From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jouni Malinen, Johannes Berg
Subject: [PATCH 4.9 035/102] mac80211: Do not use stack memory with scatterlist for GMAC
Date: Mon, 8 Jul 2019 17:12:28 +0200
Message-Id: <20190708150528.209577232@linuxfoundation.org>
In-Reply-To: <20190708150525.973820964@linuxfoundation.org>
References: <20190708150525.973820964@linuxfoundation.org>

From: Jouni Malinen

commit a71fd9dac23613d96ba3c05619a8ef4fd6cdf9b9 upstream.

ieee80211_aes_gmac() uses the mic argument directly in sg_set_buf() and that does not allow use of stack memory (e.g., BUG_ON() is hit in sg_set_buf() with CONFIG_DEBUG_SG). BIP GMAC TX side is fine for this since it can use the skb data buffer, but the RX side was using a stack variable for deriving the local MIC value to compare against the received one.

Fix this by allocating heap memory for the mic buffer.

This was found with hwsim test case ap_cipher_bip_gmac_128 hitting that BUG_ON() and kernel panic.

Cc: stable@vger.kernel.org
Signed-off-by: Jouni Malinen
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/wpa.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c @@ -1169,7 +1169,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); struct ieee80211_key *key = rx->key; struct ieee80211_mmie_16 *mmie; - u8 aad[GMAC_AAD_LEN], mic[GMAC_MIC_LEN], ipn[6], nonce[GMAC_NONCE_LEN]; + u8 aad[GMAC_AAD_LEN], *mic, ipn[6], nonce[GMAC_NONCE_LEN]; struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; if (!ieee80211_is_mgmt(hdr->frame_control)) 
@@ -1200,13 +1200,18 @@ ieee80211_crypto_aes_gmac_decrypt(struct memcpy(nonce, hdr->addr2, ETH_ALEN); memcpy(nonce + ETH_ALEN, ipn, 6); + mic = kmalloc(GMAC_MIC_LEN, GFP_ATOMIC); + if (!mic) + return RX_DROP_UNUSABLE; if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce, skb->data + 24, skb->len - 24, mic) < 0 || crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) { key->u.aes_gmac.icverrors++; + kfree(mic); return RX_DROP_UNUSABLE; } + kfree(mic); } memcpy(key->u.aes_gmac.rx_pn, ipn, 6);
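
Review bot: In the declaration changed by the first hunk (@@ -1169), only mic moves off the stack, while aad[GMAC_AAD_LEN] and nonce[GMAC_NONCE_LEN] remain stack arrays and are passed to the same ieee80211_aes_gmac() call in the second hunk. The commit message explains that mic is the argument handed directly to sg_set_buf(), but nothing in the code says why the other two buffers are safe to leave where they are. A one-line comment at the declaration stating that mic must be heap memory because it is mapped into a scatterlist, and that aad and nonce are not, would stop a later cleanup from turning mic back into a stack array.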
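
Review bot: In the second hunk (@@ -1200), the buffer is allocated with kmalloc(GMAC_MIC_LEN, GFP_ATOMIC) but the comparison still reads sizeof(mmie->mic) bytes from it in crypto_memneq(mic, mmie->mic, sizeof(mmie->mic)). With a stack array the two sizes were visibly tied to the declaration; with a heap pointer a mismatch between them would become an out-of-bounds read, so use the same length expression in both places or add a BUILD_BUG_ON() that they are equal. Two smaller points: kfree(mic) is now repeated on the failure and success paths, and storing the check result in a local, freeing once, then branching would remove the chance of a later edit leaking on one path; and the !mic return drops the frame without incrementing icverrors, which looks intentional since it is not an integrity failure, but a short comment saying so would help.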