| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 May 2021 16:41:58 +0200
From: Fabio Aiuto <fabioaiuto83@...il.com>
To: gregkh@...uxfoundation.org
Cc: linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org,
kernel test robot <lkp@...el.com>
Subject: [PATCH] staging: rtl8723bs: moved contexts for arc4 encryption in struct security_priv
moved struct arc4_ctx in struct security_priv to avoid stack allocation
inside encryption routines.
this has been done to fix the following 0-DAY issues:
>> drivers/staging/rtl8723bs/core/rtw_security.c:89:6: warning:
stack frame size of 1120 bytes in function 'rtw_wep_encrypt'
[-Wframe-$
void rtw_wep_encrypt(struct adapter *padapter, u8 *pxmitframe)
^
>> drivers/staging/rtl8723bs/core/rtw_security.c:145:6:
warning: stack frame size of 1088 bytes in function 'rtw_wep_decrypt'
[-Wframe$
void rtw_wep_decrypt(struct adapter *padapter, u8 *precvframe)
^
>> drivers/staging/rtl8723bs/core/rtw_security.c:514:5:
warning: stack frame size of 1136 bytes in function 'rtw_tkip_encrypt'
[-Wfram$
u32 rtw_tkip_encrypt(struct adapter *padapter, u8 *pxmitframe)
^
>> drivers/staging/rtl8723bs/core/rtw_security.c:586:5:
warning: stack frame size of 1104 bytes in function 'rtw_tkip_decrypt'
[-Wfram$
u32 rtw_tkip_decrypt(struct adapter *padapter, u8 *precvframe)
^
Reported-by: kernel test robot <lkp@...el.com>
Signed-off-by: Fabio Aiuto <fabioaiuto83@...il.com>
---
drivers/staging/rtl8723bs/core/rtw_security.c | 41 +++++++++----------
.../staging/rtl8723bs/include/rtw_security.h | 3 ++
2 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_security.c b/drivers/staging/rtl8723bs/core/rtw_security.c
index 5ff8926c1865..a99f439328f1 100644
--- a/drivers/staging/rtl8723bs/core/rtw_security.c
+++ b/drivers/staging/rtl8723bs/core/rtw_security.c
@@ -8,7 +8,6 @@
#include <drv_types.h>
#include <rtw_debug.h>
#include <crypto/aes.h>
-#include <crypto/arc4.h>
static const char * const _security_type_str[] = {
"N/A",
@@ -38,7 +37,6 @@ void rtw_wep_encrypt(struct adapter *padapter, u8 *pxmitframe)
{ /* exclude ICV */
unsigned char crc[4];
- struct arc4_ctx mycontext;
signed int curfragnum, length;
u32 keylength;
@@ -49,6 +47,7 @@ void rtw_wep_encrypt(struct adapter *padapter, u8 *pxmitframe)
struct pkt_attrib *pattrib = &((struct xmit_frame *)pxmitframe)->attrib;
struct security_priv *psecuritypriv = &padapter->securitypriv;
struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
+ struct arc4_ctx *ctx = &psecuritypriv->xmit_arc4_ctx;
if (((struct xmit_frame *)pxmitframe)->buf_addr == NULL)
return;
@@ -72,16 +71,16 @@ void rtw_wep_encrypt(struct adapter *padapter, u8 *pxmitframe)
*((__le32 *)crc) = ~crc32_le(~0, payload, length);
- arc4_setkey(&mycontext, wepkey, 3 + keylength);
- arc4_crypt(&mycontext, payload, payload, length);
- arc4_crypt(&mycontext, payload + length, crc, 4);
+ arc4_setkey(ctx, wepkey, 3 + keylength);
+ arc4_crypt(ctx, payload, payload, length);
+ arc4_crypt(ctx, payload + length, crc, 4);
} else {
length = pxmitpriv->frag_len-pattrib->hdrlen-pattrib->iv_len-pattrib->icv_len;
*((__le32 *)crc) = ~crc32_le(~0, payload, length);
- arc4_setkey(&mycontext, wepkey, 3 + keylength);
- arc4_crypt(&mycontext, payload, payload, length);
- arc4_crypt(&mycontext, payload + length, crc, 4);
+ arc4_setkey(ctx, wepkey, 3 + keylength);
+ arc4_crypt(ctx, payload, payload, length);
+ arc4_crypt(ctx, payload + length, crc, 4);
pframe += pxmitpriv->frag_len;
pframe = (u8 *)round_up((SIZE_PTR)(pframe), 4);
@@ -94,13 +93,13 @@ void rtw_wep_decrypt(struct adapter *padapter, u8 *precvframe)
{
/* exclude ICV */
u8 crc[4];
- struct arc4_ctx mycontext;
signed int length;
u32 keylength;
u8 *pframe, *payload, *iv, wepkey[16];
u8 keyindex;
struct rx_pkt_attrib *prxattrib = &(((union recv_frame *)precvframe)->u.hdr.attrib);
struct security_priv *psecuritypriv = &padapter->securitypriv;
