill it with the number of tokens it
++		 * provided, and it may check iwp->length rather than having
++		 * knowledge of max_tokens. If the driver doesn't change the
++		 * iwp->length, this ioctl just copies back max_token tokens
++		 * filled with zeroes. Hopefully the driver isn't claiming
++		 * them to be valid data.
++		 */
++		iwp->length = descr->max_tokens;
++	}
++
+ 	err = handler(dev, info, (union iwreq_data *) iwp, extra);
+ 
+ 	iwp->length += essid_compat;

Modified: dists/sid/linux-2.6/debian/patches/series/23
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/23	Thu Sep 16 17:18:56 2010	(r16293)
+++ dists/sid/linux-2.6/debian/patches/series/23	Thu Sep 16 17:33:20 2010	(r16294)
@@ -11,3 +11,4 @@
 + bugfix/x86/compat-test-rax-for-the-syscall-number-not-eax.patch
 + bugfix/all/compat-make-compat_alloc_user_space-incorporate-the-access_ok.patch
 + bugfix/x86/compat-retruncate-rax-after-ia32-syscall-entry-tracing.patch
++ bugfix/all/wireless-extensions-fix-kernel-heap-content-leak.patch

More information about the Kernel-svn-changes mailing list