On Thu, Sep 16, 2010 at 01:11:07AM +0200, Johannes Berg wrote:

On Wed, 2010-09-15 at 15:48 -0700, Greg KH wrote:

quoted

On Fri, Aug 27, 2010 at 02:02:41PM -0700, Kees Cook wrote:

quoted

This problem was originally tracked down by Brad Spengler.

When calling wireless ioctls, if a driver does not correctly
validate/shrink iwp->length, the resulting copy_to_user can leak up to
64K of kernel heap contents.

It seems that this is triggerable[1] in 2.6.32 at least on ath5k, but
I was not able to track down how. The twisty maze of ioctl handlers
stumped me. :) Other drivers I checked did not appear to have any problems,
but the potential remains. I'm not sure if this patch is the right approach;
it was fixed differently[2] in grsecurity.

[1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2290&start=0
[2] http://grsecurity.net/~spender/wireless-infoleak-fix2.patch

Is this fixed differently upstream in the kernel with commit id
42da2f948d949efd0111309f5827bf0298bcc9a4?

Yes, that's the fix for this.

Wonderful, thanks for letting me know.

greg k-h