From: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
Date: Wed, 22 Jan 2020 15:07:28 +1100

> The driver for Cisco Aironet 4500 and 4800 series cards (airo.c),
> implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl().
>
> The ioctl handler copies an aironet_ioctl struct from userspace, which
> includes a command. Some of the commands are handled in readrids(),
> where the user controlled command is converted into a driver-internal
> value called "ridcode".
>
> There are two command values, AIROGWEPKTMP and AIROGWEPKNV, which
> correspond to ridcode values of RID_WEP_TEMP and RID_WEP_PERM
> respectively. These commands both have checks that the user has
> CAP_NET_ADMIN, with the comment that "Only super-user can read WEP
> keys", otherwise they return -EPERM.
>
> However there is another command value, AIRORRID, that lets the user
> specify the ridcode value directly, with no other checks. This means
> the user can bypass the CAP_NET_ADMIN check on AIROGWEPKTMP and
> AIROGWEPKNV.
>
> Fix it by moving the CAP_NET_ADMIN check out of the command handling
> and instead do it later based on the ridcode. That way regardless of
> whether the ridcode is set via AIROGWEPKTMP or AIROGWEPKNV, or passed
> in using AIRORRID, we always do the CAP_NET_ADMIN check.
>
> Found by Ilja by code inspection, not tested as I don't have the
> required hardware.
>
> Reported-by: Ilja Van Sprundel <ivansprundel@xxxxxxxxxxxx>
> Signed-off-by: Michael Ellerman <mpe@xxxxxxxxxxxxxx>

Applied and queued up for -stable.
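The pattern the patch description fixes, as an added model that is not the airo.c driver code: authorisation placed on the entry path (the per-command handling) is skipped by another entry path that resolves to the same resource, and the fix is to authorise on the resolved ridcode. The command and RID values below are constructed stand-ins, and the capability check is simulated with a flag.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed stand-ins for the driver's command and RID values. */
#define AIROGWEPKTMP 1      /* read temporary WEP key */
#define AIROGWEPKNV  2      /* read non-volatile WEP key */
#define AIRORRID     3      /* read the RID whose code the caller supplies */
#define RID_WEP_TEMP 0xFF15
#define RID_WEP_PERM 0xFF16

/* Simulated capability check; the real driver calls capable(CAP_NET_ADMIN). */
static bool capable_net_admin(bool is_admin) { return is_admin; }

/* Before the fix: the check sits in the per-command handling, so the
 * command that names the ridcode directly never reaches it. */
static int readrids_before(int command, int user_ridcode, bool is_admin)
{
    int ridcode;
    switch (command) {
    case AIROGWEPKTMP:
        if (!capable_net_admin(is_admin)) return -EPERM;
        ridcode = RID_WEP_TEMP; break;
    case AIROGWEPKNV:
        if (!capable_net_admin(is_admin)) return -EPERM;
        ridcode = RID_WEP_PERM; break;
    case AIRORRID:
        ridcode = user_ridcode; break;   /* no check on this path */
    default:
        return -EINVAL;
    }
    return ridcode;   /* model: returning the ridcode means the read proceeds */
}

/* After the fix: authorise on the resolved ridcode, whichever command set it. */
static int readrids_after(int command, int user_ridcode, bool is_admin)
{
    int ridcode;
    switch (command) {
    case AIROGWEPKTMP: ridcode = RID_WEP_TEMP; break;
    case AIROGWEPKNV:  ridcode = RID_WEP_PERM; break;
    case AIRORRID:     ridcode = user_ridcode; break;
    default:           return -EINVAL;
    }
    if ((ridcode == RID_WEP_TEMP || ridcode == RID_WEP_PERM) &&
        !capable_net_admin(is_admin))
        return -EPERM;   /* Only super-user can read WEP keys */
    return ridcode;
}
```

The same review question applies to any ioctl dispatcher: every command that can reach a privileged resource must hit the same check, which is easiest to guarantee by checking the resource rather than the command.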