From: David S. Miller <davem@sunset.davemloft.net>
Date: Tue, 20 Nov 2007 11:29:53 +0000 (-0800)
Subject: [WIRELESS] WEXT: Fix userspace corruption on 64-bit.
X-Git-Tag: firefly_0821_release~24175^2~43
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=0a06ea87185531705e4417e3a051f81b64f210c1;p=firefly-linux-kernel-4.4.55.git

[WIRELESS] WEXT: Fix userspace corruption on 64-bit.

On 64-bit systems sizeof(struct ifreq) is 8 bytes larger than
sizeof(struct iwreq).

For GET calls, the wireless extension code copies back into userspace
using sizeof(struct ifreq) but userspace and elsewhere only allocates
a "struct iwreq".  Thus, this copy writes past the end of the iwreq
object and corrupts whatever sits after it in memory.

Fix the copy_to_user() length.

This particularly hurts the compat case because the wireless compat
code uses compat_alloc_userspace() and right after this allocated
buffer is the current bottom of the user stack, and that's what gets
overwritten by the copy_to_user() call.

Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/wireless/wext.c b/net/wireless/wext.c
index 85e5f9dd0d8e..47e80cc2077c 100644
--- a/net/wireless/wext.c
+++ b/net/wireless/wext.c
@@ -1094,7 +1094,7 @@ int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd,
 	rtnl_lock();
 	ret = wireless_process_ioctl(net, ifr, cmd);
 	rtnl_unlock();
-	if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct ifreq)))
+	if (IW_IS_GET(cmd) && copy_to_user(arg, ifr, sizeof(struct iwreq)))
 		return -EFAULT;
 	return ret;
 }