lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240701-wilc_fix_ies_data-v1-1-7486cbacf98a@bootlin.com>
Date: Mon, 01 Jul 2024 18:23:20 +0200
From: Alexis Lothoré <alexis.lothore@...tlin.com>
To: linux-wireless@...r.kernel.org
Cc: Ajay Singh <ajay.kathat@...rochip.com>, 
 Claudiu Beznea <claudiu.beznea@...on.dev>, Kalle Valo <kvalo@...nel.org>, 
 Thomas Petazzoni <thomas.petazzoni@...tlin.com>, 
 linux-kernel@...r.kernel.org, Jozef Hopko <jozef.hopko@...ana.com>, 
 Alexis Lothoré <alexis.lothore@...tlin.com>
Subject: [PATCH wireless] wifi: wilc1000: fix ies_len type in connect path

From: Jozef Hopko <jozef.hopko@...ana.com>

Commit 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
made sure that the IEs data was manipulated under the relevant RCU section.
Unfortunately, while doing so, the commit brought a faulty implicit cast
from int to u8 on the ies_len variable, making the parsing fail to be
performed correctly if the IEs block is larger than 255 bytes. This failure
can be observed with Access Points appending a lot of IEs TLVs in their
beacon frames (reproduced with a Pixel phone acting as an Access Point,
which brough 273 bytes of IE data in my testing environment).

Fix IEs parsing by removing this undesired implicit cast.

Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
Signed-off-by: Jozef Hopko <jozef.hopko@...ana.com>
Signed-off-by: Alexis Lothoré <alexis.lothore@...tlin.com>
---
The issue has been initially detected by Jozef Hopko, and the resulting
patch is also from him. He asked me to upstream it on his behalf. I have
successfuly reproduced the same issue and confirmed that the patch indeed
fixes the connection to the AP I used. The only update I did is about
adding details about the issue in commit message and fixing whitespaces.
The issue has been disclosed to me directly through private mail, so I have
no relevant Reported-By/Closes tag to provide. I am not sure however why I
do not manage to make sparse detect this faulty cast.
---
 drivers/net/wireless/microchip/wilc1000/hif.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c
index d67293142ffb..3c48e1a57b24 100644
--- a/drivers/net/wireless/microchip/wilc1000/hif.c
+++ b/drivers/net/wireless/microchip/wilc1000/hif.c
@@ -382,7 +382,8 @@ wilc_parse_join_bss_param(struct cfg80211_bss *bss,
 	struct ieee80211_p2p_noa_attr noa_attr;
 	const struct cfg80211_bss_ies *ies;
 	struct wilc_join_bss_param *param;
-	u8 rates_len = 0, ies_len;
+	u8 rates_len = 0;
+	int ies_len;
 	int ret;
 
 	param = kzalloc(sizeof(*param), GFP_KERNEL);

---
base-commit: 21cfb73516c112f0cf0d3ebd3e4bdfbadc819576
change-id: 20240701-wilc_fix_ies_data-22226322ee7c

Best regards,
-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