linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
       [not found]     ` <ZA3xjPWtCHtE9pAQ@kroah.com>
@ 2023-03-12 15:46       ` Philip Müller
  0 siblings, 0 replies; 5+ messages in thread
From: Philip Müller @ 2023-03-12 15:46 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: support, Hector Martin, linux-wireless, netdev, linux-kernel, stable

Ok, sorry forgot to add some CCs. Beside the reported affected kernels 
by Hector, who also provided the fix, it seems the appointed patch 
affects all stable releases as shown below.

On 12.03.23 22:36, Greg Kroah-Hartman wrote:
> On Sun, Mar 12, 2023 at 10:11:29PM +0700, Philip Müller wrote:
>> I see,
>>
>> however, seems we have a full house here:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/4.14.308/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/4.19.276/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/5.4.235/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/5.10.173/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/5.15.99/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/6.1.16/wifi-cfg80211-fix-use-after-free-for-wext.patch
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/releases/6.2.3/wifi-cfg80211-fix-use-after-free-for-wext.patch
> 
> I do not understand, sorry.
> 
> Also, why is this a private message?  Kernel development is done in
> public please.
> 
> thanks,
> 
> greg k-h

-- 
Best, Philip


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
  2023-03-11  9:55 ` Hector Martin
  2023-03-11 11:03   ` Hans de Goede
@ 2023-03-13 14:18   ` Linux regression tracking #update (Thorsten Leemhuis)
  1 sibling, 0 replies; 5+ messages in thread
From: Linux regression tracking #update (Thorsten Leemhuis) @ 2023-03-13 14:18 UTC (permalink / raw)
  To: Hector Martin, Alexander Wetzel, linux-wireless, Johannes Berg,
	Greg Kroah-Hartman
  Cc: johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML, regressions

[TLDR: This mail in primarily relevant for Linux kernel regression
tracking. See link in footer if these mails annoy you.]

On 11.03.23 10:55, Hector Martin wrote:
> 
> This broke WPA auth entirely on brcmfmac (in offload mode) and probably
> others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
> revert or fix. Notes below.
> 
> Reported-by: Ilya <me@0upti.me>
> Reported-by: Janne Grunau <j@jannau.net>
> 
> #regzbot introduced: 015b8cc5e7c4d7
> #regzbot monitor:
> https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/

#regzbot fix: 79d1ed5ca7db67d48
#regzbot ignore-activity

Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)
--
Everything you wanna know about Linux kernel regression tracking:
https://linux-regtracking.leemhuis.info/about/#tldr
That page also explains what to do if mails like this annoy you.



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
  2023-03-11 11:03   ` Hans de Goede
@ 2023-03-11 12:30     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 5+ messages in thread
From: Greg Kroah-Hartman @ 2023-03-11 12:30 UTC (permalink / raw)
  To: Hans de Goede
  Cc: Hector Martin, Alexander Wetzel, linux-wireless, Johannes Berg,
	johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML,
	regressions

On Sat, Mar 11, 2023 at 12:03:44PM +0100, Hans de Goede wrote:
> Hi Hector,
> 
> On 3/11/23 10:55, Hector Martin wrote:
> > Hi,
> > 
> > This broke WPA auth entirely on brcmfmac (in offload mode) and probably
> > others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
> > revert or fix. Notes below.
> > 
> > Reported-by: Ilya <me@0upti.me>
> > Reported-by: Janne Grunau <j@jannau.net>
> > 
> > #regzbot introduced: 015b8cc5e7c4d7
> > #regzbot monitor:
> > https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/
> 
> I can confirm this bug, I was seeing broken wifi on brcmfmac with 6.3-rc1
> and I was about to start a git bisect for this this morning when I saw
> this email.
> 
> Reverting 015b8cc5e7c4d7 fixes the broken wifi. Hector, thank you, you
> just saved me from a bisect on somewhat slow hardware :)

Great, can someone submit the revert patch to the networking tree so we
can get this resolved quickly?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
  2023-03-11  9:55 ` Hector Martin
@ 2023-03-11 11:03   ` Hans de Goede
  2023-03-11 12:30     ` Greg Kroah-Hartman
  2023-03-13 14:18   ` Linux regression tracking #update (Thorsten Leemhuis)
  1 sibling, 1 reply; 5+ messages in thread
From: Hans de Goede @ 2023-03-11 11:03 UTC (permalink / raw)
  To: Hector Martin, Alexander Wetzel, linux-wireless, Johannes Berg,
	Greg Kroah-Hartman
  Cc: johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML, regressions

