Please note: This project is no longer active. The website is kept online for historic purposes only.

Ticket #1334 (closed defect: fixed)

Opened 13 years ago

Last modified 12 years ago

ieee80211_ioctl_getwmmparams local kernel DoS

Reported by: mrenzmann
Assigned to: mrenzmann
Priority: critical
Milestone: version 0.9.5
Component: madwifi: 802.11 stack
Version: v0.9.3
Keywords:
Cc:
Patch is attached: 1
Pending:


The following security issue has recently been reported to us. The original reporter wishes to stay anonymous.

A restricted local user can make an unprivileged I/O control call to the driver's ieee80211_ioctl_getwmmparams. This function accepts an array index from the user, which is validated incorrectly. The function checks that the index supplied by the user is less than a maximum value, but does not check if the index is less than 0. A local attacker can specify a large negative number which will pass the check, and cause an error in the array dereference.

On SuSE 10.2 32-bit, various components that relied on the networking system stopped functioning. The GUI appeared to still be usable. It also appears that a crafty attacker can use smaller negative values and enumerate portions of kernel memory because the value of the memory at the array dereference is returned to the caller. However, this has not been verified by the reporter.


02_secfix-0.9.3-wmmparams-take2.patch (1.0 kB) - added by mrenzmann on 05/23/07 10:11:01.
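The bug class described in this ticket, as an added example that is not madwifi source and not the attached patch: an upper-bound-only check on a signed index beside two corrected forms, applied to both a read and a write path. The table, its size and all function names are hypothetical, and the values are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not driver code: a table indexed by a caller-supplied int. */
#define NUM_CLASSES 4                                   /* assumed table size */
static int class_param[NUM_CLASSES] = { 3, 7, 2, 2 };   /* constructed values */

/* Flawed check as reported: upper bound only, so every negative index passes. */
int index_ok_flawed(int idx) { return idx < NUM_CLASSES; }

/* Corrected check: both bounds tested on the signed value. */
int index_ok_fixed(int idx) { return idx >= 0 && idx < NUM_CLASSES; }

/* Equivalent single comparison: the unsigned conversion turns any negative
 * value into a large positive one, which then fails the upper bound. */
int index_ok_unsigned(int idx) { return (unsigned int)idx < (unsigned int)NUM_CLASSES; }

/* Read path: validate first and never touch the table on failure. */
int get_class_param(int idx, int *out)
{
    if (out == NULL || !index_ok_fixed(idx))
        return -EINVAL;
    *out = class_param[idx];
    return 0;
}

/* Write path: needs the same check. The ticket notes the set handler shared
 * the defect, which makes the out-of-bounds access a write as well as a read. */
int set_class_param(int idx, int value)
{
    if (!index_ok_fixed(idx))
        return -EINVAL;
    class_param[idx] = value;
    return 0;
}

int main(void)
{
    int v = 0;
    printf("idx=-1: flawed=%d fixed=%d unsigned=%d\n",
           index_ok_flawed(-1), index_ok_fixed(-1), index_ok_unsigned(-1));
    printf("get(-1) -> %d, get(1) -> %d\n", get_class_param(-1, &v), get_class_param(1, &v));
    return 0;
}
```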

Change History

05/23/07 10:11:01 changed by mrenzmann

  • attachment 02_secfix-0.9.3-wmmparams-take2.patch added.

(follow-up: ↓ 2 ) 05/23/07 10:23:22 changed by mrenzmann

  • status changed from new to assigned.
  • patch_attached set to 1.

The attached patch is for tags/release-0.9.3. It fixes the reported bug and a similar one that exists in ieee80211_ioctl_getwmmparams.

(in reply to: ↑ 1 ) 05/23/07 12:48:51 changed by mrenzmann

Replying to mrenzmann:

It fixes the reported bug and a similar one that exists in ieee80211_ioctl_getwmmparams.

Sorry, typo, that should read ieee80211_ioctl_setwmmparams. The following quote from an internal discussion gives some details:

... someone with say sudo rights to access iwconfig but not root rights would be able to use get/setwmmparams to WRITE as well as read kernel memory, with a restricted range of access (given the range check limits them to addresses less than the address of the array). ...

05/24/07 03:21:30 changed by mentor

  • status changed from assigned to closed.
  • resolution set to fixed.

I believe this to have been fixed in r2280

05/24/07 06:58:23 changed by mrenzmann

  • milestone set to version 0.9.4.

02/11/08 06:18:32 changed by mrenzmann

  • milestone changed from version 0.9.4 to version 0.9.5.