lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1257151742.3555.165.camel@johannes.local>
Date:	Mon, 02 Nov 2009 09:49:02 +0100
From:	Johannes Berg <johannes@...solutions.net>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	Jeff Chua <jeff.chua.linux@...il.com>,
	"John W. Linville" <linville@...driver.com>,
	Linux Kernel <linux-kernel@...r.kernel.org>
Subject: Re: wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert
 7d930bc33653d5592dc386a76a38f39c2e962344  fixed it.

On Sun, 2009-11-01 at 16:53 -0800, Linus Torvalds wrote:

> That decodes to 
> 
> cfg80211_conn_work+89:
> 
>    3:	89 ef                	mov    %ebp,%edi
>    5:	e8 6f be 41 e1       	callq  0xffffffffe141be79
>    a:	48 8b 43 20          	mov    0x20(%rbx),%rax
>    e:	f6 40 48 01          	testb  $0x1,0x48(%rax)
>   12:	74 5d                	je     0x71
>   14:	83 bb 8c 00 00 00 01 	cmpl   $0x1,0x8c(%rbx)
>   1b:	75 54                	jne    0x71
>   1d:	48 ?? 50 08          	???    0x8(%rax) ???? uncertain instruction ????
>   21:*	8b 02                	mov    (%rdx),%eax     <-- trapping instruction
>   23:	41 89 45 00          	mov    %eax,0x0(%r13)
>   27:	66 8b 42 04          	mov    0x4(%rdx),%ax
>   2b:	66 41 89 45 04       	mov    %ax,0x4(%r13)
>   30:	e8 f5 ea ff ff       	callq  0xffffffffffffeb2a
> 
> trace:
>   __cfg80111_scan_done
>   worker_thread
> 
> which looks like it matches this code:
> 
>         movq    %r14, %rdi      # D.43604,
>         call    mutex_lock      #
>         movq    32(%rbx), %rax  # <variable>.netdev, <variable>.netdev
>         testb   $1, 72(%rax)    #, <variable>.state
>         je      .L215   #,
>         cmpl    $1, 140(%rbx)   #, <variable>.sme_state
>         jne     .L215   #,
>         movq    144(%rbx), %rax # <variable>.conn, <variable>.conn
>         movq    %rbx, %rdi      # wdev,
>         movq    8(%rax), %rax   # <variable>.params.bssid, <variable>.params.bssid
>         movl    (%rax), %edx    #* <variable>.params.bssid, tmp74
>         movl    %edx, 0(%r13)   # tmp74, bssid
>         movw    4(%rax), %ax    #, tmp75
>         movw    %ax, 4(%r13)    # tmp75, bssid
>         call    cfg80211_conn_do_work   #
> 
> ie it looks like 'conn->params.bssid' is NULL and we oops when we try to 
> load bssid from there. The code is:
> 
> 	memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN);
> 
> where ETH_ALEN is 6 bytes, so the memcpy is inlined..
> 
> And yes, that "memcpy()" was added in that buggy commit. 

Indeed, thank you. I'd analysed this before but not made the connection
with Jeff's report.

> So reverting 7d930bc33653d5592dc386a76a38f39c2e962344 is the correct thing 
> to do. Or somebody needs to fix that piece-of-shit code.

Yes ... that params.bssid was != NULL was a bad assumption in that
commit. The right thing to do is to add a check and pass NULL through,
like I did here:
http://thread.gmane.org/gmane.linux.kernel.wireless.general/41695

johannes

Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