lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Dec 2014 14:01:46 +0100 From: Arend van Spriel <arend@...adcom.com> To: Brian Norris <computersforpeace@...il.com> CC: "John W. Linville" <linville@...driver.com>, Kalle Valo <kvalo@....qualcomm.com>, "David S. Miller" <davem@...emloft.net>, "Brett Rudley" <brudley@...adcom.com>, "Franky (Zhenhui) Lin" <frankyl@...adcom.com>, Hante Meuleman <meuleman@...adcom.com>, <linux-wireless@...r.kernel.org>, <brcm80211-dev-list@...adcom.com>, <netdev@...r.kernel.org> Subject: Re: [PATCH] brcmsmac: don't leak kernel memory via printk() On 12/18/14 07:32, Brian Norris wrote: > + others [1] > > On Wed, Dec 10, 2014 at 1:39 AM, Brian Norris > <computersforpeace@...il.com> wrote: >> Debug code prints the fifo name via custom dev_warn() wrappers. The >> fifo_names array is only non-zero when debugging is manually enabled, >> which is all well and good. However, it's *not* good that this array >> uses zero-length arrays in the non-debug case, and so it doesn't >> actually have any memory allocated to it. This means that as far as we >> know, fifo_names[i] actually points to garbage memory. >> >> I've seen this in my log: >> >> [ 4601.205511] brcmsmac bcma0:1: wl0: brcms_c_d11hdrs_mac80211: �GeL txop exceeded phylen 137/256 dur 1602/1504 >> >> So let's give this array space enough to fill it with a NULL byte. >> >> Signed-off-by: Brian Norris<computersforpeace@...il.com> >> Cc: Brett Rudley<brudley@...adcom.com> >> Cc: Arend van Spriel<arend@...adcom.com> >> Cc: "Franky (Zhenhui) Lin"<frankyl@...adcom.com> >> Cc: Hante Meuleman<meuleman@...adcom.com> >> Cc: "John W. Linville"<linville@...driver.com> >> Cc: linux-wireless@...r.kernel.org >> Cc: brcm80211-dev-list@...adcom.com >> Cc: netdev@...r.kernel.org > > BTW, I guess this qualifies as a security hole, albeit a small one. > Should this be CC: stable@...r.kernel.org? I have no strong opinion on this, but I guess. Feel free to do so. Regards, Arend >> --- >> drivers/net/wireless/brcm80211/brcmsmac/main.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c >> index 1b474828d5b8..aed0c948dce8 100644 >> --- a/drivers/net/wireless/brcm80211/brcmsmac/main.c >> +++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c >> @@ -316,7 +316,7 @@ static const u16 xmtfifo_sz[][NFIFO] = { >> static const char * const fifo_names[] = { >> "AC_BK", "AC_BE", "AC_VI", "AC_VO", "BCMC", "ATIM" }; >> #else >> -static const char fifo_names[6][0]; >> +static const char fifo_names[6][1]; >> #endif >> >> #ifdef DEBUG > > Brian > > [1] http://lwn.net/Articles/626689/ -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists