| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 11 Mar 2023 12:03:44 +0100
From: Hans de Goede <hdegoede@...hat.com>
To: Hector Martin <marcan@...can.st>,
Alexander Wetzel <alexander@...zel-home.de>,
linux-wireless@...r.kernel.org,
Johannes Berg <johannes.berg@...el.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: johannes@...solutions.net, stable@...r.kernel.org,
Asahi Linux <asahi@...ts.linux.dev>, Ilya <me@...ti.me>,
Janne Grunau <j@...nau.net>,
LKML <linux-kernel@...r.kernel.org>, regressions@...ts.linux.dev
Subject: Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211:
Fix use after free for wext
Hi Hector,
On 3/11/23 10:55, Hector Martin wrote:
> Hi,
>
> This broke WPA auth entirely on brcmfmac (in offload mode) and probably
> others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
> revert or fix. Notes below.
>
> Reported-by: Ilya <me@...ti.me>
> Reported-by: Janne Grunau <j@...nau.net>
>
> #regzbot introduced: 015b8cc5e7c4d7
> #regzbot monitor:
> https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/
I can confirm this bug, I was seeing broken wifi on brcmfmac with 6.3-rc1
and I was about to start a git bisect for this this morning when I saw
this email.
Reverting 015b8cc5e7c4d7 fixes the broken wifi. Hector, thank you, you
just saved me from a bisect on somewhat slow hardware :)
Regards,
Hans
>
> On 24/01/2023 23.18, Alexander Wetzel wrote:
>> Key information in wext.connect is not reset on (re)connect and can hold
>> data from a previous connection.
>>
>> Reset key data to avoid that drivers or mac80211 incorrectly detect a
>> WEP connection request and access the freed or already reused memory.
>>
>> Additionally optimize cfg80211_sme_connect() and avoid an useless
>> schedule of conn_work.
>>
>> Fixes: fffd0934b939 ("cfg80211: rework key operation")
>> Cc: stable@...r.kernel.org
>> Link: https://lore.kernel.org/r/c80f04d2-8159-a02a-9287-26e5ec838826@wetzel-home.de
>> Signed-off-by: Alexander Wetzel <alexander@...zel-home.de>
>>
>> ---
>> V2 changes:
>> - updated comment
>> - reset more key data
>>
>> ---
>> net/wireless/sme.c | 31 ++++++++++++++++++++++++++-----
>> 1 file changed, 26 insertions(+), 5 deletions(-)
>>
>> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
>> index 123248b2c0be..0cc841c0c59b 100644
>> --- a/net/wireless/sme.c
>> +++ b/net/wireless/sme.c
> [snip]
>> @@ -1464,6 +1476,15 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
>
> This if branch only fires if the connection is WEP.
>
>> } else {
>> if (WARN_ON(connkeys))
>> return -EINVAL;
>> +
>> + /* connect can point to wdev->wext.connect which
>> + * can hold key data from a previous connection
>> + */
>> + connect->key = NULL;
>> + connect->key_len = 0;
>> + connect->key_idx = 0;
>
> And these are indeed only used by WEP.
>
>> + connect->crypto.cipher_group = 0;
>> + connect->crypto.n_ciphers_pairwise = 0;
>
> But here you're killing the info that is used for *other* auth modes too
> if !WEP, breaking WPA and everything else.
>
>> }
>>
>> wdev->connect_keys = connkeys;
>
> - Hector
>
Powered by blists - more mailing lists