oss-sec mailing list archives
CVE request: kernel: mac80211: fix two remote exploits
From: Eugene Teo <eugeneteo () kernel sg>
Date: Tue, 01 Dec 2009 12:56:20 +0800
http://git.kernel.org/linus/4253119acf412fd686ef4bd8749b5a4d70ea3a51"Lennert Buytenhek noticed a remotely triggerable problem in mac80211, which is due to some code shuffling I did that ended up changing the order in which things were done -- this was in
commit d75636ef9c1af224f1097941879d5a8db7cd04e5
Author: Johannes Berg <johannes () sipsolutions net>
Date: Tue Feb 10 21:25:53 2009 +0100
mac80211: RX aggregation: clean up stop session
The problem is that the BUG_ON moved before the various checks, and as
such can be triggered.
As the comment indicates, the BUG_ON can be removed since the ampdu_action callback must already exist when the state is OPERATIONAL.
A similar code path leads to a WARN_ON in ieee80211_stop_tx_ba_session, which can also be removed."
Btw, FYI, there's another issue that was also introduced by the same code shuffling patch (commit d75636ef) but was fixed in another patch (commit 827d42c9). It was assigned with CVE-2009-4026.
Thanks, Eugene -- Eugene Teo / Red Hat Security Response Team
Current thread:
- CVE request: kernel: mac80211: fix two remote exploits Eugene Teo (Nov 30)
- Re: CVE request: kernel: mac80211: fix two remote exploits Josh Bressers (Dec 02)
- Re: CVE request: kernel: mac80211: fix two remote exploits Eugene Teo (Dec 02)
- Re: CVE request: kernel: mac80211: fix two remote exploits Steven M. Christey (Dec 02)
- Re: CVE request: kernel: mac80211: fix two remote exploits Eugene Teo (Dec 02)
- Re: CVE request: kernel: mac80211: fix two remote exploits Eugene Teo (Dec 02)
- Re: CVE request: kernel: mac80211: fix two remote exploits Josh Bressers (Dec 02)