• Michael Ellerman's avatar
    airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE · d6bce213
    Michael Ellerman authored
    The driver for Cisco Aironet 4500 and 4800 series cards (airo.c),
    implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl().
    
    The ioctl handler copies an aironet_ioctl struct from userspace, which
    includes a command and a length. Some of the commands are handled in
    readrids(), which kmalloc()'s a buffer of RIDSIZE (2048) bytes.
    
    That buffer is then passed to PC4500_readrid(), which has two cases.
    The else case does some setup and then reads up to RIDSIZE bytes from
    the hardware into the kmalloc()'ed buffer.
    
    Here len == RIDSIZE, pBuf is the kmalloc()'ed buffer:
    
    	// read the rid length field
    	bap_read(ai, pBuf, 2, BAP1);
    	// length for remaining part of rid
    	len = min(len, (int)le16_to_cpu(*(__le16*)pBuf)) - 2;
    	...
    	// read remainder of the rid
    	rc = bap_read(ai, ((__le16*)pBuf)+1, len, BAP1);
    
    PC4500_readrid() then returns to readrids() which does:
    
    	len = comp->len;
    	if (copy_to_user(comp->data, iobuf, min(len, (int)RIDSIZE))) {
    
    Where comp->len is the user controlled length field.
    
    So if the "rid length field" returned by the hardware is < 2048, and
    the user requests 2048 bytes in comp->len, we will leak the previous
    contents of the kmalloc()'ed buffer to userspace.
    
    Fix it by kzalloc()'ing the buffer.
    
    Found by Ilja by code inspection, not tested as I don't have the
    required hardware.
    Reported-by: default avatarIlja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    d6bce213
airo.c 218 KB