Re: [PATCH,2.4,SECURITY,NET] orinoco: CVE-2005-3180: Information leakage due to incorrect padding

2006-02-15 Thread Marcelo Tosatti
On Wed, Feb 08, 2006 at 06:35:27PM +0900, Horms wrote:
  [PATCH] Better fixup for the orinoco driver
  
  The latest kernel added a pretty ugly fix for the orinoco etherleak bug
  which contains bogus skb-len checks already done by the caller and causes
  copies of all odd sized frames (which are quite common)
  
  While the skb-len check should be ripped out the other fix is harder to do
  properly so I'm proposing for this the -mm tree only until next 2.6.x so
  that it gets tested.
  
  Instead of copying buffers around blindly this code implements a padding
  aware version of the hermes buffer writing function which does padding as
  the buffer is loaded and thus more cleanly and without bogus 1.5K copies.
  
  Signed-off-by: Alan Cox [EMAIL PROTECTED]
  Signed-off-by: Andrew Morton [EMAIL PROTECTED]
  Signed-off-by: Jeff Garzik [EMAIL PROTECTED]
 
 The above is a patch included in 2.6.16 as a fix for CVE-2005-3180.  It appears to
 be applicable to 2.4.  I have made a backport below, with the only
 semi-significant change being including the ALIGN macro in orinoco.c, as it
 doesn't exist in 2.4.
 
 As yet untested

Applied.

In regard to testing:

- similarity of 2.6 code guarantees certain testing coverage
- v2.4.33 is in -pre stage, plenty of time for the fix to 
be on trial.

Thanks Horms!




[PATCH,2.4,SECURITY,NET] orinoco: CVE-2005-3180: Information leakage due to incorrect padding

2006-02-08 Thread Horms
 [PATCH] Better fixup for the orinoco driver
 
 The latest kernel added a pretty ugly fix for the orinoco etherleak bug
 which contains bogus skb-len checks already done by the caller and causes
 copies of all odd sized frames (which are quite common)
 
 While the skb-len check should be ripped out the other fix is harder to do
 properly so I'm proposing for this the -mm tree only until next 2.6.x so
 that it gets tested.
 
 Instead of copying buffers around blindly this code implements a padding
 aware version of the hermes buffer writing function which does padding as
 the buffer is loaded and thus more cleanly and without bogus 1.5K copies.
 
 Signed-off-by: Alan Cox [EMAIL PROTECTED]
 Signed-off-by: Andrew Morton [EMAIL PROTECTED]
 Signed-off-by: Jeff Garzik [EMAIL PROTECTED]

The above is a patch included in 2.6.16 as a fix for CVE-2005-3180.  It appears to
be applicable to 2.4.  I have made a backport below, with the only
semi-significant change being including the ALIGN macro in orinoco.c, as it
doesn't exist in 2.4.

As yet untested

Signed-off-by: Horms [EMAIL PROTECTED]

index 0c06b14..b99edd3 100644
--- a/drivers/net/wireless/hermes.c
+++ b/drivers/net/wireless/hermes.c
@@ -448,6 +448,43 @@ int hermes_bap_pwrite(hermes_t *hw, int 
return err;
 }
 
+/* Write a block of data to the chip's buffer with padding if
+ * neccessary, via the BAP. Synchronization/serialization is the
+ * caller's problem. len must be even.
+ *
+ * Returns:  0 on internal failure (errno), 0 on success,  0 on error from 
firmware
+ */
+int hermes_bap_pwrite_pad(hermes_t *hw, int bap, const void *buf, unsigned 
data_len, unsigned len,
+ u16 id, u16 offset)
+{
+   int dreg = bap ? HERMES_DATA1 : HERMES_DATA0;
+   int err = 0;
+
+   if (len  0 || len % 2 || data_len  len)
+   return -EINVAL;
+
+   err = hermes_bap_seek(hw, bap, id, offset);
+   if (err)
+   goto out;
+
+   /* Transfer all the complete words of data */
+   hermes_write_words(hw, dreg, buf, data_len/2);
+   /* If there is an odd byte left over pad and transfer it */
+   if (data_len  1) {
+   u8 end[2];
+   end[1] = 0;
+   end[0] = ((unsigned char *)buf)[data_len - 1];
+   hermes_write_words(hw, dreg, end, 1);
+   data_len ++;
+   }
+   /* Now send zeros for the padding */
+   if (data_len  len)
+   hermes_clear_words(hw, dreg, (len - data_len) / 2);
+   /* Complete */
+ out:
+   return err;
+}
+
 /* Read a Length-Type-Value record from the card.
  *
  * If length is NULL, we ignore the length read from the card, and
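Review bot: The first term of the guard at the top of hermes_bap_pwrite_pad compares `len` against 0 (the operator appears to have been stripped by the archive rendering; in the 2.6.16 original it is presumably `len < 0`), which can never be true for an `unsigned` parameter and only draws a tautological-comparison warning. The conditions that actually enforce the documented contract are the evenness test and the later `data_len > len` test, so the line can be reduced to `if (len % 2 || data_len > len) return -EINVAL;` without changing behaviour. The explicit zero fill of the `len - data_len` tail through `hermes_clear_words` is what stops stale buffer contents from leaving the card as padding, and that deserves to be stated in the header comment, e.g. `/* The tail up to len is cleared explicitly so stale buffer bytes are never transmitted as padding */`; the same comment also misspells "necessary".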
@@ -534,6 +571,7 @@ EXPORT_SYMBOL(hermes_allocate);
 
 EXPORT_SYMBOL(hermes_bap_pread);
 EXPORT_SYMBOL(hermes_bap_pwrite);
+EXPORT_SYMBOL(hermes_bap_pwrite_pad);
 EXPORT_SYMBOL(hermes_read_ltv);
 EXPORT_SYMBOL(hermes_write_ltv);
 
index 5c01d0d..5a7e587 100644
--- a/drivers/net/wireless/hermes.h
+++ b/drivers/net/wireless/hermes.h
@@ -319,6 +319,8 @@ int hermes_bap_pread(hermes_t *hw, int b
   u16 id, u16 offset);
 int hermes_bap_pwrite(hermes_t *hw, int bap, const void *buf, unsigned len,
u16 id, u16 offset);
+int hermes_bap_pwrite_pad(hermes_t *hw, int bap, const void *buf,
+   unsigned data_len, unsigned len, u16 id, u16 offset);
 int hermes_read_ltv(hermes_t *hw, int bap, u16 rid, unsigned buflen,
u16 *length, void *buf);
 int hermes_write_ltv(hermes_t *hw, int bap, u16 rid,
index 5b5ca26..ec4003f 100644
--- a/drivers/net/wireless/orinoco.c
+++ b/drivers/net/wireless/orinoco.c
@@ -2312,6 +2312,8 @@ orinoco_stat_gather(struct net_device *d
}
 }
 
+#define ALIGN(x,a) (((x)+(a)-1)~((a)-1))
+
 static int
 orinoco_xmit(struct sk_buff *skb, struct net_device *dev)
 {
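Review bot: The new `ALIGN` macro is defined unconditionally even though the patch adds it only because 2.4 lacks it, so any later 2.4 header that grows its own `ALIGN` would cause a redefinition warning or error in this file; wrapping it as `#ifndef ALIGN` / `#define ALIGN(x,a) (((x)+(a)-1)&~((a)-1))` / `#endif` keeps the backport robust (the `&` appears to have been lost in the archive rendering). The macro also evaluates `a` twice, which is harmless for the constant 2 it is used with below but worth a one-line comment so nobody passes an expression with side effects.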
@@ -2407,14 +2409,22 @@ orinoco_xmit(struct sk_buff *skb, struct
stats-tx_errors++;
goto fail;
}
+   /* Actual xfer length - allow for padding */
+   len = ALIGN(data_len, 2);
+   if (len  ETH_ZLEN - ETH_HLEN)
+   len = ETH_ZLEN - ETH_HLEN;
} else { /* IEEE 802.3 frame */
data_len = len + ETH_HLEN;
data_off = HERMES_802_3_OFFSET;
p = skb-data;
+   /* Actual xfer length - round up for odd length packets */
+   len = ALIGN(data_len, 2);
+   if (len  ETH_ZLEN)
+   len = ETH_ZLEN;
}
 
-   /* Round up for odd length packets */
-   err = hermes_bap_pwrite(hw, USER_BAP, p, RUP_EVEN(data_len), txfid, 
data_off);
+   err = hermes_bap_pwrite_pad(hw, USER_BAP, p, data_len, len,
+   txfid, data_off);
if (err) {
printk(KERN_ERR %s: Error %d writing packet to BAP\n,
   dev-name, err);
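Review bot: The two new minimum-length clamps in orinoco_xmit carry no comment on why the driver now pads short frames to ETH_ZLEN (ETH_ZLEN - ETH_HLEN on the 802.11 path) itself, and that reason is the whole point of the patch; a short comment above the first clamp such as `/* Pad short frames to the Ethernet minimum ourselves so the firmware never sends stale buffer bytes as padding */` would tell the next reader why the value must not drop back to RUP_EVEN(data_len). Reusing `len` for the transfer length after it held the packet length earlier in the function (which begins before this hunk, as `data_len = len + ETH_HLEN` shows) invites confusion; a separate local such as `xfer_len` passed to hermes_bap_pwrite_pad would be clearer. The comparison operators in both clamps appear to have been stripped by the archive rendering.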