linux_dsm_epyc7002/drivers/net
Michael Ellerman d6bce2137f airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE
The driver for Cisco Aironet 4500 and 4800 series cards (airo.c)
implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl().

The ioctl handler copies an aironet_ioctl struct from userspace, which
includes a command and a length. Some of the commands are handled in
readrids(), which kmalloc()'s a buffer of RIDSIZE (2048) bytes.

That buffer is then passed to PC4500_readrid(), which has two cases.
The else case does some setup and then reads up to RIDSIZE bytes from
the hardware into the kmalloc()'ed buffer.

Here len == RIDSIZE, pBuf is the kmalloc()'ed buffer:

	// read the rid length field
	bap_read(ai, pBuf, 2, BAP1);
	// length for remaining part of rid
	len = min(len, (int)le16_to_cpu(*(__le16*)pBuf)) - 2;
	...
	// read remainder of the rid
	rc = bap_read(ai, ((__le16*)pBuf)+1, len, BAP1);

PC4500_readrid() then returns to readrids() which does:

	len = comp->len;
	if (copy_to_user(comp->data, iobuf, min(len, (int)RIDSIZE))) {

Where comp->len is the user-controlled length field.

So if the "rid length field" returned by the hardware is < 2048, and
the user requests 2048 bytes in comp->len, we will leak the previous
contents of the kmalloc()'ed buffer to userspace.

Fix it by kzalloc()'ing the buffer.

Found by Ilja by code inspection, not tested as I don't have the
required hardware.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-23 11:01:13 +01:00
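
A user-space simulation of the leak described in the commit message above, added here as an illustration and not taken from airo.c or the commit itself. The names `sim_readrid` and `sim_readrids`, the 16-byte `hw_rid`, and the `0xAA` stale-heap marker are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RIDSIZE 2048
#define STALE   0xAA  /* constructed marker standing in for old heap contents */

/* Constructed "hardware" RID: 2-byte little-endian length field (16) + payload. */
static const uint8_t hw_rid[16] = { 16, 0, 'r','i','d','-','p','a','y','l','o','a','d','!','!','!' };

static int min_int(int a, int b) { return a < b ? a : b; }

/* Mirrors the short read quoted from PC4500_readrid(): only
 * min(len, rid length) bytes of buf are ever written. */
static void sim_readrid(uint8_t *buf, int len)
{
    memcpy(buf, hw_rid, 2);                     /* read the rid length field */
    int ridlen = buf[0] | (buf[1] << 8);        /* le16_to_cpu */
    len = min_int(len, ridlen) - 2;             /* length for remaining part of rid */
    memcpy(buf + 2, hw_rid + 2, (size_t)len);   /* read remainder of the rid */
}

/* Mirrors readrids(): allocate RIDSIZE, fill from "hardware", copy the
 * user-requested length out. Returns the number of stale bytes copied out. */
static int sim_readrids(int user_len, int zeroed)
{
    uint8_t *iobuf = malloc(RIDSIZE);
    uint8_t user[RIDSIZE];
    int n = min_int(user_len, RIDSIZE), leaked = 0;

    if (!iobuf)
        return -1;
    memset(iobuf, zeroed ? 0 : STALE, RIDSIZE); /* kzalloc() vs. kmalloc() */
    sim_readrid(iobuf, RIDSIZE);
    memcpy(user, iobuf, (size_t)n);             /* stands in for copy_to_user() */
    for (int i = 0; i < n; i++)
        leaked += (user[i] == STALE);
    free(iobuf);
    return leaked;
}

int main(void)
{
    printf("kmalloc-style buffer: %d stale bytes copied out\n", sim_readrids(RIDSIZE, 0));
    printf("kzalloc-style buffer: %d stale bytes copied out\n", sim_readrids(RIDSIZE, 1));
    return 0;
}
```
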
appletalk
arcnet
bonding bonding: fix active-backup transition after link failure 2019-12-14 16:22:34 -08:00
caif Driver core patches for 5.5-rc1 2019-11-27 11:06:20 -08:00
can can, slip: Protect tty->disc_data in write_wakeup and close with RCU 2020-01-22 20:32:03 +01:00
dsa net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec 2020-01-17 13:26:27 +01:00
ethernet cxgb4: reject overlapped queues in TC-MQPRIO offload 2020-01-19 16:12:53 +01:00
fddi
fjes Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-22 09:54:33 -08:00
hamradio 6pack,mkiss: fix possible deadlock 2019-12-13 21:49:29 -08:00
hippi
hyperv hv_netvsc: Fix memory leak when removing rndis device 2020-01-15 22:37:45 +01:00
ieee802154 drivers: net: Fix Kconfig indentation, continued 2019-11-21 11:54:09 -08:00
ipvlan Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-11-02 13:54:56 -07:00
netdevsim devlink: correct misspelling of snapshot 2020-01-11 14:30:24 -08:00
phy net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset 2020-01-17 11:36:18 +01:00
plip
ppp pppoe: remove redundant BUG_ON() check in pppoe_pernet 2019-12-07 11:52:23 -08:00
slip can, slip: Protect tty->disc_data in write_wakeup and close with RCU 2020-01-22 20:32:03 +01:00
team Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-11-02 13:54:56 -07:00
usb net: usb: lan78xx: Add .ndo_features_check 2020-01-21 10:46:51 +01:00
vmxnet3
wan net: wan: lapbether.c: Use built-in RCU list checking 2020-01-16 14:30:52 +01:00
wimax Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-11-02 13:54:56 -07:00
wireless airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE 2020-01-23 11:01:13 +01:00
xen-netback xen-netback: avoid race that can lead to NULL pointer dereference 2019-12-15 11:40:15 -08:00
dummy.c net: dummy: use standard dev_lstats_add() and dev_lstats_read() 2019-11-07 20:03:08 -08:00
eql.c
geneve.c treewide: Use sizeof_field() macro 2019-12-09 10:36:44 -08:00
gtp.c gtp: fix bad unlock balance in gtp_encap_enable_socket 2020-01-08 12:42:49 -08:00
ifb.c
Kconfig drivers: net: Fix Kconfig indentation, continued 2019-11-21 11:54:09 -08:00
LICENSE.SRC
loopback.c net: use u64_stats_t in struct pcpu_lstats 2019-11-07 20:03:08 -08:00
macsec.c
macvlan.c macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() 2020-01-16 13:12:37 +01:00
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c net: nlmon: use standard dev_lstats_add() and dev_lstats_read() 2019-11-07 20:03:08 -08:00
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c
thunderbolt.c
tun.c tun: fix data-race in gro_normal_list() 2019-11-15 12:46:49 -08:00
veth.c veth: use standard dev_lstats_add() and dev_lstats_read() 2019-11-07 20:03:08 -08:00
virtio_net.c bpf: Convert bpf_prog refcnt to atomic64_t 2019-11-18 11:41:59 +01:00
vrf.c
vsockmon.c vsockmon: use standard dev_lstats_add() and dev_lstats_read() 2019-11-07 20:03:08 -08:00
vxlan.c vxlan: fix tos value before xmit 2020-01-02 16:35:48 -08:00
xen-netfront.c