Bug 14591

Summary: drivers/staging - rt2870,rt3090,rt2860
Product: Drivers
Reporter: leslie noland (lesnoland)
Component: Staging
Assignee: drivers_staging (drivers_staging)
Status: CLOSED OBSOLETE
Severity: high
CC: alan, greg, linville
Priority: P1
Hardware: All
OS: Linux
Kernel Version: ALL
Subsystem:
Regression: No
Bisected commit-id:

Description leslie noland 2009-11-13 12:29:01 UTC
quote(from grsecurity): 

sta_ioctl.c:rt_ioctl_siwpmksa() dereferences wrqu->data.pointer directly, without going through the proper get_user wrapper like other wireless drivers do (possibly there are other places in the driver where this happens, I didn't verify). This is a dangerous and bad programming practice; it can result in all kinds of security problems, from leaking kernel memory to arbitrary code execution in kernel land.

This happens in two functions:
SIOCSIWPMKSA and SIOCSIWMLME.

SIOCSIWPMKSA is always used by wpasupplicant when network interfaces are configured.

bug was detected using PaX.
Comment 1 Greg Kroah-Hartman 2009-11-14 03:58:01 UTC
These seem to be the only drivers that use this ioctl, is that true?

And are you sure that the data isn't properly copied already?  Look at ioctl_standard_iw_point() in the wireless stack, isn't that copying the data into kernelspace properly?

Or is this another structure that also needs to be copied in as well?

Can you make up a patch for this?
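The two driver-side patterns the report contrasts (a handler that reads wrqu->data.pointer as if it were a kernel pointer, versus one that only takes the payload through the user-access wrapper), as an added example that is not the rt2860/rt2870/rt3090 driver's own code and does not model the wireless stack's ioctl_standard_iw_point() that Greg asks about. It is a user-space C model: access_ok()/copy_from_user() are stand-ins implemented as a range check over a constructed "user" region, struct iw_point and struct iw_pmksa are trimmed stand-ins for the real layouts, the kernel-only bytes are a constructed secret, and all function names with a _model suffix are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Trimmed stand-ins for the wireless-extensions structs (assumption: the real
 * layouts carry more fields; only the shape matters for this model). */
#define ETH_ALEN  6
#define PMKID_LEN 16
struct iw_pmksa { uint32_t cmd; uint8_t bssid[ETH_ALEN]; uint8_t pmkid[PMKID_LEN]; };
struct iw_point { void *pointer; uint16_t length; uint16_t flags; }; /* pointer comes from the caller */

/* Constructed address-space split: a region a process may legitimately pass
 * in, and a kernel-only object it must never be able to read. */
static union { struct iw_pmksa pmksa; uint8_t raw[256]; } user_space;
static union { struct iw_pmksa pmksa; uint8_t raw[32]; } kernel_secret =
    { .raw = "kernel-only: do not leak this" };

/* access_ok() stand-in: true only if [p, p+n) lies entirely inside the user region. */
static int access_ok_model(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_space.raw;
    uintptr_t hi = lo + sizeof user_space.raw;
    return a >= lo && a <= hi && n <= hi - a;
}

/* copy_from_user() stand-in: copies n bytes, or returns the number NOT copied. */
static unsigned long copy_from_user_model(void *dst, const void *src, size_t n)
{
    if (!access_ok_model(src, n))
        return n;
    memcpy(dst, src, n);
    return 0;
}

/* The pattern the report objects to: data.pointer is dereferenced as if it
 * were a kernel pointer, so whatever address the caller chose is read. */
int siwpmksa_vulnerable(struct iw_point *data, struct iw_pmksa *out)
{
    if (data->length < sizeof *out)
        return -EINVAL;
    *out = *(struct iw_pmksa *)data->pointer;
    return 0;
}

/* Hardened form: the payload crosses the boundary only through the wrapper,
 * which refuses any address outside the user region. */
int siwpmksa_hardened(struct iw_point *data, struct iw_pmksa *out)
{
    if (data->length < sizeof *out)
        return -EINVAL;
    if (copy_from_user_model(out, data->pointer, sizeof *out))
        return -EFAULT;
    return 0;
}

typedef int (*siwpmksa_fn)(struct iw_point *, struct iw_pmksa *);

static int pmksa_equal(const struct iw_pmksa *a, const struct iw_pmksa *b)
{
    return a->cmd == b->cmd && memcmp(a->bssid, b->bssid, ETH_ALEN) == 0 &&
           memcmp(a->pmkid, b->pmkid, PMKID_LEN) == 0;
}

/* Malicious request: data.pointer aimed at kernel memory.
 * Returns 1 if kernel-only bytes ended up in the handler's output. */
int handler_leaks(siwpmksa_fn handler)
{
    struct iw_point req = { .pointer = &kernel_secret.pmksa, .length = sizeof(struct iw_pmksa) };
    struct iw_pmksa out = { 0 };
    if (handler(&req, &out) != 0)
        return 0;
    return pmksa_equal(&out, &kernel_secret.pmksa);
}

/* Well-formed request from the user region.
 * Returns 1 if the handler accepted it and copied the PMKSA intact. */
int handler_accepts_user_request(siwpmksa_fn handler)
{
    memset(&user_space, 0, sizeof user_space);
    user_space.pmksa.cmd = 1;                         /* constructed command value */
    memcpy(user_space.pmksa.bssid, "\x00\x11\x22\x33\x44\x55", ETH_ALEN);
    memset(user_space.pmksa.pmkid, 0xab, PMKID_LEN);
    struct iw_point req = { .pointer = &user_space.pmksa, .length = sizeof user_space.pmksa };
    struct iw_pmksa out = { 0 };
    if (handler(&req, &out) != 0)
        return 0;
    return pmksa_equal(&out, &user_space.pmksa);
}
```

Both handlers accept the well-formed request; only the vulnerable one also returns the kernel-only bytes when the caller points data.pointer at them. On real hardware what the direct dereference does depends on the address supplied and on the kernel's hardening (it may read kernel memory or fault); the model only shows that the handler itself never checks the address, which is the point the report makes.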