| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230709151356.513279-14-sashal@kernel.org>
Date: Sun, 9 Jul 2023 11:13:48 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
Cc: Gregory Greenman <gregory.greenman@...el.com>,
Johannes Berg <johannes.berg@...el.com>,
Sasha Levin <sashal@...nel.org>, kvalo@...nel.org,
avraham.stern@...el.com, ilan.peer@...el.com,
linux-wireless@...r.kernel.org
Subject: [PATCH AUTOSEL 6.3 14/22] wifi: iwlwifi: mvm: fix potential array out of bounds access
From: Gregory Greenman <gregory.greenman@...el.com>
[ Upstream commit 637452360ecde9ac972d19416e9606529576b302 ]
Account for IWL_SEC_WEP_KEY_OFFSET when needed while verifying
key_len size in iwl_mvm_sec_key_add().
Signed-off-by: Gregory Greenman <gregory.greenman@...el.com>
Link: https://lore.kernel.org/r/20230613155501.f193b7493a93.I6948ba625b9318924b96a5e22602ac75d2bd0125@changeid
Signed-off-by: Johannes Berg <johannes.berg@...el.com>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
index e27c893502f70..de288e048b2c7 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
/*
- * Copyright (C) 2022 Intel Corporation
+ * Copyright (C) 2022 - 2023 Intel Corporation
*/
#include <linux/kernel.h>
#include <net/mac80211.h>
@@ -113,9 +113,14 @@ int iwl_mvm_sec_key_add(struct iwl_mvm *mvm,
.u.add.key_flags = cpu_to_le32(key_flags),
.u.add.tx_seq = cpu_to_le64(atomic64_read(&keyconf->tx_pn)),
};
+ int max_key_len = sizeof(cmd.u.add.key);
int ret;
- if (WARN_ON(keyconf->keylen > sizeof(cmd.u.add.key)))
+ if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 ||
+ keyconf->cipher == WLAN_CIPHER_SUITE_WEP104)
+ max_key_len -= IWL_SEC_WEP_KEY_OFFSET;
+
+ if (WARN_ON(keyconf->keylen > max_key_len))
return -EINVAL;
if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 ||
--
2.39.2
Powered by blists - more mailing lists