sta_ioctl.c:rt_ioctl_siwpmksa() dereferences wrqu->data.pointer directly, without going through the proper get_user wrapper like other wireless drivers do (possibly there are other places in the driver where this happens; I didn't verify). This is a dangerous and bad programming practice; it can result in all kinds of security problems, from leaking kernel memory to arbitrary code execution in kernel land.
This happens in two functions:
SIOCSIWPMKSA and SIOCSIWMLME.
SIOCSIWPMKSA is always used by wpasupplicant when network interfaces are configured.
The bug was detected using PaX.
This seems to be the only driver that uses this ioctl, is that true?
And are you sure that the data isn't properly copied already? Look at ioctl_standard_iw_point() in the wireless stack, isn't that copying the data into kernelspace properly?
Or is this another structure that also needs to be copied in as well?
Can you make up a patch for this?
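To make the pattern under discussion concrete, here is an added user-space model (not the rt2860 driver's code, and not a patch for it) of the difference between a handler that reads through wrqu->data.pointer directly and one that brings the payload across the user/kernel boundary with a copy_from_user-style accessor. The struct names, the `model_` helpers, the `user_area`/`kernel_private` regions and the scenario functions are all constructed for this illustration; the real kernel helpers (access_ok, copy_from_user) are only imitated, and whether the wireless-extensions core has already copied the iw_point payload in for this particular ioctl is exactly the question the reply raises and is not settled here.

```c
/* Added illustration, not the rt2860 driver's code: a user-space model of why an
 * ioctl handler must not dereference wrqu->data.pointer directly. The "user" and
 * "kernel" regions below are ordinary arrays standing in for the two address spaces. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the wireless-extensions iw_point (the data member of
 * union iwreq_data): a user pointer plus a length, both chosen by the caller. */
struct iw_point_model {
    void *pointer;
    uint16_t length;
};

/* Simplified stand-in for struct iw_pmksa: command, BSSID, PMKID. */
struct pmksa_model {
    uint32_t cmd;
    uint8_t bssid[6];
    uint8_t pmkid[16];
};

/* Simulated user memory (the only region a user pointer may legitimately name). */
static union {
    struct pmksa_model as_pmksa[8];
    uint8_t bytes[8 * sizeof(struct pmksa_model)];
} user_area;

/* Simulated kernel-private data that must never be reachable through a user pointer. */
static struct pmksa_model kernel_private = { .cmd = 0xC0FFEE, .bssid = {1, 2, 3, 4, 5, 6} };

/* Model of access_ok(): true only if [p, p+n) lies entirely inside user memory. */
static int model_access_ok(const void *p, size_t n) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_area.bytes, hi = lo + sizeof user_area;
    return n <= hi - lo && a >= lo && a <= hi - n;
}

/* Model of copy_from_user(): returns the number of bytes not copied (0 on success),
 * the same convention as the real kernel helper. */
static size_t model_copy_from_user(void *dst, const void *usrc, size_t n) {
    if (!model_access_ok(usrc, n))
        return n;
    memcpy(dst, usrc, n);
    return 0;
}

/* The pattern the report describes: the handler trusts the pointer it was given and
 * reads through it directly, so whatever address the caller supplied is read. */
int siwpmksa_direct_deref(const struct iw_point_model *data, struct pmksa_model *out) {
    const struct pmksa_model *pmksa = data->pointer; /* BUG: raw user pointer used in "kernel" code */
    *out = *pmksa;
    return 0;
}

/* Hardened form: check the advertised length, then bring the payload across the
 * boundary with the copy_from_user-style accessor, which refuses non-user addresses. */
int siwpmksa_copy_in(const struct iw_point_model *data, struct pmksa_model *out) {
    if (data->length < sizeof *out)
        return -EINVAL;
    if (model_copy_from_user(out, data->pointer, sizeof *out))
        return -EFAULT;
    return 0;
}

/* Constructed request: a well-formed PMKSA record placed in simulated user memory. */
static struct iw_point_model make_user_request(uint32_t cmd) {
    struct pmksa_model *u = &user_area.as_pmksa[0];
    memset(u, 0, sizeof *u);
    u->cmd = cmd;
    struct iw_point_model p = { u, (uint16_t)sizeof *u };
    return p;
}

/* Constructed request whose pointer names kernel-private data instead of user memory;
 * the pointer field is just a number the caller fills in, so nothing stops this. */
static struct iw_point_model make_kernel_pointer_request(void) {
    struct iw_point_model p = { &kernel_private, (uint16_t)sizeof kernel_private };
    return p;
}

/* Scenario results as plain ints (1 = behaved as described), so they can be checked directly. */
int hardened_accepts_user_request(void) {
    struct pmksa_model out;
    struct iw_point_model req = make_user_request(2);
    return siwpmksa_copy_in(&req, &out) == 0 && out.cmd == 2;
}

int hardened_rejects_kernel_pointer(void) {
    struct pmksa_model out;
    struct iw_point_model req = make_kernel_pointer_request();
    return siwpmksa_copy_in(&req, &out) == -EFAULT;
}

int hardened_rejects_short_length(void) {
    struct pmksa_model out;
    struct iw_point_model req = make_user_request(2);
    req.length = 4; /* caller claims fewer bytes than a PMKSA record needs */
    return siwpmksa_copy_in(&req, &out) == -EINVAL;
}

int direct_deref_leaks_kernel_data(void) {
    struct pmksa_model out;
    struct iw_point_model req = make_kernel_pointer_request();
    return siwpmksa_direct_deref(&req, &out) == 0 && out.cmd == kernel_private.cmd;
}

int main(void) {
    printf("hardened accepts user request:   %d\n", hardened_accepts_user_request());
    printf("hardened rejects kernel pointer: %d\n", hardened_rejects_kernel_pointer());
    printf("hardened rejects short length:   %d\n", hardened_rejects_short_length());
    printf("direct deref leaks kernel data:  %d\n", direct_deref_leaks_kernel_data());
    return 0;
}
```

The direct-dereference handler copies whatever the supplied address points at, which in the model is the kernel-private record; the copy-in handler refuses it with -EFAULT and also rejects a length that is too short for the record. In a real driver the accessor is the kernel's copy_from_user (or the wireless-extensions core doing that copy on the driver's behalf), and a PaX-style check of user accesses is what flagged the raw dereference in the report.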