linux/drivers
Michael Ellerman 78f7a7566f airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE
The driver for Cisco Aironet 4500 and 4800 series cards (airo.c),
implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl().

The ioctl handler copies an aironet_ioctl struct from userspace, which
includes a command. Some of the commands are handled in readrids(),
where the user controlled command is converted into a driver-internal
value called "ridcode".

There are two command values, AIROGWEPKTMP and AIROGWEPKNV, which
correspond to ridcode values of RID_WEP_TEMP and RID_WEP_PERM
respectively. These commands both have checks that the user has
CAP_NET_ADMIN, with the comment that "Only super-user can read WEP
keys", otherwise they return -EPERM.

However there is another command value, AIRORRID, that lets the user
specify the ridcode value directly, with no other checks. This means
the user can bypass the CAP_NET_ADMIN check on AIROGWEPKTMP and
AIROGWEPKNV.

Fix it by moving the CAP_NET_ADMIN check out of the command handling
and instead do it later based on the ridcode. That way regardless of
whether the ridcode is set via AIROGWEPKTMP or AIROGWEPKNV, or passed
in using AIRORID, we always do the CAP_NET_ADMIN check.

Found by Ilja by code inspection, not tested as I don't have the
required hardware.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-23 11:01:13 +01:00
..
accessibility
acpi ACPI: PM: Avoid attaching ACPI PM domain to certain devices 2019-12-10 00:22:18 +01:00
amba
android binder: fix incorrect calculation for num_valid 2019-12-14 09:10:47 +01:00
ata ata: ahci_brcm: Add missing clock management during recovery 2019-12-25 20:47:24 -07:00
atm atm: eni: fix uninitialized variable warning 2020-01-08 13:11:00 -08:00
auxdisplay auxdisplay: charlcd: deduplicate simple_strtoul() 2019-12-04 19:44:12 -08:00
base Fix built-in early-load Intel microcode alignment 2020-01-15 11:50:37 -08:00
bcma
block block-5.5-2020-01-16 2020-01-17 05:54:18 -08:00
bluetooth Bluetooth: btbcm: Use the BDADDR_PROPERTY quirk 2019-11-22 13:35:20 +01:00
bus bus: ti-sysc: Fix iterating over clocks 2019-12-16 14:55:22 -08:00
cdrom cdrom: respect device capabilities during opening action 2019-11-26 13:02:24 -07:00
char tpm: Handle negative priv->response_len in tpm_common_read() 2020-01-08 18:11:09 +02:00
clk ARM: SoC fixes 2020-01-16 19:42:08 -08:00
clocksource clocksource: riscv: add notrace to riscv_sched_clock 2020-01-04 21:48:48 -08:00
connector
counter
cpufreq Merge branch 'cpufreq/arm/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm 2020-01-07 10:41:35 +01:00
cpuidle cpuidle: teo: Fix intervals[] array indexing bug 2020-01-13 11:14:58 +01:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-01-15 10:21:34 -08:00
dax libnvdimm for 5.5 2019-12-01 18:43:25 -08:00
dca
devfreq PM / devfreq: tegra: Add COMMON_CLK dependency 2019-12-23 10:42:58 +09:00
dio
dma ioat: ioat_alloc_ring() failure handling. 2019-12-27 12:06:06 +05:30
dma-buf - A fix for a memory leak in the dma-buf support 2019-12-09 17:13:19 +10:00
edac riscv: move sifive_l2_cache.h to include/soc 2020-01-12 10:12:44 -08:00
eisa
