Bug 199209 - net-wireless/iwlwifi < 1.1.21-r1 NULL dereference vulnerability (CVE-2007-5938)
Summary: net-wireless/iwlwifi < 1.1.21-r1 NULL dereference vulnerability (CVE-2007-5938)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-15 08:25 UTC by airsupply
Modified: 2007-11-20 07:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
CVE-2007-5938.patch (728 bytes, patch)
2007-11-20 07:55 UTC, Robert Buchholz (RETIRED)

Description airsupply 2007-11-15 08:25:41 UTC
iwlwifi NULL dereference vulnerability

[Security Advisory]

Advisory: [AD_LAB-07014] iwlwifi NULL dereference vulnerability
Class: Design Error
DATE: 11/12/2007
CVEID: CVE-2007-5938
Vulnerable:
	<=iwlwifi-1.1.21
Affected distribution:
	All Linux distributions that use iwlwifi.
Vendor:
	Intel®

I. Synopsis

A vulnerability has been discovered in iwlwifi.

II. DETAILS:
----------

Background

The iwlwifi project provides a driver which utilizes the new mac80211 subsystem for the Intel® Wireless WiFi Link 4965AGN and Intel® PRO/Wireless 3945ABG Network Connection adapters.

Description

There is a NULL dereference vulnerability in function iwl_set_rate() in compatible/iwl3945-base.c.
static void iwl_set_rate(struct iwl_priv *priv)
{
	const struct ieee80211_hw_mode *hw = NULL;
	struct ieee80211_rate *rate;
	int i;

(1)	hw = iwl_get_hw_mode(priv, priv->phymode);  <-- return value not checked

	priv->active_rate = 0;
	priv->active_rate_basic = 0;

	IWL_DEBUG_RATE("Setting rates for 802.11%c\n",
		       hw->mode == MODE_IEEE80211A ?
		       'a' : ((hw->mode == MODE_IEEE80211B) ? 'b' : 'g'));

(2)	for (i = 0; i < hw->num_rates; i++) {  <-- NULL dereference

At (1) the return value of iwl_get_hw_mode is not checked; it may return NULL. When it returns NULL, (2) dereferences a NULL pointer. A remote attacker can cause the client kernel to panic.

Impact
NULL dereference can cause kernel panic.

III. CREDIT:
----------

Venustech AD-LAB discovered this vulnerability. Thanks to all Venustech AD-Lab guys.



V. DISCLAIMS:
-----------

The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD (http://www.venustech.com.cn)

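The fix pattern the advisory calls for, as an added C model that is not the driver's code or the attached patch: constructed stand-ins for the mac80211 mode/rate tables, a lookup that can return NULL (as iwl_get_hw_mode can), and a set_rate that checks the result before any use instead of dereferencing it.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the mac80211 structures the advisory names. */
enum { MODE_IEEE80211A = 0, MODE_IEEE80211B = 1, MODE_IEEE80211G = 2, NUM_MODES = 3 };

struct ieee80211_rate { int rate; int is_basic; };
struct ieee80211_hw_mode { int mode; int num_rates; const struct ieee80211_rate *rates; };
struct iwl_priv { int phymode; uint32_t active_rate; uint32_t active_rate_basic; };

/* Sample rate table (constructed): 1 and 2 Mbit/s basic, 5.5 and 11 Mbit/s not. */
static const struct ieee80211_rate rates_b[] = { {10, 1}, {20, 1}, {55, 0}, {110, 0} };
static const struct ieee80211_hw_mode modes[NUM_MODES] = {
    { MODE_IEEE80211A, 0, NULL },      /* no table registered in this model */
    { MODE_IEEE80211B, 4, rates_b },
    { MODE_IEEE80211G, 0, NULL },
};

/* Model of iwl_get_hw_mode(): NULL when the requested mode has no table,
 * which is exactly the case the original iwl_set_rate() never handled. */
static const struct ieee80211_hw_mode *get_hw_mode(int phymode)
{
    if (phymode < 0 || phymode >= NUM_MODES || modes[phymode].rates == NULL)
        return NULL;
    return &modes[phymode];
}

/* Hardened set_rate: the lookup result is checked before the rate loop.
 * Returns 0 on success, -1 when no mode table exists; priv is untouched on -1. */
static int set_rate_checked(struct iwl_priv *priv)
{
    const struct ieee80211_hw_mode *hw = get_hw_mode(priv->phymode);
    int i;

    if (hw == NULL)                    /* the check the original code lacked */
        return -1;

    priv->active_rate = 0;
    priv->active_rate_basic = 0;
    for (i = 0; i < hw->num_rates; i++) {
        priv->active_rate |= 1u << i;  /* bit i: rate i is supported */
        if (hw->rates[i].is_basic)
            priv->active_rate_basic |= 1u << i;
    }
    return 0;
}
```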
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-16 00:37:05 UTC
Saleem, please advise.
Comment 2 Ian Schram 2007-11-19 14:15:20 UTC
(saleem submitted patches upstream, they are in iwlwifi git, and submitted to kernel mailing lists)

I am going to take a risk here, and deny what they claim: this is a non-issue. The function will never return NULL in any real-life circumstances.

(this inconsistency in the code was already reported to the iwlwifi mailing list at the end of September http://article.gmane.org/gmane.linux.drivers.ipw3945.devel/1618 )

I concluded that back in September, and I looked through the 3945 code again today more thoroughly right now. And it is my preliminary conviction that the level foo needed to return 0 is pretty high.

There are 4 call sites for this function (.._set_rates() ).
The only one which isn't safe from this (because it isn't obviously preceded by a get_channel_info) is in the reset_tsf callback.

In any case, it would only be exploitable when the module is loading/initialising, because once it is set to a valid value, it will not be changed to something invalid anymore.

I would be interested to know how it can be exploited. Feel free to mail/contact me with an exploitation scenario.

But anyway, it's better that the check is in place.
Comment 3 Saleem Abdulrasool (RETIRED) gentoo-dev 2007-11-20 05:57:26 UTC
The old versions are no longer in the tree.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-11-20 07:55:44 UTC
Created attachment 136472
CVE-2007-5938.patch

Adding compnerd's patch for reference.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-20 07:56:50 UTC
Patch is in 1.1.21-r1, closing.