* [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
[not found] <20230124141856.356646-1-alexander@wetzel-home.de>
@ 2023-03-11 9:55 ` Hector Martin
2023-03-11 11:03 ` Hans de Goede
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Hector Martin @ 2023-03-11 9:55 UTC (permalink / raw)
To: Alexander Wetzel, linux-wireless, Johannes Berg, Greg Kroah-Hartman
Cc: johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML, regressions
Hi,
This broke WPA auth entirely on brcmfmac (in offload mode) and probably
others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
revert or fix. Notes below.
Reported-by: Ilya <me@0upti.me>
Reported-by: Janne Grunau <j@jannau.net>
#regzbot introduced: 015b8cc5e7c4d7
#regzbot monitor:
https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/
On 24/01/2023 23.18, Alexander Wetzel wrote:
> Key information in wext.connect is not reset on (re)connect and can hold
> data from a previous connection.
>
> Reset key data to avoid that drivers or mac80211 incorrectly detect a
> WEP connection request and access the freed or already reused memory.
>
> Additionally optimize cfg80211_sme_connect() and avoid an useless
> schedule of conn_work.
>
> Fixes: fffd0934b939 ("cfg80211: rework key operation")
> Cc: stable@vger.kernel.org
> Link: https://lore.kernel.org/r/c80f04d2-8159-a02a-9287-26e5ec838826@wetzel-home.de
> Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
>
> ---
> V2 changes:
> - updated comment
> - reset more key data
>
> ---
> net/wireless/sme.c | 31 ++++++++++++++++++++++++++-----
> 1 file changed, 26 insertions(+), 5 deletions(-)
>
> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
> index 123248b2c0be..0cc841c0c59b 100644
> --- a/net/wireless/sme.c
> +++ b/net/wireless/sme.c
[snip]
> @@ -1464,6 +1476,15 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
This if branch only fires if the connection is WEP.
> } else {
> if (WARN_ON(connkeys))
> return -EINVAL;
> +
> + /* connect can point to wdev->wext.connect which
> + * can hold key data from a previous connection
> + */
> + connect->key = NULL;
> + connect->key_len = 0;
> + connect->key_idx = 0;
And these are indeed only used by WEP.
> + connect->crypto.cipher_group = 0;
> + connect->crypto.n_ciphers_pairwise = 0;
But here you're killing the info that is used for *other* auth modes too
if !WEP, breaking WPA and everything else.
> }
>
> wdev->connect_keys = connkeys;
- Hector
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
2023-03-11 9:55 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Hector Martin
@ 2023-03-11 11:03 ` Hans de Goede
2023-03-11 12:30 ` Greg Kroah-Hartman
2023-03-11 14:19 ` [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Hector Martin
2023-03-13 14:18 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Linux regression tracking #update (Thorsten Leemhuis)
2 siblings, 1 reply; 8+ messages in thread
From: Hans de Goede @ 2023-03-11 11:03 UTC (permalink / raw)
To: Hector Martin, Alexander Wetzel, linux-wireless, Johannes Berg,
Greg Kroah-Hartman
Cc: johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML, regressions
Hi Hector,
On 3/11/23 10:55, Hector Martin wrote:
> Hi,
>
> This broke WPA auth entirely on brcmfmac (in offload mode) and probably
> others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
> revert or fix. Notes below.
>
> Reported-by: Ilya <me@0upti.me>
> Reported-by: Janne Grunau <j@jannau.net>
>
> #regzbot introduced: 015b8cc5e7c4d7
> #regzbot monitor:
> https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/
I can confirm this bug, I was seeing broken wifi on brcmfmac with 6.3-rc1
and I was about to start a git bisect for this this morning when I saw
this email.
Reverting 015b8cc5e7c4d7 fixes the broken wifi. Hector, thank you, you
just saved me from a bisect on somewhat slow hardware :)
Regards,
Hans
>
> On 24/01/2023 23.18, Alexander Wetzel wrote:
>> Key information in wext.connect is not reset on (re)connect and can hold
>> data from a previous connection.
