From: Stanislaw Gruszka <sgruszka@redhat.com>
To: "Tomáš Janoušek" <tomi@nomi.cz>
Cc: wwguy <wey-yi.w.guy@intel.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
Johannes Berg <johannes@sipsolutions.net>,
security@kernel.org
Subject: Re: iwlagn: memory corruption with WPA enterprise
Date: Tue, 14 Feb 2012 10:20:21 +0100
Message-ID: <20120214092020.GB12905@redhat.com>
In-Reply-To: <20120210180929.GA17733@nomi.cz>
On Fri, Feb 10, 2012 at 07:09:29PM +0100, Tomáš Janoušek wrote:
> For the last few months, I've happily used a 64-bit kernel and have had no
> problems whatsoever. About a week ago, I started using virtual machines in
> KVM. And today I found that I have exactly the same problem, but only _inside_
> the virtual machine. I can't reliably scp a file from the internet to my
> virtual machine. It works fine when I scp to the host, it works fine when I'm
> on a WPA-PSK network. And it happens even if I tell kvm to emulate e1000, not
> only with virtio-net. How strange is that?
>
> And while this is happening, the host is running just fine. The host has a
> 64-bit kernel with a 32-bit userspace, so if something was wrong with the
> 32-bit mode of my processor, it would've appeared on the host as well, no?
>
> It's also worth mentioning that if I build openssl with "no-asm 386", scp
> works just fine.
Good hint.
> So it doesn't look like a memory corruption after all. It
> seems as if certain CPU instructions didn't work properly if running on a
> 32-bit kernel with a WiFi adapter doing something. But how can it be
> that those same CPU instructions work on a 64-bit host with 32-bit userspace?
> At the same time! That's just completely insane, and I can't think of an
> explanation. Shall I get a new CPU perhaps? :-)
>
>
> Please, give me any ideas that you might have.
That makes sense! Your "CPU instructions break things" theory sounds crazy,
but I think it's logical. WPA enterprise differs from WPA-PSK (pre-shared
key) in that the key is changed periodically; SSL is used when keys are changed
(via wpa_supplicant). So it looks like 32-bit openssl generates object code
that triggers a bug on the CPU, which crashes other processes.
Please forward details about this issue to security@kernel.org and the proper
vendor engineer in a non-public manner, as this hw bug could possibly be
exploitable (a hardware bug cannot be fixed, but the kernel could disable the
appropriate functionality or use some other workaround).
Thanks
Stanislaw