linux-toradex.git/net/wireless/wext.c, branch v2.6.30.2 Linux kernel for Apalis and Colibri modules wext: verify buffer size for SIOCSIWENCODEEXT 2009-05-20T18:07:50+00:00 Johannes Berg johannes@sipsolutions.net 2009-05-13T10:04:30+00:00 88f16db7a2fa63b9242e8a0fbc40d51722f2e2f9 Another design flaw in wireless extensions (is anybody surprised?) in the way it handles the iw_encode_ext structure: The structure is part of the 'extra' memory but contains the key length explicitly, instead of it just being the length of the extra buffer - size of the struct and using the explicit key length only for the get operation (which only writes it). Therefore, we have this layout: extra: +-------------------------+ | struct iw_encode_ext { | | ... | | u16 key_len; | | u8 key[0]; | | }; | +-------------------------+ | key material | +-------------------------+ Now, all drivers I checked use ext->key_len without checking that both key_len and the struct fit into the extra buffer that has been copied from userspace. This leads to a buffer overrun while reading that buffer, depending on the driver it may be possible to specify arbitrary key_len or it may need to be a proper length for the key algorithm specified. Thankfully, this is only exploitable by root, but root can actually cause a segfault or use kernel memory as a key (which you can even get back with siocgiwencode or siocgiwencodeext from the key buffer). Fix this by verifying that key_len fits into the buffer along with struct iw_encode_ext. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> 
Another design flaw in wireless extensions (is anybody
surprised?) in the way it handles the iw_encode_ext
structure: The structure is part of the 'extra' memory
but contains the key length explicitly, instead of it
just being the length of the extra buffer - size of
the struct and using the explicit key length only for
the get operation (which only writes it).

Therefore, we have this layout:

extra: +-------------------------+
       | struct iw_encode_ext  { |
       |     ...                 |
       |     u16 key_len;        |
       |     u8 key[0];          |
       | };                      |
       +-------------------------+
       | key material            |
       +-------------------------+

Now, all drivers I checked use ext->key_len without
checking that both key_len and the struct fit into the
extra buffer that has been copied from userspace. This
leads to a buffer overrun while reading that buffer,
depending on the driver it may be possible to specify
arbitrary key_len or it may need to be a proper length
for the key algorithm specified.

Thankfully, this is only exploitable by root, but root
can actually cause a segfault or use kernel memory as
a key (which you can even get back with siocgiwencode
or siocgiwencodeext from the key buffer).

Fix this by verifying that key_len fits into the buffer
along with struct iw_encode_ext.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
wireless: convert wireless ioctl to net_device_ops 2009-01-06T18:42:24+00:00 Stephen Hemminger shemminger@vyatta.com 2009-01-06T18:42:24+00:00 148bc4303f9ba972cbfe5d30dfec93ec0d8ff1e1 Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
wireless: Fix incorrect use of loose in wext.c 2008-12-07T07:55:32+00:00 Nick Andrew nick@nick-andrew.net 2008-12-07T07:55:32+00:00 6c5cc8e0516005cb9a8f940276fac7614f7acf5c Fix incorrect use of loose in wext.c It should be 'lose', not 'loose'. Signed-off-by: Nick Andrew <nick@nick-andrew.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix incorrect use of loose in wext.c

It should be 'lose', not 'loose'.

Signed-off-by: Nick Andrew <nick@nick-andrew.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
wext: Send name on events 2008-08-13T09:39:56+00:00 Jamal Hadi Salim hadi@cyberus.ca 2008-08-13T09:39:56+00:00 317900cb010f4aca0e3cb14a02d0ddcc44ddafa7 In the minimal the wireless extensions oughta send at least the name in addition to the ifindex. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net> 
In the minimal the wireless extensions oughta send at least
the name in addition to the ifindex.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-20T05:34:43+00:00 YOSHIFUJI Hideaki yoshfuji@linux-ipv6.org 2008-07-20T05:34:43+00:00 721499e8931c5732202481ae24f2dfbf9910f129 Without CONFIG_NET_NS, namespace is always &init_net. Compiler will be able to omit namespace comparisons with this patch. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Without CONFIG_NET_NS, namespace is always &init_net.
Compiler will be able to omit namespace comparisons with this patch.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
wext: Create IW_REQUEST_FLAG_COMPAT and set it as needed. 2008-06-17T01:34:49+00:00 David S. Miller davem@davemloft.net 2008-06-03T14:39:16+00:00 0f5cabba49021d36e9f76bd97d7fa0f4a408063f Now low-level WEXT ioctl handlers can do compat handling when necessary. Signed-off-by: David S. Miller <davem@davemloft.net> 
Now low-level WEXT ioctl handlers can do compat handling
when necessary.

Signed-off-by: David S. Miller <davem@davemloft.net>
wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c 2008-06-17T01:32:46+00:00 David S. Miller davem@davemloft.net 2008-06-03T16:14:03+00:00 87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 Next we can kill the hacks in fs/compat_ioctl.c and also dispatch compat ioctls down into the driver and 80211 protocol helper layers in order to handle iw_point objects embedded in stream replies which need to be translated. Signed-off-by: David S. Miller <davem@davemloft.net> 
Next we can kill the hacks in fs/compat_ioctl.c and also
dispatch compat ioctls down into the driver and 80211 protocol
helper layers in order to handle iw_point objects embedded in
stream replies which need to be translated.

Signed-off-by: David S. Miller <davem@davemloft.net>
wext: Pull top-level ioctl dispatch logic into helper function. 2008-06-17T01:32:09+00:00 David S. Miller davem@davemloft.net 2008-06-03T14:36:30+00:00 a67fa76d8be4e24e2d61cd76438a893d4c2886f7 Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: David S. Miller <davem@davemloft.net>
wext: Pass iwreq pointer down into standard/private handlers. 2008-06-17T01:31:55+00:00 David S. Miller davem@sunset.davemloft.net 2007-12-21T11:46:01+00:00 d2911255590d9ca561a481b9dbebcfcbbf38fa4e They have no need to see the object as an ifreq. Signed-off-by: David S. Miller <davem@davemloft.net> 
They have no need to see the object as an ifreq.

Signed-off-by: David S. Miller <davem@davemloft.net>
wext: Parameterize the standard/private handlers. 2008-06-17T01:30:59+00:00 David S. Miller davem@sunset.davemloft.net 2007-12-21T11:41:45+00:00 ca1e8bb8e4e89e2769e2b39eb29fdcfc5c19cf89 The WEXT standard and private handlers to use are now arguments to wireless_process_ioctl(). Signed-off-by: David S. Miller <davem@davemloft.net> 
The WEXT standard and private handlers to use are now
arguments to wireless_process_ioctl().

Signed-off-by: David S. Miller <davem@davemloft.net>