>>
>> Reset key data to avoid that drivers or mac80211 incorrectly detect a
>> WEP connection request and access the freed or already reused memory.
>>
>> Additionally optimize cfg80211_sme_connect() and avoid an useless
>> schedule of conn_work.
>>
>> Fixes: fffd0934b939 ("cfg80211: rework key operation")
>> Cc: stable@vger.kernel.org
>> Link: https://lore.kernel.org/r/c80f04d2-8159-a02a-9287-26e5ec838826@wetzel-home.de
>> Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
>>
>> ---
>> V2 changes:
>> - updated comment
>> - reset more key data
>>
>> ---
>> net/wireless/sme.c | 31 ++++++++++++++++++++++++++-----
>> 1 file changed, 26 insertions(+), 5 deletions(-)
>>
>> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
>> index 123248b2c0be..0cc841c0c59b 100644
>> --- a/net/wireless/sme.c
>> +++ b/net/wireless/sme.c
> [snip]
>> @@ -1464,6 +1476,15 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
>
> This if branch only fires if the connection is WEP.
>
>> } else {
>> if (WARN_ON(connkeys))
>> return -EINVAL;
>> +
>> + /* connect can point to wdev->wext.connect which
>> + * can hold key data from a previous connection
>> + */
>> + connect->key = NULL;
>> + connect->key_len = 0;
>> + connect->key_idx = 0;
>
> And these are indeed only used by WEP.
>
>> + connect->crypto.cipher_group = 0;
>> + connect->crypto.n_ciphers_pairwise = 0;
>
> But here you're killing the info that is used for *other* auth modes too
> if !WEP, breaking WPA and everything else.
>
>> }
>>
>> wdev->connect_keys = connkeys;
>
> - Hector
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
2023-03-11 11:03 ` Hans de Goede
@ 2023-03-11 12:30 ` Greg Kroah-Hartman
0 siblings, 0 replies; 8+ messages in thread
From: Greg Kroah-Hartman @ 2023-03-11 12:30 UTC (permalink / raw)
To: Hans de Goede
Cc: Hector Martin, Alexander Wetzel, linux-wireless, Johannes Berg,
johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML,
regressions
On Sat, Mar 11, 2023 at 12:03:44PM +0100, Hans de Goede wrote:
> Hi Hector,
>
> On 3/11/23 10:55, Hector Martin wrote:
> > Hi,
> >
> > This broke WPA auth entirely on brcmfmac (in offload mode) and probably
> > others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
> > revert or fix. Notes below.
> >
> > Reported-by: Ilya <me@0upti.me>
> > Reported-by: Janne Grunau <j@jannau.net>
> >
> > #regzbot introduced: 015b8cc5e7c4d7
> > #regzbot monitor:
> > https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/
>
> I can confirm this bug, I was seeing broken wifi on brcmfmac with 6.3-rc1
> and I was about to start a git bisect for this this morning when I saw
> this email.
>
> Reverting 015b8cc5e7c4d7 fixes the broken wifi. Hector, thank you, you
> just saved me from a bisect on somewhat slow hardware :)
Great, can someone submit the revert patch to the networking tree so we
can get this resolved quickly?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-11 9:55 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Hector Martin
2023-03-11 11:03 ` Hans de Goede
@ 2023-03-11 14:19 ` Hector Martin
2023-03-11 14:22 ` Janne Grunau
2023-03-11 14:31 ` Eric Curtin
2023-03-13 14:18 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Linux regression tracking #update (Thorsten Leemhuis)
2 siblings, 2 replies; 8+ messages in thread
From: Hector Martin @ 2023-03-11 14:19 UTC (permalink / raw)
To: Greg Kroah-Hartman, Johannes Berg, Johannes Berg,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Alexander Wetzel
Cc: Ilya, Janne Grunau, Hans de Goede, linux-wireless, netdev,
linux-kernel, stable, regressions, asahi, Hector Martin
This reverts part of commit 015b8cc5e7c4 ("wifi: cfg80211: Fix use after
free for wext")
This commit broke WPA offload by unconditionally clearing the crypto
modes for non-WEP connections. Drop that part of the patch.
