Bug 14591 - drivers/staging - rt2870,rt3090,rt2860
Summary: drivers/staging - rt2870,rt3090,rt2860
Status: CLOSED OBSOLETE
Alias: None
Product: Drivers
Classification: Unclassified
Component: Staging
Hardware: All Linux
Importance: P1 high
Assignee: drivers_staging@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-13 12:29 UTC by leslie noland
Modified: 2012-06-18 12:26 UTC
CC List: 3 users

See Also:
Kernel Version: ALL
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description leslie noland 2009-11-13 12:29:01 UTC
Quote (from grsecurity):

sta_ioctl.c:rt_ioctl_siwpmksa() dereferences wrqu->data.pointer directly, without going through the proper get_user wrapper like other wireless drivers do (possibly there are other places in the driver where this happens; I didn't verify). This is a dangerous and bad programming practice; it can result in all kinds of security problems, from leaking kernel memory to arbitrary code execution in kernel land.

This happens in two functions:
SIOCSIWPMKSA and SIOCSIWMLME.

SIOCSIWPMKSA is always used by wpa_supplicant when network interfaces are configured.

The bug was detected using PaX.
Comment 1 Greg Kroah-Hartman 2009-11-14 03:58:01 UTC
These seem to be the only drivers that use this ioctl, is that true?

And are you sure that the data isn't properly copied already?  Look at ioctl_standard_iw_point() in the wireless stack, isn't that copying the data into kernelspace properly?

Or is this another structure that also needs to be copied in as well?

Can you make up a patch for this?
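An added user-space model of the bug class in the description and of the copy-in that comment 1 points at; it is not the rt28x0 driver's code nor the kernel's API. The "user" address range, copy_from_user() and the sockaddr layout are simulated here, and the sample request is constructed; struct and constant names follow the wireless-extensions headers.

```c
/* Added model, not the driver's or the kernel's code: a user-space version of the
 * pattern in this report. copy_from_user() and the "user" address range are simulated. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define IW_PMKID_LEN 16
#define IW_PMKSA_ADD 1
#define IW_PMKSA_FLUSH 3
struct sockaddr_model { uint16_t sa_family; char sa_data[14]; };
struct iw_pmksa { uint32_t cmd; struct sockaddr_model bssid; uint8_t pmkid[IW_PMKID_LEN]; };
struct iw_point { void *pointer; uint16_t length; uint16_t flags; };
static uint8_t user_mem[64];          /* the only "user" memory in this model */
static struct iw_pmksa kernel_copy;   /* kernel-side destination buffer */

/* Model of copy_from_user(): refuses any range that is not inside user_mem. */
static int sim_copy_from_user(void *dst, const void *src, size_t n)
{
    uintptr_t s = (uintptr_t)src, lo = (uintptr_t)user_mem;
    if (s < lo || s + n > lo + sizeof user_mem)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Put a PMKSA request (constructed sample) in "user" memory; return its pointer. */
void *user_pmksa(uint32_t cmd)
{
    struct iw_pmksa req = { .cmd = cmd, .bssid = { .sa_family = 1 } };
    memset(req.pmkid, 0xAB, sizeof req.pmkid);
    memcpy(user_mem, &req, sizeof req);
    return user_mem;
}

/* The report's pattern: the user pointer is cast and read in place (what PaX traps). */
uint32_t pmksa_cmd_unsafe(const struct iw_point *data)
{
    return ((const struct iw_pmksa *)data->pointer)->cmd;
}

/* Hardened form: bound the length, copy into kernel memory, validate the copy. */
int pmksa_handler_safe(const struct iw_point *data, struct iw_pmksa *out)
{
    if (data->length < sizeof *out)
        return -EINVAL;
    if (sim_copy_from_user(out, data->pointer, sizeof *out))
        return -EFAULT;
    if (out->cmd < IW_PMKSA_ADD || out->cmd > IW_PMKSA_FLUSH)
        return -EINVAL;             /* decide on the kernel copy, never on user data */
    return 0;
}
```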
