Date: Wed, 4 May 2016 09:12:52 -0400 From: Kangjie Lu <kangjielu@...il.com> To: oss-security@...ts.openwall.com, Taesoo Kim <taesoo@...ech.edu>, Chengyu Song <csong84@...ech.edu>, Insu Yun <insu@...ech.edu> Subject: CVE Request: information leak in wilc1000 module of Linux kernel Hello, In the milc1000 module (drivers/staging/wilc1000/wilc_wfi_cfgoperations.c), The 6-bytes stack object “mac” is not initialized but leaked via “nla_put”. This bug may result in leaks of sensitive kernel stack data. The patch of this bug has been accepted by Linux kernel maintainer and will be merged in the next kernel release (see the message bellow). Fix info: *http://www.spinics.net/lists/linux-wireless/msg150352.html <http://www.spinics.net/lists/linux-wireless/msg150352.html>* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git Could you please assign a CVE to it? Thanks, Kangjie Lu ---------- Forwarded message ---------- From: <gregkh@...uxfoundation.org> Date: Wed, May 4, 2016 at 1:57 AM Subject: patch "staging: wilc1000: fix infoleak in wilc_wfi_cfgoperations" added to staging-testing To: kangjielu@...il.com, gregkh@...uxfoundation.org, kjlu@...ech.edu This is a note to let you know that I've just added the patch titled staging: wilc1000: fix infoleak in wilc_wfi_cfgoperations to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the staging-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From d13829686bba3e06e2217f044beb8fd5a9abf792 Mon Sep 17 00:00:00 2001 From: Kangjie Lu <kangjielu@...il.com> Date: Tue, 3 May 2016 21:36:11 -0400 Subject: staging: wilc1000: fix infoleak in wilc_wfi_cfgoperations "mac" is an array allocated in stack without being initialized, and will be sent out via "nla_put". The dump_station() is supposed to initialize the mac address; otherwise, sensitive data in kernel stack will be leaked. To fix this, copy the mac address to it. Signed-off-by: Kangjie Lu <kjlu@...ech.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c index 85031f75d7ee..4b041356f823 100644 --- a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c +++ b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c @@ -1804,6 +1804,7 @@ static int dump_station(struct wiphy *wiphy, struct net_device *dev, wilc_get_rssi(vif, &sinfo->signal); + memcpy(mac, priv->au8AssociatedBss, ETH_ALEN); return 0; } -- 2.8.2
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.