+ struct arc4_ctx *ctx = &psecuritypriv->recv_arc4_ctx;
pframe = (unsigned char *)((union recv_frame *)precvframe)->u.hdr.rx_data;
@@ -118,8 +117,8 @@ void rtw_wep_decrypt(struct adapter *padapter, u8 *precvframe)
payload = pframe+prxattrib->iv_len+prxattrib->hdrlen;
/* decrypt payload include icv */
- arc4_setkey(&mycontext, wepkey, 3 + keylength);
- arc4_crypt(&mycontext, payload, payload, length);
+ arc4_setkey(ctx, wepkey, 3 + keylength);
+ arc4_crypt(ctx, payload, payload, length);
/* calculate icv and compare the icv */
*((u32 *)crc) = le32_to_cpu(~crc32_le(~0, payload, length - 4));
@@ -467,7 +466,6 @@ u32 rtw_tkip_encrypt(struct adapter *padapter, u8 *pxmitframe)
u8 ttkey[16];
u8 crc[4];
u8 hw_hdr_offset = 0;
- struct arc4_ctx mycontext;
signed int curfragnum, length;
u8 *pframe, *payload, *iv, *prwskey;
@@ -475,6 +473,7 @@ u32 rtw_tkip_encrypt(struct adapter *padapter, u8 *pxmitframe)
struct pkt_attrib *pattrib = &((struct xmit_frame *)pxmitframe)->attrib;
struct security_priv *psecuritypriv = &padapter->securitypriv;
struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
+ struct arc4_ctx *ctx = &psecuritypriv->xmit_arc4_ctx;
u32 res = _SUCCESS;
if (((struct xmit_frame *)pxmitframe)->buf_addr == NULL)
@@ -509,17 +508,17 @@ u32 rtw_tkip_encrypt(struct adapter *padapter, u8 *pxmitframe)
length = pattrib->last_txcmdsz-pattrib->hdrlen-pattrib->iv_len-pattrib->icv_len;
*((__le32 *)crc) = ~crc32_le(~0, payload, length);
- arc4_setkey(&mycontext, rc4key, 16);
- arc4_crypt(&mycontext, payload, payload, length);
- arc4_crypt(&mycontext, payload + length, crc, 4);
+ arc4_setkey(ctx, rc4key, 16);
+ arc4_crypt(ctx, payload, payload, length);
+ arc4_crypt(ctx, payload + length, crc, 4);
} else {
length = pxmitpriv->frag_len-pattrib->hdrlen-pattrib->iv_len-pattrib->icv_len;
*((__le32 *)crc) = ~crc32_le(~0, payload, length);
- arc4_setkey(&mycontext, rc4key, 16);
- arc4_crypt(&mycontext, payload, payload, length);
- arc4_crypt(&mycontext, payload + length, crc, 4);
+ arc4_setkey(ctx, rc4key, 16);
+ arc4_crypt(ctx, payload, payload, length);
+ arc4_crypt(ctx, payload + length, crc, 4);
pframe += pxmitpriv->frag_len;
pframe = (u8 *)round_up((SIZE_PTR)(pframe), 4);
@@ -539,7 +538,6 @@ u32 rtw_tkip_decrypt(struct adapter *padapter, u8 *precvframe)
u8 rc4key[16];
u8 ttkey[16];
u8 crc[4];
- struct arc4_ctx mycontext;
signed int length;
u8 *pframe, *payload, *iv, *prwskey;
@@ -547,6 +545,7 @@ u32 rtw_tkip_decrypt(struct adapter *padapter, u8 *precvframe)
struct sta_info *stainfo;
struct rx_pkt_attrib *prxattrib = &((union recv_frame *)precvframe)->u.hdr.attrib;
struct security_priv *psecuritypriv = &padapter->securitypriv;
+ struct arc4_ctx *ctx = &psecuritypriv->recv_arc4_ctx;
u32 res = _SUCCESS;
pframe = (unsigned char *)((union recv_frame *)precvframe)->u.hdr.rx_data;
@@ -616,8 +615,8 @@ u32 rtw_tkip_decrypt(struct adapter *padapter, u8 *precvframe)
/* 4 decrypt payload include icv */
- arc4_setkey(&mycontext, rc4key, 16);
- arc4_crypt(&mycontext, payload, payload, length);
+ arc4_setkey(ctx, rc4key, 16);
+ arc4_crypt(ctx, payload, payload, length);
*((u32 *)crc) = le32_to_cpu(~crc32_le(~0, payload, length - 4));
diff --git a/drivers/staging/rtl8723bs/include/rtw_security.h b/drivers/staging/rtl8723bs/include/rtw_security.h
index 83b711c5df0b..a68b73858462 100644
--- a/drivers/staging/rtl8723bs/include/rtw_security.h
+++ b/drivers/staging/rtl8723bs/include/rtw_security.h
@@ -7,6 +7,7 @@
#ifndef __RTW_SECURITY_H_
#define __RTW_SECURITY_H_
+#include <crypto/arc4.h>
#define _NO_PRIVACY_ 0x0
#define _WEP40_ 0x1
@@ -127,6 +128,8 @@ struct security_priv {
u8 wps_ie[MAX_WPS_IE_LEN];/* added in assoc req */
int wps_ie_len;
+ struct arc4_ctx xmit_arc4_ctx;
+ struct arc4_ctx recv_arc4_ctx;
u8 binstallGrpkey;
u8 binstallBIPkey;
--
2.20.1
Powered by blists - more mailing lists