Bug 628434 (CVE-2010-2955)

Summary: CVE-2010-2955 kernel: wireless: fix 64K kernel heap content leak via ioctl
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: desktop-bugs <desktop-bugs>
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: arozansk, bhu, davej, jkacur, kmcmartin, kzhang, lgoncalv, linville, lwang, pmatouse, tcallawa, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 08:48:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 628435, 628436, 628437, 628438    
Bug Blocks:    
Attachments:
bz628434.patch (flags: none)
jwltest-wireless-extensions-fix-kernel-heap-content-leak.patch (flags: none)

Description Eugene Teo (Security Response) 2010-08-30 03:44:29 UTC
Description of problem:
This problem was originally tracked down by Brad Spengler.

When calling wireless ioctls, if a driver does not correctly validate/shrink iwp->length, the resulting copy_to_user can leak up to 64K of kernel heap contents.

It seems that this is triggerable[1] in 2.6.32 at least on ath5k, but I was not able to track down how. The twisty maze of ioctl handlers stumped me. :) Other drivers I checked did not appear to have any problems, but the potential remains. I'm not sure if this patch is the right approach; it was fixed differently[2] in grsecurity.

[1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2290&start=0
[2] http://grsecurity.net/~spender/wireless-infoleak-fix2.patch

Discussion:
http://lkml.org/lkml/2010/8/27/413
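The mechanism described above, as an added user-space model that is not the kernel's code and not the attached patch: the GET path of a wireless-extensions ioctl allocates a kernel buffer of max_tokens * token_size bytes, calls the driver handler, and then copies iwp->length tokens back to user space. When the driver returns 0 without shrinking iwp->length, the copy length is whatever user space supplied (a 16-bit count, hence "up to 64K"), so the copy runs past the kernel buffer into neighbouring heap. The token and buffer sizes, the fake heap, the 0xAA filler standing in for unrelated heap content, and the hardened variant (which tells the driver the real buffer size and bounds the copy by it) are all assumptions of this example, not a transcription of the upstream fix.

```c
/* Added illustration, not kernel code: a user-space model of the
 * wireless-extensions GET-ioctl copy-out path described in this bug.
 * The kernel buffer "extra" is carved from a fake heap whose remaining
 * bytes are filled with 0xAA to stand in for unrelated kernel heap content.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_SIZE   1     /* assumed descr->token_size */
#define MAX_TOKENS   32    /* assumed descr->max_tokens */
#define FAKE_HEAP    256   /* size of the simulated kernel heap */
#define HEAP_FILL    0xAA  /* marker for "other" heap content (constructed) */

struct iw_point_model {     /* the fields of struct iw_point that matter here */
    uint16_t length;        /* token count; 16 bits, hence "up to 64K" */
    uint16_t flags;
};

/* Simulated driver handler with the defect the report describes: it fills
 * in 5 bytes but leaves iwp->length exactly as user space supplied it. */
static int buggy_driver_get(struct iw_point_model *iwp, unsigned char *extra)
{
    (void)iwp;                                   /* length never updated */
    memcpy(extra, "ESSID", 5);
    return 0;
}

/* Model of the core copy-out path. hardened=0 reproduces the flawed flow;
 * hardened=1 tells the driver the buffer size and never copies more than
 * the kernel buffer holds (an assumption of this example).
 * Returns the number of bytes copied to user space, or -1 on error. */
static int model_iw_point_get(int hardened, uint16_t user_length,
                              unsigned char *user_buf, size_t user_buf_size)
{
    unsigned char heap[FAKE_HEAP];
    unsigned char *extra = heap;                 /* stands in for kzalloc() */
    size_t extra_size = MAX_TOKENS * TOKEN_SIZE;
    struct iw_point_model iwp = { .length = user_length, .flags = 0 };

    memset(heap, HEAP_FILL, sizeof heap);        /* neighbouring heap content */
    memset(extra, 0, extra_size);                /* kzalloc zeroes the buffer */

    if (hardened)
        iwp.length = MAX_TOKENS;                 /* driver sees the real size */

    if (buggy_driver_get(&iwp, extra) != 0)
        return -1;

    if (user_length < iwp.length)                /* user buffer too small */
        return -1;

    size_t n = (size_t)iwp.length * TOKEN_SIZE;  /* bytes handed to copy_to_user */
    if (hardened && n > extra_size)
        n = extra_size;                          /* never read past extra */
    if (n > user_buf_size || n > FAKE_HEAP)
        return -1;                               /* keep the model in bounds */

    memcpy(user_buf, extra, n);                  /* copy_to_user() */
    return (int)n;
}

/* Count bytes of simulated foreign heap content that reached user space. */
static int leaked_bytes(const unsigned char *user_buf, int copied)
{
    int leaked = 0;
    for (int i = 0; i < copied; i++)
        if (user_buf[i] == HEAP_FILL)
            leaked++;
    return leaked;
}

int main(void)
{
    unsigned char ubuf[128];
    /* user space offers a 64-token buffer for a 32-token kernel buffer */
    int n = model_iw_point_get(0, 64, ubuf, sizeof ubuf);
    printf("unhardened: copied %d bytes, %d from outside the kernel buffer\n",
           n, leaked_bytes(ubuf, n));
    n = model_iw_point_get(1, 64, ubuf, sizeof ubuf);
    printf("hardened:   copied %d bytes, %d from outside the kernel buffer\n",
           n, leaked_bytes(ubuf, n));
    return 0;
}
```

The unhardened run copies 64 bytes, 32 of them from beyond the kernel buffer; the hardened run copies only the 32-byte buffer (5 bytes of driver output plus zero fill), which is why zero-initialising the buffer and bounding the copy by its size are both needed: the clamp stops the over-read, and the zeroing keeps stale allocation contents out of the bytes the driver did not write.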

Comment 3 John W. Linville 2010-08-30 20:49:55 UTC
Created attachment 442035 [details]
bz628434.patch

Comment 4 Eugene Teo (Security Response) 2010-08-31 07:10:06 UTC
Discussions:
http://lkml.org/lkml/2010/8/27/413
http://lkml.org/lkml/2010/8/30/351
Fix: http://lkml.org/lkml/2010/8/30/146

Comment 5 John W. Linville 2010-08-31 12:51:14 UTC
Created attachment 442177 [details]
jwltest-wireless-extensions-fix-kernel-heap-content-leak.patch

Comment 6 John W. Linville 2010-08-31 12:51:50 UTC
Test kernels w/ above patch are available here:

http://people.redhat.com/linville/kernels/rhel6/

Comment 11 Eugene Teo (Security Response) 2010-10-13 09:09:50 UTC
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5, as they did not backport the upstream commit 3d23e349 that had introduced the problem. A future update in Red Hat Enterprise MRG may address this flaw.

Comment 12 errata-xmlrpc 2010-10-14 15:30:27 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2010:0771 https://rhn.redhat.com/errata/RHSA-2010-0771.html

Comment 13 errata-xmlrpc 2010-11-10 19:07:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

Comment 14 errata-xmlrpc 2010-11-22 19:34:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html