Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3757070pxk;
        Tue, 29 Sep 2020 05:38:57 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxM23hlwI5jgWOfpH97cODYL2f9WAzdzBBjiuwmoDfFGh+1DJu8v7W7sXue/0qPDnh7QoVG
X-Received: by 2002:aa7:de82:: with SMTP id j2mr3152699edv.3.1601383137436;
        Tue, 29 Sep 2020 05:38:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1601383137; cv=none;
        d=google.com; s=arc-20160816;
        b=MddQ4RSfqEx7cWRQIFRRiS+fhkQelglAA55a3Y+68h8zLmGF56NezYpsYERLjqzEI/
         wBZk71m4BAoaUV66l3t/YeMdAcOZbvgYkoaPaQTArIKpMz5Qxq2S9Sg6n9Pirxbl5L0K
         7Ul/eE4aUC2YMCpKkO8srWRyAFVM5mDk0p1rd68rL+j0q9B6yOTtzwxL2Ua82pbq5xWu
         BloJQustPW7dq76Esvj9Bhw3eqrldRyMJITlBuKc1wvhhaAROuf5J3+hdApDWDTtNnQG
         3f9Upk98VihuusgbLaLy6exuOS3X5tZVW7DYco6P+4TClolPwbwCPkL+5OOxMCcb6trQ
         IiDg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=0SK2X3duMLvIIcYAmeEroFXNj/zTWoDt2pzhJPZ8i4I=;
        b=XG/koAz+85p8sPpsntOWMn+zufgxArUMXgEMRmmEhg/oZcQTHBN0m3SufIwH+VLT5b
         YLFS90T6b83iqu2WhzX2Jjn9g9uCGTIOP1LstP1sLPECMaFtb/JvofnwR0ms/gB//v8Z
         hduukxpdDEo+57DLZxRYZXSOdrfvlFH5K56GLIegW/DsyvTiFG+1bIYkb9rVkF3je/KS
         eO/QdEJBgBYz+3c/H0NzVlct70J8+2ghJcR32Rt0TkWA4/KvhQDgQZnEGB6esnjMjJyS
         RgJtSGACOjvEoPzuSZAdlIzUGWLdCRZdd7ePiI6AgScAN/cthjNnBxp2gSrc0s2sxnmk
         qfEg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=NcwA5j4q;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g10si2382568edv.47.2020.09.29.05.38.34;
        Tue, 29 Sep 2020 05:38:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=NcwA5j4q;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1733075AbgI2Mff (ORCPT <rfc822;sbrunau@gmail.com> + 99 others);
        Tue, 29 Sep 2020 08:35:35 -0400
Received: from mail.kernel.org ([198.145.29.99]:37334 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1729544AbgI2LVO (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 29 Sep 2020 07:21:14 -0400
Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id F1F9A23A40;
        Tue, 29 Sep 2020 11:19:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1601378352;
        bh=o+Z7Jdv/qMi6nvYPlkj4hmUj2ui70JgeWmRmqa+pKIE=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=NcwA5j4q2RhkRrUtJSPV/hJn8H4wGv31EZ4IirPjVH8mLPUSNIkam3PYCzSjRcFRH
         OpLityEEr8chaQVUtymcwlgWbQk20/blBWTPiyVnp6WS784srzVTM2fnH2pSwZFbd4
         YMQj/yxRv/4ZnpHJGlCdswPOcAg03uc3DUqkuLi0=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Maximilian Luz <luzmaximilian@gmail.com>,
        Kaloyan Nikolov <konik98@gmail.com>,
        Dan Carpenter <dan.carpenter@oracle.com>,
        Brian Norris <briannorris@chromium.org>,
        Kalle Valo <kvalo@codeaurora.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 149/166] mwifiex: Increase AES key storage size to 256 bits
Date:   Tue, 29 Sep 2020 13:01:01 +0200
Message-Id: <20200929105942.637429390@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200929105935.184737111@linuxfoundation.org>
References: <20200929105935.184737111@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Maximilian Luz <luzmaximilian@gmail.com>

[ Upstream commit 4afc850e2e9e781976fb2c7852ce7bac374af938 ]

Following commit e18696786548 ("mwifiex: Prevent memory corruption
handling keys") the mwifiex driver fails to authenticate with certain
networks, specifically networks with 256 bit keys, and repeatedly asks
for the password. The kernel log repeats the following lines (id and
bssid redacted):

    mwifiex_pcie 0000:01:00.0: info: trying to associate to '<id>' bssid <bssid>
    mwifiex_pcie 0000:01:00.0: info: associated to bssid <bssid> successfully
    mwifiex_pcie 0000:01:00.0: crypto keys added
    mwifiex_pcie 0000:01:00.0: info: successfully disconnected from <bssid>: reason code 3

Tracking down this problem lead to the overflow check introduced by the
aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
check fails on networks with 256 bit keys due to the current storage
size for AES keys in struct mwifiex_aes_param being only 128 bit.

To fix this issue, increase the storage size for AES keys to 256 bit.

Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys")
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Reported-by: Kaloyan Nikolov <konik98@gmail.com>
Tested-by: Kaloyan Nikolov <konik98@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Tested-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/marvell/mwifiex/fw.h          | 2 +-
 drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
index 342555ebafd79..1d86d29b64ccc 100644
--- a/drivers/net/wireless/marvell/mwifiex/fw.h
+++ b/drivers/net/wireless/marvell/mwifiex/fw.h
@@ -938,7 +938,7 @@ struct mwifiex_tkip_param {
 struct mwifiex_aes_param {
 	u8 pn[WPA_PN_SIZE];
 	__le16 key_len;
-	u8 key[WLAN_KEY_LEN_CCMP];
+	u8 key[WLAN_KEY_LEN_CCMP_256];
 } __packed;
 
 struct mwifiex_wapi_param {
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
index 19ce279df24d9..1aeb8cf6dff97 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
@@ -624,7 +624,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
 	key_v2 = &resp->params.key_material_v2;
 
 	len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len);
-	if (len > WLAN_KEY_LEN_CCMP)
+	if (len > sizeof(key_v2->key_param_set.key_params.aes.key))
 		return -EINVAL;
 
 	if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) {
@@ -640,7 +640,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
 		return 0;
 
 	memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0,
-	       WLAN_KEY_LEN_CCMP);
+	       sizeof(key_v2->key_param_set.key_params.aes.key));
 	priv->aes_key_v2.key_param_set.key_params.aes.key_len =
 				cpu_to_le16(len);
 	memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
-- 
2.25.1