extcon Char/Misc driver patches for 5.5-rc1 2019-11-27 10:53:50 -08:00
firewire FireWire (IEEE 1394) subsystem updates: 2019-12-02 14:13:00 -08:00
firmware Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2020-01-18 12:50:14 -08:00
fpga
fsi fsi: aspeed: Fix OPB0 byte order register values 2019-11-08 11:28:21 +01:00
gnss
gpio Revert "gpio: thunderx: Switch to GPIOLIB_IRQCHIP" 2020-01-15 11:17:21 +01:00
gpu drm fixes for 5.5-rc7 2020-01-18 13:57:31 -08:00
greybus
hid HID: hidraw, uhid: Always report EPOLLOUT 2020-01-10 15:34:28 +01:00
hsi
hv Merge branch 'akpm' (patches from Andrew) 2019-12-01 20:36:41 -08:00
hwmon compat_ioctl: remove most of fs/compat_ioctl.c 2019-12-01 13:46:15 -08:00
hwspinlock hwspinlock: u8500_hsem: Remove redundant PM runtime implementation 2019-11-08 16:42:26 -08:00
hwtracing coresight: etm4x: Fix unused function warning 2020-01-14 15:38:28 +01:00
i2c i2c: iop3xx: Fix memory leak in probe error path 2020-01-15 20:31:27 +01:00
i3c
ide compat_ioctl: remove most of fs/compat_ioctl.c 2019-12-01 13:46:15 -08:00
idle cpuidle: Drop disabled field from struct cpuidle_state 2019-11-29 11:48:39 +01:00
iio iio: light: vcnl4000: Fix scale for vcnl4040 2020-01-13 12:08:40 +01:00
infiniband i40iw: Remove setting of VMA private data and use rdma_user_mmap_io 2020-01-07 15:07:37 -04:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2020-01-09 15:37:40 -08:00
interconnect interconnect: qcom: msm8974: Walk the list safely on node removal 2019-12-12 10:28:54 +01:00
iommu iommu/dma: fix variable 'cookie' set but not used 2020-01-07 17:08:58 +01:00
ipack
irqchip irqchip/ingenic: Get rid of the legacy IRQ domain 2020-01-13 17:45:23 +01:00
isdn compat_ioctl: remove most of fs/compat_ioctl.c 2019-12-01 13:46:15 -08:00
leds Merge tag 'leds-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/pavel/linux-leds 2019-12-01 16:09:28 -08:00
lightnvm
macintosh powerpc updates for 5.5 2019-11-30 14:35:43 -08:00
mailbox mailbox changes for v5.5 2019-12-01 18:42:02 -08:00
mcb
md block: fix an integer overflow in logical block size 2020-01-15 21:43:09 -07:00
media media updates for v5.5-rc5 2020-01-04 10:41:08 -08:00
memory memory: tegra: Fixes for v5.5-rc1 2019-12-06 08:28:51 -08:00
memstick pci-v5.5-changes 2019-12-03 13:58:22 -08:00
message scsi: mptfusion: Fix double fetch bug in ioctl 2020-01-15 23:05:52 -05:00
mfd chrome platform changes for v5.5 2019-12-03 14:37:12 -08:00
misc Char/Misc fixes for 5.5-rc7 2020-01-18 12:08:57 -08:00
mmc mmc: sdhci-of-esdhc: re-implement erratum A-009204 workaround 2019-12-19 08:13:43 +01:00
mtd mtd: rawnand: gpmi: Restore nfc timing setup after suspend/resume 2020-01-17 22:45:09 +01:00
mux
net airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE 2020-01-23 11:01:13 +01:00
nfc NFC: pn533: fix bulk-message timeout 2020-01-13 18:50:18 -08:00
ntb Add Hygon Device ID to the AMD NTB device driver 2019-12-07 18:38:17 -08:00
nubus
nvdimm libnvdimm for 5.5 2019-12-01 18:43:25 -08:00
nvme nvmet: fix per feat data len for get_feature 2020-01-10 08:55:50 -07:00
nvmem ARM: SoC-related driver updates 2019-12-05 11:43:31 -08:00
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-22 09:54:33 -08:00
