On Thu, Sep 16, 2010 at 01:11:07AM +0200, Johannes Berg wrote: > On Wed, 2010-09-15 at 15:48 -0700, Greg KH wrote: > > On Fri, Aug 27, 2010 at 02:02:41PM -0700, Kees Cook wrote: > > > This problem was originally tracked down by Brad Spengler. > > > > > > When calling wireless ioctls, if a driver does not correctly > > > validate/shrink iwp->length, the resulting copy_to_user can leak up to > > > 64K of kernel heap contents. > > > > > > It seems that this is triggerable[1] in 2.6.32 at least on ath5k, but > > > I was not able to track down how. The twisty maze of ioctl handlers > > > stumped me. :) Other drivers I checked did not appear to have any problems, > > > but the potential remains. I'm not sure if this patch is the right approach; > > > it was fixed differently[2] in grsecurity. > > > > > > [1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2290&start=0 > > > [2] http://grsecurity.net/~spender/wireless-infoleak-fix2.patch > > > > Is this fixed differently upstream in the kernel with commit id > > 42da2f948d949efd0111309f5827bf0298bcc9a4? > > Yes, that's the fix for this. Wonderful, thanks for letting me know. greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