Fixes: 015b8cc5e7c4 ("wifi: cfg80211: Fix use after free for wext")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/linux-wireless/ZAx0TWRBlGfv7pNl@kroah.com/T/#m11e6e0915ab8fa19ce8bc9695ab288c0fe018edf
Signed-off-by: Hector Martin <marcan@marcan.st>
---
net/wireless/sme.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 28ce13840a88..7bdeb8eea92d 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -1500,8 +1500,6 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
connect->key = NULL;
connect->key_len = 0;
connect->key_idx = 0;
- connect->crypto.cipher_group = 0;
- connect->crypto.n_ciphers_pairwise = 0;
}
wdev->connect_keys = connkeys;
--
2.35.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-11 14:19 ` [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Hector Martin
@ 2023-03-11 14:22 ` Janne Grunau
2023-03-11 14:31 ` Eric Curtin
1 sibling, 0 replies; 8+ messages in thread
From: Janne Grunau @ 2023-03-11 14:22 UTC (permalink / raw)
To: Hector Martin
Cc: Greg Kroah-Hartman, Johannes Berg, Johannes Berg,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Alexander Wetzel, Ilya, Hans de Goede, linux-wireless, netdev,
linux-kernel, stable, regressions, asahi
On 2023-03-11 23:19:14 +0900, Hector Martin wrote:
> This reverts part of commit 015b8cc5e7c4 ("wifi: cfg80211: Fix use after
> free for wext")
>
> This commit broke WPA offload by unconditionally clearing the crypto
> modes for non-WEP connections. Drop that part of the patch.
>
> Fixes: 015b8cc5e7c4 ("wifi: cfg80211: Fix use after free for wext")
> Cc: stable@vger.kernel.org
> Link: https://lore.kernel.org/linux-wireless/ZAx0TWRBlGfv7pNl@kroah.com/T/#m11e6e0915ab8fa19ce8bc9695ab288c0fe018edf
> Signed-off-by: Hector Martin <marcan@marcan.st>
> ---
> net/wireless/sme.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
> index 28ce13840a88..7bdeb8eea92d 100644
> --- a/net/wireless/sme.c
> +++ b/net/wireless/sme.c
> @@ -1500,8 +1500,6 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
> connect->key = NULL;
> connect->key_len = 0;
> connect->key_idx = 0;
> - connect->crypto.cipher_group = 0;
> - connect->crypto.n_ciphers_pairwise = 0;
> }
>
> wdev->connect_keys = connkeys;
Tested-by: Janne Grunau <j@jannau.net>
thanks,
Janne
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-11 14:19 ` [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Hector Martin
2023-03-11 14:22 ` Janne Grunau
@ 2023-03-11 14:31 ` Eric Curtin
1 sibling, 0 replies; 8+ messages in thread
From: Eric Curtin @ 2023-03-11 14:31 UTC (permalink / raw)
To: Hector Martin
Cc: Greg Kroah-Hartman, Johannes Berg, Johannes Berg,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Alexander Wetzel, Ilya, Janne Grunau, Hans de Goede,
linux-wireless, netdev, linux-kernel, stable, regressions, asahi
On Sat, 11 Mar 2023 at 14:28, Hector Martin <marcan@marcan.st> wrote:
>
> This reverts part of commit 015b8cc5e7c4 ("wifi: cfg80211: Fix use after
> free for wext")
>
> This commit broke WPA offload by unconditionally clearing the crypto
> modes for non-WEP connections. Drop that part of the patch.
