[X][PATCH 0/1] mwifiex stops working after kernel upgrade

Wen-chien Jesse Sung jesse.sung at canonical.com
Fri Sep 25 17:19:40 UTC 2020

BugLink: https://launchpad.net/bugs/1897299

== Impact ==
Marvell WiFi cards supported by the mwifiex driver may fail to connect to some access points after a kernel upgrade.
This is caused by the commit:

commit e18696786548244914f36ec3c46ac99c53df99c3
Author: Dan Carpenter <dan.carpenter at oracle.com>
Date: Wed Jul 8 14:58:57 2020 +0300

    mwifiex: Prevent memory corruption handling keys

    The length of the key comes from the network and it's a 16 bit number. It
    needs to be capped to prevent a buffer overflow.

    Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
    Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
    Acked-by: Ganapathi Bhat <ganapathi.bhat at nxp.com>
    Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
    Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda

The commit added a check to mwifiex_ret_802_11_key_material_v2() to make sure the key length isn't larger than the key buffer size before copying it. The allocated key buffer is 16 bytes long. In some cases the key would be 32 bytes long and hence the check fails. One thing to note is that this commit is not the cause of the problem; instead, it just makes the issue visible.

The commit is included in Ubuntu-4.4.0-190.220, Ubuntu-4.15.0-119.120, Ubuntu-5.4.0-48.52, and Ubuntu-5.8.0-18.19.

== Fix ==
There's already a fix in the mainline which increases the key buffer size to 32 bytes:

commit 4afc850e2e9e781976fb2c7852ce7bac374af938
Author: Maximilian Luz <luzmaximilian at gmail.com>
Date: Tue Aug 25 17:38:29 2020 +0200

    mwifiex: Increase AES key storage size to 256 bits

    Following commit e18696786548 ("mwifiex: Prevent memory corruption
    handling keys") the mwifiex driver fails to authenticate with certain
    networks, specifically networks with 256 bit keys, and repeatedly asks
    for the password. The kernel log repeats the following lines (id and
    bssid redacted):

        mwifiex_pcie 0000:01:00.0: info: trying to associate to '<id>' bssid <bssid>
        mwifiex_pcie 0000:01:00.0: info: associated to bssid <bssid> successfully
        mwifiex_pcie 0000:01:00.0: crypto keys added
        mwifiex_pcie 0000:01:00.0: info: successfully disconnected from <bssid>: reason code 3

    Tracking down this problem led to the overflow check introduced by the
    aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
    check fails on networks with 256 bit keys due to the current storage
    size for AES keys in struct mwifiex_aes_param being only 128 bit.

    To fix this issue, increase the storage size for AES keys to 256 bit.

    Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys")
    Signed-off-by: Maximilian Luz <luzmaximilian at gmail.com>
    Reported-by: Kaloyan Nikolov <konik98 at gmail.com>
    Tested-by: Kaloyan Nikolov <konik98 at gmail.com>
    Reviewed-by: Dan Carpenter <dan.carpenter at oracle.com>
    Reviewed-by: Brian Norris <briannorris at chromium.org>
    Tested-by: Brian Norris <briannorris at chromium.org>
    Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
    Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.com

== Regression Potential ==
Low. While the fix increases the buffer size, it still checks and makes sure the data to be copied can fit into the buffer. Also the commit does fix the issue we saw in the Cert lab.

Maximilian Luz (1):
  mwifiex: Increase AES key storage size to 256 bits

 drivers/net/wireless/mwifiex/fw.h          | 2 +-
 drivers/net/wireless/mwifiex/sta_cmdresp.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
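
A user-space model of the length cap discussed in this message, added here as an example that is not part of the original post and is not the driver's code. The struct, the function names and the length-prefixed response layout are assumptions for illustration; it shows a 16-byte cap rejecting a 32-byte key, and 32-byte storage accepting it while still refusing larger lengths.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model; every name and the wire layout are hypothetical. */
#define KEY_MAX 32                  /* largest storage modelled (256 bits) */

struct key_store {
    uint8_t key[KEY_MAX];
    size_t  capacity;               /* 16 before the fix, 32 after; <= KEY_MAX */
};

/* resp = 16-bit little-endian key length, then the key bytes (constructed).
 * Returns 0 when the key was stored, -1 when it was rejected. */
static int store_key(struct key_store *ks, const uint8_t *resp, size_t resp_len)
{
    if (resp_len < 2)
        return -1;
    uint16_t key_len = (uint16_t)(resp[0] | (resp[1] << 8));
    if (key_len > resp_len - 2)     /* claims more bytes than were received */
        return -1;
    if (key_len > ks->capacity)     /* the cap: never copy past the storage */
        return -1;
    memset(ks->key, 0, sizeof(ks->key));
    memcpy(ks->key, resp + 2, key_len);
    return 0;
}

/* Build a constructed response that claims `claimed` key bytes (at most 64
 * are really present) and try to store it with the given capacity. */
static int try_key(size_t capacity, uint16_t claimed)
{
    uint8_t resp[2 + 64];
    struct key_store ks = { .capacity = capacity };
    size_t present = claimed < 64 ? claimed : 64;

    memset(resp, 0xA5, sizeof(resp));
    resp[0] = (uint8_t)(claimed & 0xff);
    resp[1] = (uint8_t)(claimed >> 8);
    return store_key(&ks, resp, 2 + present);
}

int main(void)
{
    printf("16-byte storage, 32-byte key: %d\n", try_key(16, 32));
    printf("32-byte storage, 32-byte key: %d\n", try_key(32, 32));
    printf("32-byte storage, 33-byte key: %d\n", try_key(32, 33));
    return 0;
}
```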


