Bug#631161: kfreebsd-8: cve-2011-2480 info disclosure
2011/6/21 Michael Gilbert <michael.s.gilbert@gmail.com>:
> looking at the commit itself [0], i find Dan's conclusion rather
> surprising. the affected code is in the 802.11 stack, so it seems like
> it should be platform-independent. i doubt x86 is any better at
> handling signedness issues, but i suppose i could be missing something.
Fix uploaded to unstable and experimental.
debian-security: Patch is available in r3480 in glibc-bsd SVN (attached
for your convenience).
--
Robert Millan
Index: debian/changelog
===================================================================
--- debian/changelog (revision 3479)
+++ debian/changelog (revision 3480)
@@ -1,3 +1,11 @@
+kfreebsd-8 (8.1+dfsg-8+squeeze1) UNRELEASED; urgency=low
+
+ * Fix net802.11 stack kernel memory disclosure (CVE-2011-2480).
+ (Closes: #631160)
+ - 000_net80211_disclosure.diff
+
+ -- Robert Millan <rmh@debian.org> Sat, 25 Jun 2011 13:24:06 +0200
+
kfreebsd-8 (8.1+dfsg-8) stable-proposed-updates; urgency=low
[ Petr Salinger ]
Index: debian/patches/series
===================================================================
--- debian/patches/series (revision 3479)
+++ debian/patches/series (revision 3480)
@@ -3,6 +3,7 @@
000_coda.diff
000_ufs_lookup.diff
000_tcp_usrreq.diff
+000_net80211_disclosure.diff
001_misc.diff
003_glibc_dev_aicasm.diff
004_xargs.diff
Index: debian/patches/000_net80211_disclosure.diff
===================================================================
--- debian/patches/000_net80211_disclosure.diff (revision 0)
+++ debian/patches/000_net80211_disclosure.diff (revision 3480)
@@ -0,0 +1,79 @@
+--- a/sys/net80211/ieee80211_acl.c
++++ b/sys/net80211/ieee80211_acl.c
+@@ -77,7 +77,7 @@
+ struct aclstate {
+ acl_lock_t as_lock;
+ int as_policy;
+- int as_nacls;
++ uint32_t as_nacls;
+ TAILQ_HEAD(, acl) as_list; /* list of all ACL's */
+ LIST_HEAD(, acl) as_hash[ACL_HASHSIZE];
+ struct ieee80211vap *as_vap;
+@@ -289,7 +289,8 @@
+ struct aclstate *as = vap->iv_as;
+ struct acl *acl;
+ struct ieee80211req_maclist *ap;
+- int error, space, i;
++ int error;
++ uint32_t i, space;
+
+ switch (ireq->i_val) {
+ case IEEE80211_MACCMD_POLICY:
+--- a/sys/net80211/ieee80211_ioctl.c
++++ b/sys/net80211/ieee80211_ioctl.c
+@@ -141,7 +141,7 @@
+ ieee80211_ioctl_getchaninfo(struct ieee80211vap *vap, struct ieee80211req *ireq)
+ {
+ struct ieee80211com *ic = vap->iv_ic;
+- int space;
++ uint32_t space;
+
+ space = __offsetof(struct ieee80211req_chaninfo,
+ ic_chans[ic->ic_nchans]);
+@@ -205,7 +205,7 @@
+ {
+ struct ieee80211_node *ni;
+ uint8_t macaddr[IEEE80211_ADDR_LEN];
+- const int off = __offsetof(struct ieee80211req_sta_stats, is_stats);
++ const size_t off = __offsetof(struct ieee80211req_sta_stats, is_stats);
+ int error;
+
+ if (ireq->i_len < off)
+@@ -321,7 +321,7 @@
+ if (req.space > ireq->i_len)
+ req.space = ireq->i_len;
+ if (req.space > 0) {
+- size_t space;
++ uint32_t space;
+ void *p;
+
+ space = req.space;
+@@ -456,7 +456,7 @@
+
+ static __noinline int
+ getstainfo_common(struct ieee80211vap *vap, struct ieee80211req *ireq,
+- struct ieee80211_node *ni, int off)
++ struct ieee80211_node *ni, size_t off)
+ {
+ struct ieee80211com *ic = vap->iv_ic;
+ struct stainforeq req;
+@@ -501,7 +501,7 @@
+ ieee80211_ioctl_getstainfo(struct ieee80211vap *vap, struct ieee80211req *ireq)
+ {
+ uint8_t macaddr[IEEE80211_ADDR_LEN];
+- const int off = __offsetof(struct ieee80211req_sta_req, info);
++ const size_t off = __offsetof(struct ieee80211req_sta_req, info);
+ struct ieee80211_node *ni;
+ int error;
+
+--- a/sys/net80211/ieee80211_ioctl.h
++++ b/sys/net80211/ieee80211_ioctl.h
+@@ -578,7 +578,7 @@
+ char i_name[IFNAMSIZ]; /* if_name, e.g. "wi0" */
+ uint16_t i_type; /* req type */
+ int16_t i_val; /* Index or simple value */
+- int16_t i_len; /* Index or simple value */
++ uint16_t i_len; /* Index or simple value */
+ void *i_data; /* Extra data */
+ };
+ #define SIOCS80211 _IOW('i', 234, struct ieee80211req)
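Review bot: In the ieee80211_ioctl.h part of the added patch, `i_len` becomes `uint16_t` but keeps the copied comment `/* Index or simple value */`, although the handlers shown compare it against offsets and copy sizes; I would document it as what it appears to be, e.g. `uint16_t i_len; /* length of i_data buffer, set by the caller */`. In the `@@ -321` hunk of ieee80211_ioctl.c, `space` is narrowed from `size_t` to `uint32_t` while `off` elsewhere in the same patch is widened to `size_t`. The narrowing looks safe only because `req.space` is clamped to `ireq->i_len` just above, so a comment such as `/* req.space <= i_len (uint16_t) here, so it fits in uint32_t */` would keep that dependency visible. Making `as_nacls` a `uint32_t` in ieee80211_acl.c also means any decrement past zero or `< 0` test on it would now wrap instead of going negative. The functions that use these variables start and end outside the hunks, so the remaining comparisons and copy sizes should be checked against the full files.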