Bug 628434 (CVE-2010-2955) - CVE-2010-2955 kernel: wireless: fix 64K kernel heap content leak via ioctl
Summary: CVE-2010-2955 kernel: wireless: fix 64K kernel heap content leak via ioctl
Status: CLOSED ERRATA
Alias: CVE-2010-2955
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: desktop-bugs@redhat.com
URL:
Whiteboard: impact=moderate,reported=20100830,pub...
Keywords: Security
Depends On: 628435 628436 628437 628438
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-08-30 03:44 UTC by Eugene Teo (Security Response)
Modified: 2015-08-19 08:53 UTC (History)
12 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2012-03-28 08:48:08 UTC


Attachments (Terms of Use)
bz628434.patch (5.16 KB, patch)
2010-08-30 20:49 UTC, John W. Linville
no flags Details | Diff
jwltest-wireless-extensions-fix-kernel-heap-content-leak.patch (3.04 KB, patch)
2010-08-31 12:51 UTC, John W. Linville
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0771 normal SHIPPED_LIVE Moderate: kernel-rt security and bug fix update 2010-10-14 15:30:14 UTC
Red Hat Product Errata RHSA-2010:0842 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-11-22 19:34:20 UTC

Description Eugene Teo (Security Response) 2010-08-30 03:44:29 UTC
Description of problem:
This problem was originally tracked down by Brad Spengler.

When calling wireless ioctls, if a driver does not correctly validate/shrink iwp->length, the resulting copy_to_user can leak up to 64K of kernel heap contents.

It seems that this is triggerable[1] in 2.6.32 at least on ath5k, but I was not able to track down how. The twisty maze of ioctl handlers stumped me. :) Other drivers I checked did not appear to have any problems, but the potential remains. I'm not sure if this patch is the right approach; it was fixed differently[2] in grsecurity.

[1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2290&start=0
[2] http://grsecurity.net/~spender/wireless-infoleak-fix2.patch

Discussion:
http://lkml.org/lkml/2010/8/27/413

Comment 3 John W. Linville 2010-08-30 20:49:55 UTC
Created attachment 442035 [details]
bz628434.patch

Comment 4 Eugene Teo (Security Response) 2010-08-31 07:10:06 UTC
Discussions:
http://lkml.org/lkml/2010/8/27/413
http://lkml.org/lkml/2010/8/30/351
Fix: http://lkml.org/lkml/2010/8/30/146

Comment 5 John W. Linville 2010-08-31 12:51:14 UTC
Created attachment 442177 [details]
jwltest-wireless-extensions-fix-kernel-heap-content-leak.patch

Comment 6 John W. Linville 2010-08-31 12:51:50 UTC
Test kernels w/ above patch are available here:

http://people.redhat.com/linville/kernels/rhel6/

Comment 11 Eugene Teo (Security Response) 2010-10-13 09:09:50 UTC
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5 as they did not backport the upstream commit 3d23e349 that had introduced the problem. A future update in Red Hat Enterprise MRG may address this flaw.

Comment 12 errata-xmlrpc 2010-10-14 15:30:27 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2010:0771 https://rhn.redhat.com/errata/RHSA-2010-0771.html

Comment 13 errata-xmlrpc 2010-11-10 19:07:38 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

Comment 14 errata-xmlrpc 2010-11-22 19:34:25 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html


Note You need to log in before you can comment on or make changes to this bug.