Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABEk9Yz0mijhgKqKEugbvfAdqJKRcn6-HYyET3MA-D2EROo0tw@mail.gmail.com>
Date: Wed, 4 May 2016 09:12:52 -0400
From: Kangjie Lu <kangjielu@...il.com>
To: oss-security@...ts.openwall.com, Taesoo Kim <taesoo@...ech.edu>, 
	Chengyu Song <csong84@...ech.edu>, Insu Yun <insu@...ech.edu>
Subject: CVE Request: information leak in wilc1000 module of Linux kernel

Hello,

In the milc1000 module (drivers/staging/wilc1000/wilc_wfi_cfgoperations.c),
The 6-bytes stack object “mac” is not initialized but leaked via “nla_put”.
This bug may result in leaks of sensitive kernel stack data.

The patch of this bug has been accepted by Linux kernel maintainer and will
be
merged in the next kernel release (see the message bellow).

Fix info:
*http://www.spinics.net/lists/linux-wireless/msg150352.html
<http://www.spinics.net/lists/linux-wireless/msg150352.html>*
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git

Could you please assign a CVE to it?

Thanks,
Kangjie Lu


---------- Forwarded message ----------
From: <gregkh@...uxfoundation.org>
Date: Wed, May 4, 2016 at 1:57 AM
Subject: patch "staging: wilc1000: fix infoleak in wilc_wfi_cfgoperations"
added to staging-testing
To: kangjielu@...il.com, gregkh@...uxfoundation.org, kjlu@...ech.edu



This is a note to let you know that I've just added the patch titled

    staging: wilc1000: fix infoleak in wilc_wfi_cfgoperations

to my staging git tree which can be found at
    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
in the staging-testing branch.

The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)

The patch will be merged to the staging-next branch sometime soon,
after it passes testing, and the merge window is open.

If you have any questions about this process, please let me know.


>From d13829686bba3e06e2217f044beb8fd5a9abf792 Mon Sep 17 00:00:00 2001
From: Kangjie Lu <kangjielu@...il.com>
Date: Tue, 3 May 2016 21:36:11 -0400
Subject: staging: wilc1000: fix infoleak in wilc_wfi_cfgoperations

"mac" is an array allocated in stack without being initialized,
and will be sent out via "nla_put". The dump_station() is supposed
to initialize the mac address; otherwise, sensitive data in kernel
stack will be leaked. To fix this, copy the mac address to it.

Signed-off-by: Kangjie Lu <kjlu@...ech.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
 drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
index 85031f75d7ee..4b041356f823 100644
--- a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
+++ b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
@@ -1804,6 +1804,7 @@ static int dump_station(struct wiphy *wiphy, struct
net_device *dev,

        wilc_get_rssi(vif, &sinfo->signal);

+       memcpy(mac, priv->au8AssociatedBss, ETH_ALEN);
        return 0;
 }

--
2.8.2

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.