iwlwifi NULL dereference vulnerability [Security Advisory] Advisory: [AD_LAB-07014] iwlwifi NULL dereference vulnerability Class: design Error DATE:11/12/2007 CVEID:CVE-2007-5938 Vulnerable: <=iwlwifi-1.1.21 Affected distribution: All linux distribution with iwlwifi used. Vendor: Intel® I.Synopsis A vulnerability has been discovered in iwlwifi. II.DETAILS: ---------- Background The iwlwifi project provides a driver which utilizes the new mac80211 subsystem for the Intel® Wireless WiFi Link 4965AGN and Intel® PRO/Wireless 3945ABG Network Connection adapters. Description There is a NULL dereference vulnerability in function iwl_set_rate() in compatible/iwl3945-base.c. static void iwl_set_rate(struct iwl_priv *priv) { const struct ieee80211_hw_mode *hw = NULL; struct ieee80211_rate *rate; int i; (1) hw = iwl_get_hw_mode(priv, priv->phymode); <-- not check ret priv->active_rate = 0; priv->active_rate_basic = 0; IWL_DEBUG_RATE("Setting rates for 802.11%c\n", hw->mode == MODE_IEEE80211A ? 'a' : ((hw->mode == MODE_IEEE80211B) ? 'b' : 'g')); (2) for (i = 0; i < hw->num_rates; i++) { <-- null deref. at (1) did not check the return value of iwl_get_hw_mode. it maybe return NULL. when it return NULL will cause (2) dereference NULL pointer. remote attacker can cause the client kernel panic. Impact NULL dereference can cause kernel panic. III.CREDIT: ---------- Venustech AD-LAB discovery this vuln. Thank to all Venustech AD-Lab guys. V.DISCLAIMS: ----------- The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use. VENUSTECH Security Lab VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn) Security Trusted {Solution} Provider Service
Saleem, please advise.
(saleem submitted patches upstream, they are in iwlwifi git, and submitted to kernel mailinglists) I am going to take a risk here, and deny that what they claim that this is a non issue. The function will never return NULL in any real life circumstances. (this inconsistency in the code was already reported to the iwlwifi mailinglist at the end of september http://article.gmane.org/gmane.linux.drivers.ipw3945.devel/1618 ) I concluded that back in September, and i looked through the 3945 code again today more thoroughly right now. And it is my preliminary conviction that the level foo needed to return 0 is pretty high. there are 4 call sites for this function (.._set_rates() ) the only one which isn't safe from this (becuase it isn't obviously preceded by an get_channel_info is in reset_tsf callback.) In any case, it would only be exploitable when the module is loading/initialisation. because once it is set to a valid value, it will not be changed to something invalid anymore. I would be interested to know how it can be exploited. Feel free to mail/contact me with an exploitation scenario. but anyway it's better that the check is in place.
The old versions are no longer in the tree.
Created attachment 136472 [details, diff] CVE-2007-5938.patch Adding compnerd's patch for reference.
Patch is in 1.1.21-r1, closing.