• J
    wext: verify buffer size for SIOCSIWENCODEEXT · 88f16db7
    Johannes Berg 提交于
    Another design flaw in wireless extensions (is anybody
    surprised?) in the way it handles the iw_encode_ext
    structure: The structure is part of the 'extra' memory
    but contains the key length explicitly, instead of it
    just being the length of the extra buffer - size of
    the struct and using the explicit key length only for
    the get operation (which only writes it).
    
    Therefore, we have this layout:
    
    extra: +-------------------------+
           | struct iw_encode_ext  { |
           |     ...                 |
           |     u16 key_len;        |
           |     u8 key[0];          |
           | };                      |
           +-------------------------+
           | key material            |
           +-------------------------+
    
    Now, all drivers I checked use ext->key_len without
    checking that both key_len and the struct fit into the
    extra buffer that has been copied from userspace. This
    leads to a buffer overrun while reading that buffer,
    depending on the driver it may be possible to specify
    arbitrary key_len or it may need to be a proper length
    for the key algorithm specified.
    
    Thankfully, this is only exploitable by root, but root
    can actually cause a segfault or use kernel memory as
    a key (which you can even get back with siocgiwencode
    or siocgiwencodeext from the key buffer).
    
    Fix this by verifying that key_len fits into the buffer
    along with struct iw_encode_ext.
    Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
    Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
    88f16db7
wext.c 47.5 KB