lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <d6851c2b-7966-6cb4-a51c-7268c60e0a86@marcan.st>
Date:   Sat, 11 Mar 2023 18:55:59 +0900
From:   Hector Martin <marcan@...can.st>
To:     Alexander Wetzel <alexander@...zel-home.de>,
        linux-wireless@...r.kernel.org,
        Johannes Berg <johannes.berg@...el.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     johannes@...solutions.net, stable@...r.kernel.org,
        Asahi Linux <asahi@...ts.linux.dev>, Ilya <me@...ti.me>,
        Janne Grunau <j@...nau.net>,
        LKML <linux-kernel@...r.kernel.org>, regressions@...ts.linux.dev
Subject: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix
 use after free for wext

Hi,

This broke WPA auth entirely on brcmfmac (in offload mode) and probably
others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
revert or fix. Notes below.

Reported-by: Ilya <me@...ti.me>
Reported-by: Janne Grunau <j@...nau.net>

#regzbot introduced: 015b8cc5e7c4d7
#regzbot monitor:
https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/

On 24/01/2023 23.18, Alexander Wetzel wrote:
> Key information in wext.connect is not reset on (re)connect and can hold
> data from a previous connection.
> 
> Reset key data to avoid that drivers or mac80211 incorrectly detect a
> WEP connection request and access the freed or already reused memory.
> 
> Additionally optimize cfg80211_sme_connect() and avoid an useless
> schedule of conn_work.
> 
> Fixes: fffd0934b939 ("cfg80211: rework key operation")
> Cc: stable@...r.kernel.org
> Link: https://lore.kernel.org/r/c80f04d2-8159-a02a-9287-26e5ec838826@wetzel-home.de
> Signed-off-by: Alexander Wetzel <alexander@...zel-home.de>
> 
> ---
> V2 changes:
> - updated comment
> - reset more key data
> 
> ---
>  net/wireless/sme.c | 31 ++++++++++++++++++++++++++-----
>  1 file changed, 26 insertions(+), 5 deletions(-)
> 
> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
> index 123248b2c0be..0cc841c0c59b 100644
> --- a/net/wireless/sme.c
> +++ b/net/wireless/sme.c
[snip]
> @@ -1464,6 +1476,15 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,

This if branch only fires if the connection is WEP.

>  	} else {
>  		if (WARN_ON(connkeys))
>  			return -EINVAL;
> +
> +		/* connect can point to wdev->wext.connect which
> +		 * can hold key data from a previous connection
> +		 */
> +		connect->key = NULL;
> +		connect->key_len = 0;
> +		connect->key_idx = 0;

And these are indeed only used by WEP.

> +		connect->crypto.cipher_group = 0;
> +		connect->crypto.n_ciphers_pairwise = 0;

But here you're killing the info that is used for *other* auth modes too
if !WEP, breaking WPA and everything else.

>  	}
>  
>  	wdev->connect_keys = connkeys;

- Hector

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