Bug 199209

Summary: net-wireless/iwlwifi < 1.1.21-r1 NULL dereference vulnerability (CVE-2007-5938)
Product: Gentoo Security
Reporter: airsupply <airsupply>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: trivial
CC: compnerd, ischram
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Attachments (description, flags):
CVE-2007-5938.patch    none

Description airsupply 2007-11-15 08:25:41 UTC
iwlwifi NULL dereference vulnerability

[Security Advisory]

Advisory: [AD_LAB-07014] iwlwifi NULL dereference vulnerability

Class: Design error

Affected distribution:
	All Linux distributions that use iwlwifi.

A vulnerability has been discovered in iwlwifi.

The iwlwifi project provides a driver which utilizes the new mac80211 subsystem for
the Intel® Wireless WiFi Link 4965AGN and Intel® PRO/Wireless 3945ABG Network Connection adapters.

	There is a NULL dereference vulnerability in function iwl_set_rate() in compatible/iwl3945-base.c.

static void iwl_set_rate(struct iwl_priv *priv)
{
	const struct ieee80211_hw_mode *hw = NULL;
	struct ieee80211_rate *rate;
	int i;

(1)	hw = iwl_get_hw_mode(priv, priv->phymode);  <-- not check ret

	priv->active_rate = 0;
	priv->active_rate_basic = 0;

	IWL_DEBUG_RATE("Setting rates for 802.11%c\n",
		       hw->mode == MODE_IEEE80211A ?
		       'a' : ((hw->mode == MODE_IEEE80211B) ? 'b' : 'g'));

(2)	for (i = 0; i < hw->num_rates; i++) { <-- null deref.

At (1) the return value of iwl_get_hw_mode() is not checked; it may return NULL.
When it returns NULL, (2) dereferences a NULL pointer. A remote attacker can
cause the client kernel to panic.

NULL dereference can cause kernel panic.


    Venustech AD-LAB discovered this vulnerability. Thanks to all Venustech AD-Lab guys.



The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
Trusted {Solution} Provider
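
The report above boils down to one defect class: a lookup that can legitimately return NULL is dereferenced without a check, and in kernel context that is an oops. The following is an added, stand-alone C example (not code from the advisory, from iwlwifi, or from the Gentoo patch) that models the pattern with constructed stand-in types: get_hw_mode() plays the role of iwl_get_hw_mode() and returns NULL for an unregistered or out-of-range phymode, set_rate_unchecked() mirrors the reported code, and set_rate_checked() is the hardened form that tests the result and reports failure instead of touching memory through NULL. All type, field and function names, and the rate masks, are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-ins for the driver's types. The real struct iwl_priv and
 * struct ieee80211_hw_mode are far larger; only the fields the bug touches are
 * modelled, and all names here (hw_mode, priv, get_hw_mode, ...) are hypothetical.
 */
enum phymode { MODE_IEEE80211A = 0, MODE_IEEE80211B = 1, MODE_IEEE80211G = 2, NUM_MODES = 3 };

struct hw_mode {
    int mode;
    int num_rates;        /* number of rates the mode supports */
    uint32_t basic_rates; /* bitmask of mandatory ("basic") rates, constructed */
};

struct priv {
    int phymode;
    uint32_t active_rate;
    uint32_t active_rate_basic;
    const struct hw_mode *modes[NUM_MODES]; /* NULL until a mode is registered */
};

static const struct hw_mode mode_a = { MODE_IEEE80211A, 8, 0x15 }; /* constructed */
static const struct hw_mode mode_b = { MODE_IEEE80211B, 4, 0x0f }; /* constructed */

/* Models iwl_get_hw_mode(): NULL for an out-of-range or not-yet-registered mode. */
static const struct hw_mode *get_hw_mode(const struct priv *priv, int phymode)
{
    if (phymode < 0 || phymode >= NUM_MODES)
        return NULL;
    return priv->modes[phymode];
}

/* The reported pattern: the lookup result is used without a check. In kernel
 * context a NULL hw here is an oops. Safe only while the mode is registered. */
static void set_rate_unchecked(struct priv *priv)
{
    const struct hw_mode *hw = get_hw_mode(priv, priv->phymode);
    int i;

    priv->active_rate = 0;
    priv->active_rate_basic = 0;
    for (i = 0; i < hw->num_rates; i++) /* hw may be NULL */
        priv->active_rate |= 1u << i;
}

/* Hardened form: test the lookup, leave state untouched and report failure. */
static int set_rate_checked(struct priv *priv)
{
    const struct hw_mode *hw = get_hw_mode(priv, priv->phymode);
    int i;

    if (!hw) {
        fprintf(stderr, "set_rate: no hw mode registered for phymode %d\n",
                priv->phymode);
        return -1;
    }
    priv->active_rate = 0;
    priv->active_rate_basic = 0;
    for (i = 0; i < hw->num_rates; i++)
        priv->active_rate |= 1u << i;
    priv->active_rate_basic = priv->active_rate & hw->basic_rates;
    return 0;
}

/* Builds a priv with modes A and B registered and G deliberately left NULL,
 * standing in for the half-initialised state the report is concerned with. */
static struct priv make_priv(int phymode)
{
    struct priv p = { 0 };
    p.phymode = phymode;
    p.modes[MODE_IEEE80211A] = &mode_a;
    p.modes[MODE_IEEE80211B] = &mode_b;
    return p;
}

/* Return code of the hardened routine for a given phymode. */
int checked_result_for(int phymode)
{
    struct priv p = make_priv(phymode);
    return set_rate_checked(&p);
}

/* Resulting active-rate mask, or 0 when the lookup failed. */
uint32_t active_rate_for(int phymode)
{
    struct priv p = make_priv(phymode);
    return set_rate_checked(&p) == 0 ? p.active_rate : 0;
}

/* Resulting basic-rate mask, or 0 when the lookup failed. */
uint32_t basic_rate_for(int phymode)
{
    struct priv p = make_priv(phymode);
    return set_rate_checked(&p) == 0 ? p.active_rate_basic : 0;
}

int main(void)
{
    struct priv p = make_priv(MODE_IEEE80211B);

    set_rate_unchecked(&p); /* fine here: mode B is registered */
    printf("B: rc=%d active=0x%x basic=0x%x\n", checked_result_for(MODE_IEEE80211B),
           active_rate_for(MODE_IEEE80211B), basic_rate_for(MODE_IEEE80211B));
    printf("G (unregistered): rc=%d\n", checked_result_for(MODE_IEEE80211G));
    printf("7 (out of range): rc=%d\n", checked_result_for(7));
    return 0;
}
```

The unchecked variant is only ever called with a registered mode, which is exactly the argument made in Comment 2 about real call sites; the hardened variant is what the 1.1.21-r1 patch amounts to in spirit, since the cost of the check is one comparison and the cost of omitting it is a kernel oops whenever the initialisation-order assumption is violated.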

Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-16 00:37:05 UTC
Saleem, please advise.
Comment 2 Ian Schram 2007-11-19 14:15:20 UTC
(Saleem submitted patches upstream; they are in iwlwifi git and were submitted to the kernel mailing lists.)

I am going to take a risk here and deny what they claim: this is a non-issue. The function will never return NULL in any real-life circumstances.

(This inconsistency in the code was already reported to the iwlwifi mailing list at the end of September.)

I concluded that back in September, and I looked through the 3945 code again more thoroughly today. It is my preliminary conviction that the level of foo needed to return 0 is pretty high.

There are 4 call sites for this function (.._set_rates()).
The only one which isn't safe from this (because it isn't obviously preceded by a get_channel_info) is in the reset_tsf callback.

In any case, it would only be exploitable during module loading/initialisation, because once it is set to a valid value, it will not be changed to something invalid anymore.

I would be interested to know how it can be exploited. Feel free to mail/contact me with an exploitation scenario.

But anyway, it's better that the check is in place.
Comment 3 Saleem Abdulrasool (RETIRED) gentoo-dev 2007-11-20 05:57:26 UTC
The old versions are no longer in the tree.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-11-20 07:55:44 UTC
Created attachment 136472 [details, diff]

Adding compnerd's patch for reference.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-20 07:56:50 UTC
Patch is in 1.1.21-r1, closing.