14591 – drivers/staging - rt2870,rt3090,rt2860

Bug 14591 - drivers/staging - rt2870,rt3090,rt2860

Summary: drivers/staging - rt2870,rt3090,rt2860

Status:	CLOSED OBSOLETE

Alias:	None

Product:	Drivers
Classification:	Unclassified
Component:	Staging (show other bugs)
Hardware:	All Linux

Importance:	P1 high
Assignee:	drivers_staging@kernel-bugs.osdl.org

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-11-13 12:29 UTC by leslie noland
Modified:	2012-06-18 12:26 UTC (History)
CC List:	3 users (show)

See Also:
Kernel Version:	ALL
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description leslie noland 2009-11-13 12:29:01 UTC

quote(from grsecurity): 

sta_ioctl.c:rt_ioctl_siwpmksa() dereferences wrqu->data.pointer directly, without going through the proper get_user wrapper like other wireless drivers do (possibly there're other places in the driver where this happens, i didn't verify). this is a dangerous and bad programming practice, it can result in all kinds of security problems, from leaking kernel memory to arbitrary code execution in kernel land.

this happends in two functions:
SIOCSIWPMKSA and SIOCSIWMLME.

SIOCSIWPMKSA is always used by wpasupplicant when network interfaces are configured.

bug was detected using PaX.

Comment 1 Greg Kroah-Hartman 2009-11-14 03:58:01 UTC

This seems to be the only drivers that use this ioctl, is that true?

And are you sure that the data isn't properly copied already?  Look at ioctl_standard_iw_point() in the wireless stack, isn't that copying the data into kernelspace properly?

Or is this another structure that also needs to be copied in as well?

Can you make up a patch for this?

Note You need to log in before you can comment on or make changes to this bug.