>
> Fixes: 015b8cc5e7c4 ("wifi: cfg80211: Fix use after free for wext")
> Cc: stable@vger.kernel.org
> Link: https://lore.kernel.org/linux-wireless/ZAx0TWRBlGfv7pNl@kroah.com/T/#m11e6e0915ab8fa19ce8bc9695ab288c0fe018edf
> Signed-off-by: Hector Martin <marcan@marcan.st>
Reviewed-by: Eric Curtin <ecurtin@redhat.com>
Is mise le meas/Regards,
Eric Curtin
> ---
> net/wireless/sme.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
> index 28ce13840a88..7bdeb8eea92d 100644
> --- a/net/wireless/sme.c
> +++ b/net/wireless/sme.c
> @@ -1500,8 +1500,6 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
> connect->key = NULL;
> connect->key_len = 0;
> connect->key_idx = 0;
> - connect->crypto.cipher_group = 0;
> - connect->crypto.n_ciphers_pairwise = 0;
> }
>
> wdev->connect_keys = connkeys;
> --
> 2.35.1
>
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
2023-03-11 9:55 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Hector Martin
2023-03-11 11:03 ` Hans de Goede
2023-03-11 14:19 ` [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Hector Martin
@ 2023-03-13 14:18 ` Linux regression tracking #update (Thorsten Leemhuis)
2 siblings, 0 replies; 8+ messages in thread
From: Linux regression tracking #update (Thorsten Leemhuis) @ 2023-03-13 14:18 UTC (permalink / raw)
To: Hector Martin, Alexander Wetzel, linux-wireless, Johannes Berg,
Greg Kroah-Hartman
Cc: johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML, regressions
[TLDR: This mail in primarily relevant for Linux kernel regression
tracking. See link in footer if these mails annoy you.]
On 11.03.23 10:55, Hector Martin wrote:
>
> This broke WPA auth entirely on brcmfmac (in offload mode) and probably
> others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
> revert or fix. Notes below.
>
> Reported-by: Ilya <me@0upti.me>
> Reported-by: Janne Grunau <j@jannau.net>
>
> #regzbot introduced: 015b8cc5e7c4d7
> #regzbot monitor:
> https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/
#regzbot fix: 79d1ed5ca7db67d48
#regzbot ignore-activity
Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)
--
Everything you wanna know about Linux kernel regression tracking:
https://linux-regtracking.leemhuis.info/about/#tldr
That page also explains what to do if mails like this annoy you.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
[not found] ` <ZA3xjPWtCHtE9pAQ@kroah.com>
@ 2023-03-12 15:46 ` Philip Müller
0 siblings, 0 replies; 8+ messages in thread
From: Philip Müller @ 2023-03-12 15:46 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: support, Hector Martin, linux-wireless, netdev, linux-kernel, stable
Ok, sorry forgot to add some CCs. Beside the reported affected kernels
by Hector, who also provided the fix, it seems the appointed patch
affects all stable releases as shown below.
On 12.03.23 22:36, Greg Kroah-Hartman wrote:
> On Sun, Mar 12, 2023 at 10:11:29PM +0700, Philip Müller wrote:
>> I see,
>>
>> however, seems we have a full house here:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/4.14.308/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/4.19.276/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/5.4.235/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/5.10.173/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/5.15.99/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/6.1.16/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/6.2.3/wifi-cfg80211-fix-use-after-free-for-wext.patch
>
> I do not understand, sorry.
>
> Also, why is this a private message? Kernel development is done in
> public please.
>
> thanks,
>
> greg k-h
--
Best, Philip
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-03-13 14:19 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20230124141856.356646-1-alexander@wetzel-home.de>
2023-03-11 9:55 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Hector Martin
2023-03-11 11:03 ` Hans de Goede
2023-03-11 12:30 ` Greg Kroah-Hartman
2023-03-11 14:19 ` [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Hector Martin
2023-03-11 14:22 ` Janne Grunau
2023-03-11 14:31 ` Eric Curtin
2023-03-13 14:18 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Linux regression tracking #update (Thorsten Leemhuis)
[not found] <1b393dfc-76be-9404-e7c9-a2f9fff215a8@manjaro.org>
[not found] ` <ZA3m5s7yfTGMVthu@kroah.com>
[not found] ` <5dc06a75-9913-8f47-a79e-38b0879808bb@manjaro.org>
[not found] ` <ZA3xjPWtCHtE9pAQ@kroah.com>
2023-03-12 15:46 ` Philip Müller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).