On Fri, Aug 27, 2010 at 02:02:41PM -0700, Kees Cook wrote:
> This problem was originally tracked down by Brad Spengler.
>
> When calling wireless ioctls, if a driver does not correctly
> validate/shrink iwp->length, the resulting copy_to_user can leak up to
> 64K of kernel heap contents.
>
> It seems that this is triggerable[1] in 2.6.32 at least on ath5k, but
> I was not able to track down how. The twisty maze of ioctl handlers
> stumped me. :) Other drivers I checked did not appear to have any problems,
> but the potential remains. I'm not sure if this patch is the right approach;
> it was fixed differently[2] in grsecurity.
>
> [1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2290&start=0
> [2] http://grsecurity.net/~spender/wireless-infoleak-fix2.patch

Is this fixed differently upstream in the kernel with commit id
42da2f948d949efd0111309f5827bf0298bcc9a4?

thanks,

greg k-h
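
A user-space model of the failure the quoted report describes, added here as an illustration; it is not code from the thread, the kernel, or either referenced patch. `MAX_TOKENS`, the struct and the handler names are assumptions, and the copy-out is measured rather than performed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 32  /* assumed size of the buffer the core allocates */

/* Simplified stand-in for the length field the report calls iwp->length. */
struct iw_point_model { unsigned short length; };
typedef int (*handler_fn)(struct iw_point_model *, char *);

/* Hypothetical driver handler: writes 3 bytes, never updates length. */
static int lazy_handler(struct iw_point_model *iwp, char *extra)
{
    (void)iwp;                       /* defect: length keeps caller's value */
    memcpy(extra, "lab", 3);
    return 0;
}

/* Hypothetical handler that shrinks length to what it actually wrote. */
static int careful_handler(struct iw_point_model *iwp, char *extra)
{
    memcpy(extra, "lab", 3);
    iwp->length = 3;
    return 0;
}

/* Models one GET request. Returns how many bytes past the MAX_TOKENS
 * buffer the copy-out would read (the copy itself is not performed);
 * any value above zero is neighbouring heap memory sent to the caller. */
size_t get_overread(handler_fn h, unsigned short user_len, int clamp)
{
    char extra[MAX_TOKENS] = {0};
    struct iw_point_model iwp = { .length = user_len };

    if (clamp && iwp.length > MAX_TOKENS)
        iwp.length = MAX_TOKENS;     /* core-side bound, set before the call */
    if (h(&iwp, extra) != 0 || user_len < iwp.length)
        return 0;                    /* error or caller buffer too small */
    return iwp.length > MAX_TOKENS ? (size_t)iwp.length - MAX_TOKENS : 0;
}

int main(void)
{
    printf("lazy, no clamp: %zu\n", get_overread(lazy_handler, 65535, 0));
    printf("lazy, clamped:  %zu\n", get_overread(lazy_handler, 65535, 1));
    printf("careful:        %zu\n", get_overread(careful_handler, 65535, 0));
    return 0;
}
```

The model shows two independent places to bound the copy: the handler shrinking the length itself, or the caller of the handler capping it so a handler that forgets cannot widen the copy.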