Description of problem: This problem was originally tracked down by Brad Spengler. When calling wireless ioctls, if a driver does not correctly validate/shrink iwp->length, the resulting copy_to_user can leak up to 64K of kernel heap contents. It seems that this is triggerable[1] in 2.6.32 at least on ath5k, but I was not able to track down how. The twisty maze of ioctl handlers stumped me. :) Other drivers I checked did not appear to have any problems, but the potential remains. I'm not sure if this patch is the right approach; it was fixed differently[2] in grsecurity. [1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2290&start=0 [2] http://grsecurity.net/~spender/wireless-infoleak-fix2.patch Discussion: http://lkml.org/lkml/2010/8/27/413
Created attachment 442035 [details] bz628434.patch
Discussions: http://lkml.org/lkml/2010/8/27/413 http://lkml.org/lkml/2010/8/30/351 Fix: http://lkml.org/lkml/2010/8/30/146
Created attachment 442177 [details] jwltest-wireless-extensions-fix-kernel-heap-content-leak.patch
Test kernels w/ above patch are available here: http://people.redhat.com/linville/kernels/rhel6/
http://git.kernel.org/?p=linux/kernel/git/linville/wireless-2.6.git;a=commitdiff;h=42da2f948d949efd0111309f5827bf0298bcc9a4
Statement: This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5 as they did not backport the upstream commit 3d23e349 that had introduced the problem. A future update in Red Hat Enterprise MRG may address this flaw.
This issue has been addressed in following products: MRG for RHEL-5 Via RHSA-2010:0771 https://rhn.redhat.com/errata/RHSA-2010-0771.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html