From: Brian Norris
Date: Tue, 25 Aug 2020 12:30:28 -0700
Subject: Re: [PATCH net] mwifiex: Increase AES key storage size to 256 bits
To: Maximilian Luz
Cc: Amitkumar Karwar, Ganapathi Bhat, Xinming Hu, Kalle Valo, "David S. Miller", Jakub Kicinski, Dan Carpenter, linux-wireless, Linux Kernel, Kaloyan Nikolov
In-Reply-To: <20200825153829.38043-1-luzmaximilian@gmail.com>
X-Mailing-List: linux-wireless@vger.kernel.org

Hi,

On Tue, Aug 25, 2020 at 8:38 AM Maximilian Luz wrote:
>
> Following commit e18696786548 ("mwifiex: Prevent memory corruption
> handling keys") the mwifiex driver fails to authenticate with certain
> networks, specifically networks with 256 bit keys, and repeatedly asks
> for the password. The kernel log repeats the following lines (id and
> bssid redacted):
>
>     mwifiex_pcie 0000:01:00.0: info: trying to associate to '' bssid
>     mwifiex_pcie 0000:01:00.0: info: associated to bssid successfully
>     mwifiex_pcie 0000:01:00.0: crypto keys added
>     mwifiex_pcie 0000:01:00.0: info: successfully disconnected from : reason code 3
>
> Tracking down this problem led to the overflow check introduced by the
> aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
> check fails on networks with 256 bit keys due to the current storage
> size for AES keys in struct mwifiex_aes_param being only 128 bit.
>
> To fix this issue, increase the storage size for AES keys to 256 bit.
>
> Signed-off-by: Maximilian Luz
> Reported-by: Kaloyan Nikolov
> Tested-by: Kaloyan Nikolov

Thanks for this! I just happened to notice this breakage here, as we
just merged the relevant -stable updates. I think it would be wise to
get the Fixes tag Dan noted, when Kalle lands this.

Reviewed-by: Brian Norris
Tested-by: Brian Norris

Also, while technically the regressing commit (e18696786548 ("mwifiex:
Prevent memory corruption handling keys")) was fixing a potential
overflow, the encasing command structure (struct host_cmd_ds_command)
is a union of a ton of other command layouts, and likely had plenty of
padding at the end, which would at least explain why non-malicious
scenarios weren't problematic pre-commit-e18696786548. It's also not
clear to me how much the network can directly determine this length,
but I suppose that's beside the point now -- it's good to fix both of
these bugs.

Regards,
Brian
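
Added example (not part of the original message and not the driver's code): a simplified model of the two bugs discussed above, showing a length check against 128-bit storage rejecting a 256-bit key, and why an unchecked copy of that key could still land inside a larger command union. All structure names, the helper functions and the 128-byte union member are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN_128 16 /* bytes in a 128-bit AES key */
#define KEY_LEN_256 32 /* bytes in a 256-bit AES key */

/* Hypothetical, simplified stand-ins for the driver's structures. */
struct aes_param_old { uint8_t key[KEY_LEN_128]; }; /* storage before the fix */
struct aes_param_new { uint8_t key[KEY_LEN_256]; }; /* storage after the fix */
union cmd_old {                  /* command buffer shared by many layouts */
    struct aes_param_old aes;
    uint8_t other_layout[128];   /* constructed size of a larger command */
};
static const uint8_t sample_key[KEY_LEN_256] = {0}; /* constructed key bytes */

/* Bounds-checked copy: 0 on success, -1 if key_len exceeds the storage. */
static int store_key(uint8_t *dst, size_t dst_size, size_t key_len)
{
    if (key_len > dst_size)
        return -1;               /* reject rather than write past dst */
    memcpy(dst, sample_key, key_len);
    return 0;
}

/* Checked store into the 128-bit field: a 256-bit key is rejected. */
int try_old(size_t key_len)
{
    struct aes_param_old p;
    return store_key(p.key, sizeof(p.key), key_len);
}

/* Checked store into the 256-bit field: the same key is accepted. */
int try_new(size_t key_len)
{
    struct aes_param_new p;
    return store_key(p.key, sizeof(p.key), key_len);
}

/* Would an unchecked copy into the old field (union offset 0) stay in the union? */
int unchecked_copy_stays_in_union(size_t key_len)
{
    return offsetof(struct aes_param_old, key) + key_len <= sizeof(union cmd_old);
}

int main(void)
{
    printf("old=%d new=%d in_union=%d\n", try_old(KEY_LEN_256),
           try_new(KEY_LEN_256), unchecked_copy_stays_in_union(KEY_LEN_256));
    return 0;
}
```

Staying inside the union only means the extra 16 bytes overwrite memory that belongs to the same command buffer; it is still a write past the end of the key field, which is what the length check prevents.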