Re: [PATCH 2.4] Wireless Extension v17 (resend)

[Jean Tourrilhes]

On Tue, Feb 08, 2005 at 05:51:29PM -0800, Chris Wright wrote:
> * Jean Tourrilhes (jt@xxxxxxxxxx) wrote:
> > 	The first is the handling of spyoffset which is potentially
> > unsafe. Unfortunately, the fix involve some API/infrastructure change,
> > so is not transparent. Fortunately drivers are clever enough to not
> > trigger this bug.
> > 	The second is a potential leak of kernel data to user space in
> > private handler handling. Few drivers use that feature, there is no
> > risk of crash or direct attack, so I would not worry about it.
> 
> Hmm, having ability to read kernel data is not so nice.

	It's not like you can read any arbitrary address, exploiting
such a flaw is in my mind theoritical. Let's not overblow things,
there are some real bugs to take care of.

>  prism54 uses
> this, and is a reasonably popular card.  Looks to me like this should be
> plugged.  Is the patch below sufficient? (stolen from full 2.6 patch)

	Yep, except that you have an extra chunk that should not be
in. You probably did not use the latest version of the patch (and that
was not in the one sent to Marcelo). I would not like to introduce a
real bug in 2.4.X :-(

> thanks,
> -chris

	This chunk is erroneous :

> @@ -731,7 +749,7 @@ static inline int ioctl_private_call(str
>  				return -EFAULT;
>  
>  			/* Does it fits within bounds ? */
> -			if(iwr->u.data.length > (descr->set_args &
> +			if(iwr->u.data.length > (descr->get_args &
>  						 IW_PRIV_SIZE_MASK))
>  				return -E2BIG;
>  		} else {

	Have fun...

	Jean
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/