* [PATCH] fix infoleak in wireless
@ 2016-05-03 20:40 Kangjie Lu
2016-05-03 20:40 ` Johannes Berg
0 siblings, 1 reply; 5+ messages in thread
From: Kangjie Lu @ 2016-05-03 20:40 UTC (permalink / raw)
To: johannes; +Cc: davem, linux-wireless, linux-kernel, netdev, Kangjie Lu
The 6-bytes array “mac_addr” is not initialized in the dump_station
implementations of “drivers/staging/wilc1000/wilc_wfi_cfgoperations.c”
and “drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c”, so all 6
bytes may be leaked.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
---
net/wireless/nl80211.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 056a730..2e92d14 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3905,6 +3905,7 @@ static int nl80211_dump_station(struct sk_buff *skb,
while (1) {
memset(&sinfo, 0, sizeof(sinfo));
+ eth_zero_addr(mac_addr);
err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
mac_addr, &sinfo);
if (err == -ENOENT)
--
1.9.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] fix infoleak in wireless
2016-05-03 20:40 [PATCH] fix infoleak in wireless Kangjie Lu
@ 2016-05-03 20:40 ` Johannes Berg
[not found] ` <CABEk9YxqyBxnqOseJ3-d-aKxnREZBFt1z89nOjHf=DvNQy_hTw@mail.gmail.com>
0 siblings, 1 reply; 5+ messages in thread
From: Johannes Berg @ 2016-05-03 20:40 UTC (permalink / raw)
To: Kangjie Lu; +Cc: davem, linux-wireless, linux-kernel, netdev, Kangjie Lu
On Tue, 2016-05-03 at 16:40 -0400, Kangjie Lu wrote:
> The 6-bytes array “mac_addr” is not initialized in the dump_station
> implementations of
> “drivers/staging/wilc1000/wilc_wfi_cfgoperations.c”
> and “drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c”, so all 6
> bytes may be leaked.
Like I said to you before, this makes those implementations completely
broken. I'm not going to apply this patch. If you want, feel free to
send patches to Greg to remove those dump_station implementations that
are completely broken and that can never do anything useful.
johannes
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] fix infoleak in wireless
[not found] ` <CABEk9YxqyBxnqOseJ3-d-aKxnREZBFt1z89nOjHf=DvNQy_hTw@mail.gmail.com>
@ 2016-05-03 21:00 ` Greg Kroah-Hartman
[not found] ` <CABEk9YwiqpP+Ahxax3AC7tbPcmpUQnrB-Nwsb4rixhVjcL4Crw@mail.gmail.com>
0 siblings, 1 reply; 5+ messages in thread
From: Greg Kroah-Hartman @ 2016-05-03 21:00 UTC (permalink / raw)
To: Kangjie Lu
Cc: Johannes Berg, davem, linux-wireless, linux-kernel, netdev, Kangjie Lu
A: No.
Q: Should I include quotations after my reply?
http://daringfireball.net/2007/07/on_top
On Tue, May 03, 2016 at 04:47:16PM -0400, Kangjie Lu wrote:
> Hi Greg,
>
> Could you please take a look at this issue.
> mac_addr is not initialized is some implementations of dump_station(), which
> can be exploited by attackers for leaking information.
You are going to have to give me more context here...
Like the patch itself?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] fix infoleak in wireless
[not found] ` <CABEk9YwiqpP+Ahxax3AC7tbPcmpUQnrB-Nwsb4rixhVjcL4Crw@mail.gmail.com>
@ 2016-05-03 21:34 ` Greg Kroah-Hartman
[not found] ` <CABEk9YwmQt9bQb_KXgYRj=irq9-edtdOeANs7+Z4qZp1zmqpxg@mail.gmail.com>
0 siblings, 1 reply; 5+ messages in thread
From: Greg Kroah-Hartman @ 2016-05-03 21:34 UTC (permalink / raw)
To: Kangjie Lu
Cc: Johannes Berg, davem, linux-wireless, linux-kernel, netdev, Kangjie Lu
On Tue, May 03, 2016 at 05:11:07PM -0400, Kangjie Lu wrote:
> Opps, I did not notice the patch is not attached.
>
> From 34a82a734388d07eb10f91770f86938e38f7575a Mon Sep 17 00:00:00 2001
> From: Kangjie Lu <kjlu@gatech.edu>
> Date: Tue, 3 May 2016 14:15:18 -0400
> Subject: [PATCH] fix infoleak in wireless
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> The 6-bytes array “mac_addr” is not initialized in the dump_station
> implementations of “drivers/staging/wilc1000/wilc_wfi_cfgoperations.c”
> and “drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c”, so all 6
> bytes may be leaked.
>
> Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
> ---
> net/wireless/nl80211.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 056a730..2e92d14 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -3905,6 +3905,7 @@ static int nl80211_dump_station(struct sk_buff *skb,
>
> while (1) {
> memset(&sinfo, 0, sizeof(sinfo));
> + eth_zero_addr(mac_addr);
> err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
> mac_addr, &sinfo);
> if (err == -ENOENT)
Patch is corrupted :(
Why not fix up the staging drivers, they are the real problem here,
which is what I think the networking maintainers were telling you to do.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] fix infoleak in wireless
[not found] ` <CABEk9YwmQt9bQb_KXgYRj=irq9-edtdOeANs7+Z4qZp1zmqpxg@mail.gmail.com>
@ 2016-05-03 21:46 ` Greg Kroah-Hartman
0 siblings, 0 replies; 5+ messages in thread
From: Greg Kroah-Hartman @ 2016-05-03 21:46 UTC (permalink / raw)
To: Kangjie Lu
Cc: Johannes Berg, davem, linux-wireless, linux-kernel, netdev, Kangjie Lu
A: http://en.wikipedia.org/wiki/Top_post
Q: Were do I find info about this thing called top-posting?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
A: No.
Q: Should I include quotations after my reply?
http://daringfireball.net/2007/07/on_top
On Tue, May 03, 2016 at 05:41:46PM -0400, Kangjie Lu wrote:
> You are right. But wouldn't it be more general/better if we initialize the
> allocation at very beginning?
> To avoid information leaks, I think we are supposed to initialize all
> allocations properly if
> we are not sure how they are used.
But the networking maintainers told you to fix the broken drivers
instead. So please do that and send those patches to the correct
developers and mailing lists.
The fact that only 2 staging drivers got this wrong means that everyone
knows how to use this api properly, so I agree with the maintainers
here.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-05-03 21:46 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-03 20:40 [PATCH] fix infoleak in wireless Kangjie Lu
2016-05-03 20:40 ` Johannes Berg
[not found] ` <CABEk9YxqyBxnqOseJ3-d-aKxnREZBFt1z89nOjHf=DvNQy_hTw@mail.gmail.com>
2016-05-03 21:00 ` Greg Kroah-Hartman
[not found] ` <CABEk9YwiqpP+Ahxax3AC7tbPcmpUQnrB-Nwsb4rixhVjcL4Crw@mail.gmail.com>
2016-05-03 21:34 ` Greg Kroah-Hartman
[not found] ` <CABEk9YwmQt9bQb_KXgYRj=irq9-edtdOeANs7+Z4qZp1zmqpxg@mail.gmail.com>
2016-05-03 21:46 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).