On Tue, 2009-12-15 at 01:43 -0800, David Miller wrote: > > The effect is that after a number of mode transistions (sometimes as few > > as two sufficed), the kernel will oops at very strange locations, mostly > > in something like __kmem_alloc(). > > > > While the root cause turned out to be an issue with the wpa-supplicant > > which feeds the kernel driver with garbage, this occasion pointed out a > > bug in the wireless wext core when SSIDs with 32 byte lengths are passed > > from userspace. In this case, the string is not properly NULL-terminated > > which causes some other part to corrupt memory. > > > > (In the particular case I observed, an SIOCSIWESSID was issued with > > bogus data in iwp->pointer but iwp->length=32). > > > > I admitedly couldn't find where the actual corruption itself happens, > > but with this trivial fix, I can't reproduce the bug anymore. Well you should try harder :) > > - /* kzalloc() ensures NULL-termination for essid_compat. */ > > - extra = kzalloc(extra_size, GFP_KERNEL); > > + /* kzalloc() +1 ensures NULL-termination for essid_compat. */ > > + extra = kzalloc(extra_size + 1, GFP_KERNEL); That doesn't seem correct. If this is used in a SET, then it is purely an in-kernel thing and everything in the kernel is passed the length + data, and the kernel MUST NEVER treat the SSID as a NUL-terminated string. If this is used in a GET, then it will be filled up to 32 bytes by the get handler, and the trailing \0 your patch reserves will never be copied into userspace. Since you indicate the kernel crashed, it is likely that libertas is treating the buffer as a string, instead of an SSID. That doesn't, however, make your fix and more valid. Whatever code uses it as a string is clearly at fault, since this is a valid four-byte SSID: "\x00\x01\x02\x03" johannes
Attachment:
signature.asc
Description: This is a digitally signed message part
