APPLIED: [X][PATCH 0/1] mwifiex stops working after kernel upgrade

Stefan Bader stefan.bader at canonical.com
Tue Sep 29 13:22:40 UTC 2020


On 25.09.20 19:19, Wen-chien Jesse Sung wrote:
> BugLink: https://launchpad.net/bugs/1897299
> 
> == Impact ==
> Marvell WiFi cards supported by the mwifiex driver may fail to connect to some access points after a kernel upgrade.
> This is caused by the commit
> 
> commit e18696786548244914f36ec3c46ac99c53df99c3
> Author: Dan Carpenter <dan.carpenter at oracle.com>
> Date: Wed Jul 8 14:58:57 2020 +0300
> 
>     mwifiex: Prevent memory corruption handling keys
> 
>     The length of the key comes from the network and it's a 16 bit number. It
>     needs to be capped to prevent a buffer overflow.
> 
>     Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
>     Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
>     Acked-by: Ganapathi Bhat <ganapathi.bhat at nxp.com>
>     Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
>     Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda
> 
> The commit added a check to mwifiex_ret_802_11_key_material_v2() to make sure the key length isn't larger than the key buffer size before copying it. The allocated key buffer is 16 bytes long. In some cases the key would be 32 bytes long and hence the check fails. One thing to note is that this commit is not the cause of the problem; instead, it just makes the issue visible.
> 
> The commit is included in Ubuntu-4.4.0-190.220, Ubuntu-4.15.0-119.120, Ubuntu-5.4.0-48.52, and Ubuntu-5.8.0-18.19.
> 
> == Fix ==
> There's already a fix in the mainline which increases the key buffer size to 32 bytes:
> 
> commit 4afc850e2e9e781976fb2c7852ce7bac374af938
> Author: Maximilian Luz <luzmaximilian at gmail.com>
> Date: Tue Aug 25 17:38:29 2020 +0200
> 
>     mwifiex: Increase AES key storage size to 256 bits
> 
>     Following commit e18696786548 ("mwifiex: Prevent memory corruption
>     handling keys") the mwifiex driver fails to authenticate with certain
>     networks, specifically networks with 256 bit keys, and repeatedly asks
>     for the password. The kernel log repeats the following lines (id and
>     bssid redacted):
> 
>         mwifiex_pcie 0000:01:00.0: info: trying to associate to '<id>' bssid <bssid>
>         mwifiex_pcie 0000:01:00.0: info: associated to bssid <bssid> successfully
>         mwifiex_pcie 0000:01:00.0: crypto keys added
>         mwifiex_pcie 0000:01:00.0: info: successfully disconnected from <bssid>: reason code 3
> 
>     Tracking down this problem led to the overflow check introduced by the
>     aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
>     check fails on networks with 256 bit keys due to the current storage
>     size for AES keys in struct mwifiex_aes_param being only 128 bit.
> 
>     To fix this issue, increase the storage size for AES keys to 256 bit.
> 
>     Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys")
>     Signed-off-by: Maximilian Luz <luzmaximilian at gmail.com>
>     Reported-by: Kaloyan Nikolov <konik98 at gmail.com>
>     Tested-by: Kaloyan Nikolov <konik98 at gmail.com>
>     Reviewed-by: Dan Carpenter <dan.carpenter at oracle.com>
>     Reviewed-by: Brian Norris <briannorris at chromium.org>
>     Tested-by: Brian Norris <briannorris at chromium.org>
>     Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
>     Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.com
> 
> == Regression Potential ==
> Low. While the fix increases the buffer size, it still checks and makes sure the data to be copied can fit into the buffer. Also, the commit does fix the issue we saw in the Cert lab.
> 
> 
> Maximilian Luz (1):
>   mwifiex: Increase AES key storage size to 256 bits
> 
>  drivers/net/wireless/mwifiex/fw.h          | 2 +-
>  drivers/net/wireless/mwifiex/sta_cmdresp.c | 4 ++--
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
Applied to xenial/master-next (for re-spin). Thanks.

-Stefan
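
The interaction described in the quoted cover letter, as an added example that is not part of the original thread and is not the driver's code: a length check in front of a key copy rejects a 32-byte key while the storage is 16 bytes, and accepts it once the storage is 32 bytes, while still rejecting anything larger. The message layout (16-bit little-endian length followed by key bytes) and the names store_key and build_msg are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN_AES_128 16  /* storage size before the fix, per the thread */
#define KEY_LEN_AES_256 32  /* storage size after the fix, per the thread */

/* Hypothetical response layout: 16-bit little-endian length, then key bytes.
 * Returns bytes copied, or -1 if the message is truncated or the key does
 * not fit into the destination storage. */
int store_key(uint8_t *dst, size_t dst_size, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2)
        return -1;
    uint16_t key_len = (uint16_t)(msg[0] | (msg[1] << 8));
    if (key_len > msg_len - 2)   /* length field claims more than was received */
        return -1;
    if (key_len > dst_size)      /* the bound: never copy past the storage */
        return -1;
    memset(dst, 0, dst_size);
    memcpy(dst, msg + 2, key_len);
    return (int)key_len;
}

/* Build a constructed response carrying key_len bytes of filler key data. */
size_t build_msg(uint8_t *buf, uint16_t key_len)
{
    buf[0] = key_len & 0xff;
    buf[1] = key_len >> 8;
    memset(buf + 2, 0xAB, key_len);
    return 2 + (size_t)key_len;
}

int main(void)
{
    uint8_t msg[2 + 64], small[KEY_LEN_AES_128], large[KEY_LEN_AES_256];
    uint16_t lens[] = {16, 32, 64};
    for (size_t i = 0; i < 3; i++) {
        size_t n = build_msg(msg, lens[i]);
        printf("key_len=%u  16-byte storage: %d  32-byte storage: %d\n",
               (unsigned)lens[i],
               store_key(small, sizeof small, msg, n),
               store_key(large, sizeof large, msg, n));
    }
    return 0;
}
```

The 32-byte row is the regression from the thread: the check is correct, but with 16-byte storage every 256-bit key is refused until the storage is enlarged.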
