diff options
| author | Michael Ellerman <mpe@ellerman.id.au> | 2020-01-22 15:07:27 +1100 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2020-01-23 11:01:13 +0100 |
| commit | d6bce2137f5d6bb1093e96d2f801479099b28094 (patch) | |
| tree | 1fc995b2737ae2bacf040cbb2e9f66b3359bf1c2 /fs/proc/softirqs.c | |
| parent | 3adb4eaa1b4cbadc7858679334d19e840e7df6db (diff) | |
airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE
The driver for Cisco Aironet 4500 and 4800 series cards (airo.c),
implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl().
The ioctl handler copies an aironet_ioctl struct from userspace, which
includes a command and a length. Some of the commands are handled in
readrids(), which kmalloc()'s a buffer of RIDSIZE (2048) bytes.
That buffer is then passed to PC4500_readrid(), which has two cases.
The else case does some setup and then reads up to RIDSIZE bytes from
the hardware into the kmalloc()'ed buffer.
Here len == RIDSIZE, pBuf is the kmalloc()'ed buffer:
// read the rid length field
bap_read(ai, pBuf, 2, BAP1);
// length for remaining part of rid
len = min(len, (int)le16_to_cpu(*(__le16*)pBuf)) - 2;
...
// read remainder of the rid
rc = bap_read(ai, ((__le16*)pBuf)+1, len, BAP1);
PC4500_readrid() then returns to readrids() which does:
len = comp->len;
if (copy_to_user(comp->data, iobuf, min(len, (int)RIDSIZE))) {
Where comp->len is the user controlled length field.
So if the "rid length field" returned by the hardware is < 2048, and
the user requests 2048 bytes in comp->len, we will leak the previous
contents of the kmalloc()'ed buffer to userspace.
Fix it by kzalloc()'ing the buffer.
Found by Ilja by code inspection, not tested as I don't have the
required hardware.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'fs/proc/softirqs.c')
0 files changed, 0 insertions, 0 deletions