Message-Id: <1212392827.4148.11.camel@johannes.berg>
Date:	Mon, 02 Jun 2008 09:47:07 +0200
From:	Johannes Berg <johannes@...solutions.net>
To:	Michael Buesch <mb@...sch.de>
Cc:	Pavel Roskin <proski@....org>,
	Stefanik Gábor <netrolller.3d@...il.com>,
	linux-wireless <linux-wireless@...r.kernel.org>,
	"bcm43xx-dev@...ts.berlios.de" <bcm43xx-dev@...ts.berlios.de>,
	linux-kernel@...r.kernel.org
Subject: Re: Wireless-testing's b43 panics in b43_generate_txhdr on packet
	transmit

On Sat, 2008-05-31 at 19:54 +0200, Michael Buesch wrote:
> On Saturday 31 May 2008 18:50:36 Pavel Roskin wrote:
> > On Sat, 2008-05-31 at 18:41 +0200, Michael Buesch wrote:
> > > On Saturday 31 May 2008 18:34:29 Stefanik Gábor wrote:
> > > > "BUG: unable to handle kernel NULL pointer dereference at 00000004
> > > > IP: [<f8dd3a99>] :b43:b43_generate_txhdr+0x6a9/0x790
> > > 
> > > So can you put a few printks into the function to see where it dereferences
> > > a NULL pointer? (or use gdb to look up the offset).
> > 
> > u8 key_idx = info->control.hw_key->hw_key_idx;
> > 
> > info->control.hw_key is NULL.
> 
> Is a NULL pointer supposed to tell "do not encrypt", or is this a mac80211 bug?

It looks like a mac80211 bug, but I can't see how we get there.

If you look at mac80211's tx.c, you'll see, in
ieee80211_tx_h_select_key:

        if (!tx->key || !(tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
                info->flags |= IEEE80211_TX_CTL_DO_NOT_ENCRYPT;

Hence, I haven't got a clue how you can possibly get into the situation
we have here, even with packet injection. Unless it's a different
version of mac80211 or something.

johannes
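
The contract discussed above, as an added example that is not part of the original message and not mac80211 or b43 code: a user-space model in which a consumer checks the flag and the pointer before reading hw_key_idx. The struct layouts, flag values, model_* names and the -1/-2 return codes are assumptions; only the flag names and the select-key condition come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag names are from the message; the values are constructed. */
#define IEEE80211_TX_CTL_DO_NOT_ENCRYPT 0x1u
#define KEY_FLAG_UPLOADED_TO_HARDWARE   0x1u

struct model_key { uint32_t flags; uint8_t hw_key_idx; };  /* hypothetical */
struct model_tx_info { uint32_t flags; const struct model_key *hw_key; };

/* Same condition as the quoted check. Recording hw_key here is an
 * assumption of this model, made to keep the example self-contained. */
static void model_select_key(struct model_tx_info *info,
                             const struct model_key *key)
{
    info->hw_key = NULL;
    if (!key || !(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
        info->flags |= IEEE80211_TX_CTL_DO_NOT_ENCRYPT;
    else
        info->hw_key = key;
}

/* Consumer side: key index, -1 for "do not encrypt", -2 when the flag is
 * clear but hw_key is NULL (the state that produced the oops). */
static int model_txhdr_key_idx(const struct model_tx_info *info)
{
    if (info->flags & IEEE80211_TX_CTL_DO_NOT_ENCRYPT)
        return -1;
    if (!info->hw_key)
        return -2;               /* reject instead of dereferencing NULL */
    return info->hw_key->hw_key_idx;
}

static int model_key_idx_for(const struct model_key *key)
{
    struct model_tx_info info = { 0, NULL };
    model_select_key(&info, key);
    return model_txhdr_key_idx(&info);
}

int main(void)
{
    struct model_key up = { KEY_FLAG_UPLOADED_TO_HARDWARE, 3 };
    struct model_key sw = { 0, 3 };          /* key not uploaded to hardware */
    struct model_tx_info bad = { 0, NULL };  /* constructed inconsistent state */
    printf("%d %d %d %d\n", model_key_idx_for(NULL), model_key_idx_for(&sw),
           model_key_idx_for(&up), model_txhdr_key_idx(&bad));
    return 0;
}
```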
