From: Jouni Malinen <j@w1.fi>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>
Subject: Re: [PATCH 6/6] cfg80211: reduce connect key caching struct size
Date: Wed, 28 Sep 2016 23:58:55 +0300 [thread overview]
Message-ID: <20160928205855.GA27770@w1.fi> (raw)
In-Reply-To: <1473777868-32429-6-git-send-email-johannes@sipsolutions.net>
On Tue, Sep 13, 2016 at 04:44:28PM +0200, Johannes Berg wrote:
> After the previous patches, connect keys can only (correctly)
> be used for storing static WEP keys. Therefore, remove all the
> data for dealing with key index 4/5 and reduce the size of the
> key material to the maximum for WEP keys.
> diff --git a/net/wireless/core.h b/net/wireless/core.h
> struct cfg80211_cached_keys {
> - struct key_params params[6];
> - u8 data[6][WLAN_MAX_KEY_LEN];
> - int def, defmgmt;
> + struct key_params params[4];
> + u8 data[4][WLAN_KEY_LEN_WEP104];
> + int def;
> };
As noted in our irc discussion, this is not really a good thing to do.
WEXT compat code uses this structure for all ciphers, not just static
WEP keys. BIP configuration can use key index 4-5 and the key lengths
can go up to 32 bytes instead of WLAN_KEY_LEN_WEP104. In other words,
this patch should be dropped or reverted since it causes kernel panics
due to memory corruption when writing beyond this reduced size
structure.
This was found with hwsim tests and after full day of running full test
runs, a compressed form for easy triggering of the issue was found:
hostap/tests/hwsim/vm$ ./vm-run.sh wext_pmf wext_pmf wext_pmf wext_pmf wext_pmf wext_pmf
Starting test run in a virtual machine
./run-all.sh: passing the following args to run-tests.py: wext_pmf wext_pmf wext_pmf wext_pmf wext_pmf wext_pmf
START wext_pmf 1/6
PASS wext_pmf 7.384815 2016-09-28 20:36:15.644646
START wext_pmf 2/6
qemu-system-x86_64: 9pfs:virtfs_reset: One or more uncluncked fids found during reset
qemu-system-x86_64: 9pfs:virtfs_reset: One or more uncluncked fids found during reset
KERNEL CRASHED!
--
Jouni Malinen PGP id EFC895FA
next prev parent reply other threads:[~2016-09-28 20:58 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-13 14:44 [PATCH 1/6] cfg80211: disallow shared key authentication with key index 4 Johannes Berg
2016-09-13 14:44 ` [PATCH 2/6] nl80211: fix connect keys range check Johannes Berg
2016-09-13 14:44 ` [PATCH 3/6] nl80211: only allow WEP keys during connect command Johannes Berg
2016-09-13 14:44 ` [PATCH 4/6] cfg80211: wext: only allow WEP keys to be configured before connected Johannes Berg
2016-09-13 14:44 ` [PATCH 5/6] cfg80211: validate key index better Johannes Berg
2016-09-13 14:44 ` [PATCH 6/6] cfg80211: reduce connect key caching struct size Johannes Berg
2016-09-28 20:58 ` Jouni Malinen [this message]
2016-09-28 21:57 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160928205855.GA27770@w1.fi \
--to=j@w1.fi \
--cc=johannes.berg@intel.com \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.