opp PM / OPP: Support adjusting OPP voltages at runtime 2019-11-11 10:27:15 +05:30
oprofile Printk changes for 5.5 2019-11-25 19:40:40 -08:00
parisc
parport parport: daisy: use new parport device model 2019-11-13 19:09:49 +08:00
pci PCI: rockchip: Fix IO outbound ATU register number 2019-12-12 15:25:37 -06:00
pcmcia pcmcia: remove unused dprintk definition 2019-11-22 07:03:45 +01:00
perf perf/smmuv3: Remove the leftover put_cpu() in error path 2019-12-18 16:15:36 +00:00
phy phy/rockchip: inno-hdmi: round clock rate down to closest 1000 Hz 2019-12-31 15:46:08 +05:30
pinctrl pinctrl: meson: Fix wrong shift value when get drive-strength 2020-01-07 11:21:07 +01:00
platform platform/chrome fixes for v5.5-rc7. 2020-01-16 10:26:40 -08:00
pnp
power Additional power management updates for 5.5-rc1 2019-12-04 10:48:09 -08:00
powercap powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online() 2020-01-07 12:24:34 +01:00
pps
ps3
ptp ptp: free ptp device pin descriptors properly 2020-01-14 10:58:57 -08:00
pwm pwm: Changes for v5.5-rc1 2019-12-05 11:28:14 -08:00
rapidio drivers/rapidio/rio-access.c: fix missing include of <linux/rio_drv.h> 2019-12-04 19:44:13 -08:00
ras
regulator regulator: Fixes for v5.5 2020-01-06 12:04:31 -08:00
remoteproc remoteproc: stm32: fix probe error case 2019-11-18 20:35:16 -08:00
reset reset: Do not register resource data for missing resets 2019-12-10 11:43:37 +01:00
rpmsg rpmsg updates for v5.5 2019-12-01 18:39:24 -08:00
rtc rtc: cmos: Revert "rtc: Fix the AltCentury value on AMD/Hygon platform" 2020-01-04 05:31:50 +01:00
s390 s390/zcrypt: move ap device reset from bus to driver code 2020-01-09 16:59:18 +01:00
sbus
scsi SCSI fixes on 20200118 2020-01-18 12:12:36 -08:00
sfi
sh
siox
slimbus
soc ARM: SoC fixes 2020-01-16 19:42:08 -08:00
soundwire Merge 5.4-rc7 into char-misc-next 2019-11-11 06:24:30 +01:00
spi spi: Fixes for v5.5 2020-01-06 12:34:44 -08:00
spmi
ssb
staging staging: comedi: ni_routes: allow partial routing information 2020-01-15 13:30:09 +01:00
target SCSI fixes on 20191227 2019-12-27 17:28:41 -08:00
tc
tee optee: Fix multi page dynamic shm pool alloc 2020-01-03 11:21:12 +01:00
thermal drivers: thermal: tsens: Work with old DTBs 2020-01-07 08:22:35 +01:00
thunderbolt thunderbolt: Power cycle the router if NVM authentication fails 2019-11-19 17:35:57 +01:00
tty serdev: Don't claim unsupported ACPI serial devices 2020-01-06 20:00:44 +01:00
uio uio: fix irq init with dt support & irq not defined 2019-11-14 11:49:48 +08:00
usb USB-serial fixes for 5.5-rc7 2020-01-17 19:40:06 +01:00
vfio VFIO updates for v5.5-rc1 2019-12-07 14:51:04 -08:00
vhost Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-08 13:28:11 -08:00
video pci-v5.5-changes 2019-12-03 13:58:22 -08:00
virt compat_ioctl: remove most of fs/compat_ioctl.c 2019-12-01 13:46:15 -08:00
virtio virtio_balloon: divide/multiply instead of shifts 2019-12-11 08:14:07 -05:00
visorbus
vlynq
vme
w1 w1: new driver. DS2430 chip 2019-11-14 13:06:33 +08:00
watchdog watchdog: orion: fix platform_get_irq() complaints 2019-12-30 15:58:29 +01:00
xen xen: branch for v5.5-rc3 2019-12-21 06:24:56 -08:00
zorro
Kconfig
Makefile