linux-wireless.vger.kernel.org archive mirror
From: Marcel Holtmann <marcel@holtmann.org>
To: Arend Van Spriel <arend.vanspriel@broadcom.com>
Cc: Chi-Hsien Lin <Chi-Hsien.Lin@cypress.com>,
	Stefan Wahren <wahrenst@gmx.net>,
	Stanley Hsu <Stanley.Hsu@cypress.com>,
	Franky Lin <franky.lin@broadcom.com>,
	Hante Meuleman <hante.meuleman@broadcom.com>,
	Wright Feng <Wright.Feng@cypress.com>,
	"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
	"brcm80211-dev-list.pdl@broadcom.com" 
	<brcm80211-dev-list.pdl@broadcom.com>,
	brcm80211-dev-list <brcm80211-dev-list@cypress.com>,
	Jouni Malinen <j@w1.fi>
Subject: Re: wpa_supplicant 2.8 fails in brcmf_cfg80211_set_pmk
Date: Wed, 19 Jun 2019 07:26:13 +0200
Message-ID: <0ABBF42F-1C9C-4564-A27C-511026EB733C@holtmann.org>
In-Reply-To: <d0263c6f-97d0-6571-32e9-778392eafe69@broadcom.com>

Hi Arend,

>>>>>> I was able to reproduce a (maybe older) issue with 4-way handshake
>>>>>> offloading for 802.1X in the brcmfmac driver. My setup consists of
>>>>>> Raspberry Pi 3 B (current linux-next, arm64/defconfig) on STA side and a
>>>>>> Raspberry Pi 3 A+ (Linux 4.19) on AP side.
>>>>> 
>>>>> Looks like Raspberry Pi isn't the only affected platform [3], [4].
>>>>> 
>>>>> [3] - https://bugzilla.redhat.com/show_bug.cgi?id=1665608
>>>>> [4] - https://bugzilla.kernel.org/show_bug.cgi?id=202521
>>>> 
>>>> Stefan,
>>>> 
>>>> Could you please try the attached patch for your wpa_supplicant? We'll
>>>> upstream if it works for you.
>>> 
>>> I hope that someone is also providing a kernel patch to fix the issue. Hacking around a kernel issue in userspace is not enough. Fix the root cause in the kernel.
>> Marcel,
>> This is a kernel warning for invalid application PMK set actions, so the
>> fix is to only set PMK to wifi driver when 4-way is offloaded. I think
>> Arend added the WARN_ON() intentionally to catch application misuse of
>> PMK setting.
>> You may also remove the warnings with the attached patch, but let's see
>> what Arend says first.
>> Arend,
>> Any comment?
> 
> Hi Chi-Hsien, Marcel
> 
> From the kernel side I do not see an issue. In order to use 802.1X offload the NL80211_ATTR_WANT_1X_4WAY_HS flag must be set in NL80211_CMD_CONNECT. Otherwise, NL80211_CMD_SET_PMK is not accepted. The only improvement would be to document this more clearly in the "WPA/WPA2 EAPOL handshake offload" DOC section in nl80211.h.

So nl80211 is an API. And an application can use that API wrongly (be that intentionally or unintentionally); the kernel cannot just go WARN_ON and print a backtrace. That is your bug. So please handle wrong user input properly.

Frankly, I don’t get why nl80211 itself is not validating the input and this is left to the driver. I think we need an nl80211 fuzzer that really exercises this API with random values and parameters to provide invalid input.

Regards

Marcel
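
Added example, not part of the original message and not the brcmfmac or nl80211 code: a userspace C model of the behaviour the message asks for, where a SET_PMK request without the 4-way handshake offload flag is rejected with an error code instead of a warning, exercised by a small deterministic fuzzer. All names (`model_conn`, `model_set_pmk`, `model_fuzz`, `MODEL_PMK_MAX`), the length limit and the chosen errno values are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MODEL_PMK_MAX 64   /* constructed limit for this model */

/* Hypothetical per-connection state; not the brcmfmac structures. */
struct model_conn {
    int connected;      /* a connect request has completed */
    int want_1x_4way;   /* connect carried the 802.1X 4-way offload flag */
};

/*
 * Model of a SET_PMK handler. Every condition userspace can reach is
 * rejected with an errno; none of them is treated as a kernel bug
 * (no WARN_ON, no backtrace).
 */
int model_set_pmk(const struct model_conn *c, const uint8_t *pmk, size_t len)
{
    if (!c || !pmk)
        return -EINVAL;
    if (!c->connected)
        return -ENOTCONN;
    if (!c->want_1x_4way)        /* offload was never requested */
        return -EINVAL;
    if (len == 0 || len > MODEL_PMK_MAX)
        return -ERANGE;
    return 0;                    /* a driver would pass the PMK on here */
}

/* Deterministic fuzzer: returns the number of accepted calls and counts
 * accepted calls that did not satisfy the preconditions (must stay 0). */
int model_fuzz(unsigned iterations, uint32_t seed, int *violations)
{
    uint8_t pmk[2 * MODEL_PMK_MAX] = {0};
    int accepted = 0;
    *violations = 0;
    for (unsigned i = 0; i < iterations; i++) {
        seed = seed * 1664525u + 1013904223u;   /* simple LCG */
        struct model_conn c = { (seed >> 8) & 1, (seed >> 9) & 1 };
        size_t len = (seed >> 16) % (2 * MODEL_PMK_MAX + 1);
        if (model_set_pmk(&c, pmk, len) == 0) {
            accepted++;
            if (!c.connected || !c.want_1x_4way || len == 0 || len > MODEL_PMK_MAX)
                (*violations)++;
        }
    }
    return accepted;
}
```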


Thread overview: 12+ messages
2019-06-15 17:01 wpa_supplicant 2.8 fails in brcmf_cfg80211_set_pmk Stefan Wahren
2019-06-15 17:21 ` Stefan Wahren
2019-06-17  8:04   ` Chi-Hsien Lin
2019-06-17 14:33     ` Marcel Holtmann
2019-06-18  5:33       ` Chi-Hsien Lin
2019-06-18  8:27         ` Arend Van Spriel
2019-06-18 17:03           ` Stefan Wahren
2019-06-20  9:44             ` Arend Van Spriel
2019-06-19  5:26           ` Marcel Holtmann [this message]
2019-06-20 10:04             ` Arend Van Spriel
2019-06-20 18:39               ` Marcel Holtmann
2019-06-20 18:01     ` Stefan Wahren
