author | Jean Tourrilhes <jt@hpl.hp.com> | 2007-03-22 20:31:16 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2007-03-27 14:10:26 -0400 |
commit | c2805fbb8630abb95d94ce7adc3f97976f7e0367 (patch) | |
tree | ca94be7f103d430d38ef6543db597e90f3a63999 /include | |
parent | ed4bb1063171b2f44a40b0a9c400dedb0590dce6 (diff) |
[PATCH] WE-22 : prevent information leak on 64 bit
Johannes Berg discovered that kernel space was leaking to
userspace on 64-bit platforms. He made a first patch to fix that. This
is an improved version of his patch.
Signed-off-by: Jean Tourrilhes <jt@hpl.hp.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/wireless.h | 21 | ||||
-rw-r--r-- | include/net/iw_handler.h | 30 |
2 files changed, 39 insertions, 12 deletions
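--- a/include/linux/wireless.h
+++ b/include/linux/wireless.h
@@ -1,10 +1,10 @@
 /*
 * This file define a set of standard wireless extensions
 *
-* Version : 21 14.3.06
+* Version : 22 16.3.07
 *
 * Authors : Jean Tourrilhes - HPL - <jt@hpl.hp.com>
-* Copyright (c) 1997-2006 Jean Tourrilhes, All Rights Reserved.
+* Copyright (c) 1997-2007 Jean Tourrilhes, All Rights Reserved.
 */
 
 #ifndef _LINUX_WIRELESS_H
@@ -85,7 +85,7 @@
 * (there is some stuff that will be added in the future...)
 * I just plan to increment with each new version.
 */
-#define WIRELESS_EXT 21
+#define WIRELESS_EXT 22
 
 /*
 * Changes :
@@ -221,6 +221,10 @@
 * - Add IW_RETRY_SHORT/IW_RETRY_LONG retry modifiers
 * - Power/Retry relative values no longer * 100000
 * - Add explicit flag to tell stats are in 802.11k RCPI : IW_QUAL_RCPI
+*
+* V21 to V22
+* ----------
+* - Prevent leaking of kernel space in stream on 64 bits.
 */
 
 /**************************** CONSTANTS ****************************/
@@ -1085,4 +1089,15 @@ struct iw_event
 #define IW_EV_POINT_LEN (IW_EV_LCP_LEN + sizeof(struct iw_point) - \
 IW_EV_POINT_OFF)
 
+/* Size of the Event prefix when packed in stream */
+#define IW_EV_LCP_PK_LEN (4)
+/* Size of the various events when packed in stream */
+#define IW_EV_CHAR_PK_LEN (IW_EV_LCP_PK_LEN + IFNAMSIZ)
+#define IW_EV_UINT_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(__u32))
+#define IW_EV_FREQ_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(struct iw_freq))
+#define IW_EV_PARAM_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(struct iw_param))
+#define IW_EV_ADDR_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(struct sockaddr))
+#define IW_EV_QUAL_PK_LEN (IW_EV_LCP_PK_LEN + sizeof(struct iw_quality))
+#define IW_EV_POINT_PK_LEN (IW_EV_LCP_LEN + 4)
+
 #endif /* _LINUX_WIRELESS_H */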
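Review bot: `IW_EV_POINT_PK_LEN` is the only packed constant built on the aligned prefix `IW_EV_LCP_LEN` instead of `IW_EV_LCP_PK_LEN`, which looks unintended. The point helpers in iw_handler.h copy `IW_EV_POINT_PK_LEN - IW_EV_LCP_PK_LEN` bytes from the event, so with this definition that length works out to `IW_EV_LCP_LEN` rather than 4. On a platform where the aligned prefix is wider than 4 bytes, the copy would presumably run past the length and flags fields into structure padding, which is the kind of data this change is meant to keep out of the stream. I would define it as `#define IW_EV_POINT_PK_LEN (IW_EV_LCP_PK_LEN + 4)` and add a comment saying what the literal 4 stands for. The layouts of struct iw_event and struct iw_point are outside the hunk, so the padding effect should be confirmed against them.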
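--- a/include/net/iw_handler.h
+++ b/include/net/iw_handler.h
@@ -1,10 +1,10 @@
 /*
 * This file define the new driver API for Wireless Extensions
 *
-* Version : 7 18.3.05
+* Version : 8 16.3.07
 *
 * Authors : Jean Tourrilhes - HPL - <jt@hpl.hp.com>
-* Copyright (c) 2001-2006 Jean Tourrilhes, All Rights Reserved.
+* Copyright (c) 2001-2007 Jean Tourrilhes, All Rights Reserved.
 */
 
 #ifndef _IW_HANDLER_H
@@ -207,7 +207,7 @@
 * will be needed...
 * I just plan to increment with each new version.
 */
-#define IW_HANDLER_VERSION 7
+#define IW_HANDLER_VERSION 8
 
 /*
 * Changes :
@@ -239,6 +239,10 @@
 * - Remove (struct iw_point *)->pointer from events and streams
 * - Remove spy_offset from struct iw_handler_def
 * - Add "check" version of event macros for ieee802.11 stack
+*
+* V7 to V8
+* ----------
+* - Prevent leaking of kernel space in stream on 64 bits.
 */
 
 /**************************** CONSTANTS ****************************/
@@ -500,7 +504,11 @@ iwe_stream_add_event(char * stream, /* Stream of events */
 /* Check if it's possible */
 if(likely((stream + event_len) < ends)) {
 iwe->len = event_len;
-memcpy(stream, (char *) iwe, event_len);
+/* Beware of alignement issues on 64 bits */
+memcpy(stream, (char *) iwe, IW_EV_LCP_PK_LEN);
+memcpy(stream + IW_EV_LCP_LEN,
+((char *) iwe) + IW_EV_LCP_LEN,
+event_len - IW_EV_LCP_LEN);
 stream += event_len;
 }
 return stream;
@@ -521,10 +529,10 @@ iwe_stream_add_point(char * stream, /* Stream of events */
 /* Check if it's possible */
 if(likely((stream + event_len) < ends)) {
 iwe->len = event_len;
-memcpy(stream, (char *) iwe, IW_EV_LCP_LEN);
+memcpy(stream, (char *) iwe, IW_EV_LCP_PK_LEN);
 memcpy(stream + IW_EV_LCP_LEN,
 ((char *) iwe) + IW_EV_LCP_LEN + IW_EV_POINT_OFF,
-IW_EV_POINT_LEN - IW_EV_LCP_LEN);
+IW_EV_POINT_PK_LEN - IW_EV_LCP_PK_LEN);
 memcpy(stream + IW_EV_POINT_LEN, extra, iwe->u.data.length);
 stream += event_len;
 }
@@ -574,7 +582,11 @@ iwe_stream_check_add_event(char * stream, /* Stream of events */
 /* Check if it's possible, set error if not */
 if(likely((stream + event_len) < ends)) {
 iwe->len = event_len;
-memcpy(stream, (char *) iwe, event_len);
+/* Beware of alignement issues on 64 bits */
+memcpy(stream, (char *) iwe, IW_EV_LCP_PK_LEN);
+memcpy(stream + IW_EV_LCP_LEN,
+((char *) iwe) + IW_EV_LCP_LEN,
+event_len - IW_EV_LCP_LEN);
 stream += event_len;
 } else
 *perr = -E2BIG;
@@ -598,10 +610,10 @@ iwe_stream_check_add_point(char * stream, /* Stream of events */
 /* Check if it's possible */
 if(likely((stream + event_len) < ends)) {
 iwe->len = event_len;
-memcpy(stream, (char *) iwe, IW_EV_LCP_LEN);
+memcpy(stream, (char *) iwe, IW_EV_LCP_PK_LEN);
 memcpy(stream + IW_EV_LCP_LEN,
 ((char *) iwe) + IW_EV_LCP_LEN + IW_EV_POINT_OFF,
-IW_EV_POINT_LEN - IW_EV_LCP_LEN);
+IW_EV_POINT_PK_LEN - IW_EV_LCP_PK_LEN);
 memcpy(stream + IW_EV_POINT_LEN, extra, iwe->u.data.length);
 stream += event_len;
 } else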
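Review bot: The bytes between `stream + IW_EV_LCP_PK_LEN` and `stream + IW_EV_LCP_LEN` are now skipped in all four helpers and never written, so whatever the destination buffer already held there stays in the stream. Unless every caller hands in a zeroed buffer (the allocation is not visible here), the gap should be cleared in place, e.g. `memset(stream + IW_EV_LCP_PK_LEN, 0, IW_EV_LCP_LEN - IW_EV_LCP_PK_LEN);` right after the first memcpy. In iwe_stream_add_event and iwe_stream_check_add_event the new length `event_len - IW_EV_LCP_LEN` also assumes `event_len >= IW_EV_LCP_LEN`; a comment stating that precondition, or a guard, would help, since the old single memcpy had no such requirement. The function signatures and the start of each body lie outside the hunks.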