On Wed, 2010-09-15 at 15:48 -0700, Greg KH wrote: > On Fri, Aug 27, 2010 at 02:02:41PM -0700, Kees Cook wrote: > > This problem was originally tracked down by Brad Spengler. > > > > When calling wireless ioctls, if a driver does not correctly > > validate/shrink iwp->length, the resulting copy_to_user can leak up to > > 64K of kernel heap contents. > > > > It seems that this is triggerable[1] in 2.6.32 at least on ath5k, but > > I was not able to track down how. The twisty maze of ioctl handlers > > stumped me. :) Other drivers I checked did not appear to have any problems, > > but the potential remains. I'm not sure if this patch is the right approach; > > it was fixed differently[2] in grsecurity. > > > > [1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2290&start=0 > > [2] http://grsecurity.net/~spender/wireless-infoleak-fix2.patch > > Is this fixed differently upstream in the kernel with commit id > 42da2f948d949efd0111309f5827bf0298bcc9a4? Yes, that's the fix for this. johannes -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