Hi Hector,

On 3/11/23 10:55, Hector Martin wrote:
> Hi,
> 
> This broke WPA auth entirely on brcmfmac (in offload mode) and probably
> others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
> revert or fix. Notes below.
> 
> Reported-by: Ilya <me@0upti.me>
> Reported-by: Janne Grunau <j@jannau.net>
> 
> #regzbot introduced: 015b8cc5e7c4d7
> #regzbot monitor:
> https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/

I can confirm this bug, I was seeing broken wifi on brcmfmac with 6.3-rc1
and I was about to start a git bisect for this this morning when I saw
this email.

Reverting 015b8cc5e7c4d7 fixes the broken wifi. Hector, thank you, you
just saved me from a bisect on somewhat slow hardware :)

Regards,

Hans






> 
> On 24/01/2023 23.18, Alexander Wetzel wrote:
>> Key information in wext.connect is not reset on (re)connect and can hold
>> data from a previous connection.
>>
>> Reset key data to avoid that drivers or mac80211 incorrectly detect a
>> WEP connection request and access the freed or already reused memory.
>>
>> Additionally optimize cfg80211_sme_connect() and avoid an useless
>> schedule of conn_work.
>>
>> Fixes: fffd0934b939 ("cfg80211: rework key operation")
>> Cc: stable@vger.kernel.org
>> Link: https://lore.kernel.org/r/c80f04d2-8159-a02a-9287-26e5ec838826@wetzel-home.de
>> Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
>>
>> ---
>> V2 changes:
>> - updated comment
>> - reset more key data
>>
>> ---
>>  net/wireless/sme.c | 31 ++++++++++++++++++++++++++-----
>>  1 file changed, 26 insertions(+), 5 deletions(-)
>>
>> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
>> index 123248b2c0be..0cc841c0c59b 100644
>> --- a/net/wireless/sme.c
>> +++ b/net/wireless/sme.c
> [snip]
>> @@ -1464,6 +1476,15 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
> 
> This if branch only fires if the connection is WEP.
> 
>>  	} else {
>>  		if (WARN_ON(connkeys))
>>  			return -EINVAL;
>> +
>> +		/* connect can point to wdev->wext.connect which
>> +		 * can hold key data from a previous connection
>> +		 */
>> +		connect->key = NULL;
>> +		connect->key_len = 0;
>> +		connect->key_idx = 0;
> 
> And these are indeed only used by WEP.
> 
>> +		connect->crypto.cipher_group = 0;
>> +		connect->crypto.n_ciphers_pairwise = 0;
> 
> But here you're killing the info that is used for *other* auth modes too
> if !WEP, breaking WPA and everything else.
> 
>>  	}
>>  
>>  	wdev->connect_keys = connkeys;
> 
> - Hector
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
       [not found] <20230124141856.356646-1-alexander@wetzel-home.de>
@ 2023-03-11  9:55 ` Hector Martin
  2023-03-11 11:03   ` Hans de Goede
  2023-03-13 14:18   ` Linux regression tracking #update (Thorsten Leemhuis)
  0 siblings, 2 replies; 5+ messages in thread
From: Hector Martin @ 2023-03-11  9:55 UTC (permalink / raw)
  To: Alexander Wetzel, linux-wireless, Johannes Berg, Greg Kroah-Hartman
  Cc: johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML, regressions

Hi,

This broke WPA auth entirely on brcmfmac (in offload mode) and probably
others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
revert or fix. Notes below.

Reported-by: Ilya <me@0upti.me>
Reported-by: Janne Grunau <j@jannau.net>

#regzbot introduced: 015b8cc5e7c4d7
#regzbot monitor:
https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/

On 24/01/2023 23.18, Alexander Wetzel wrote:
> Key information in wext.connect is not reset on (re)connect and can hold
> data from a previous connection.
> 
> Reset key data to avoid that drivers or mac80211 incorrectly detect a
> WEP connection request and access the freed or already reused memory.
> 
> Additionally optimize cfg80211_sme_connect() and avoid an useless
> schedule of conn_work.
> 
> Fixes: fffd0934b939 ("cfg80211: rework key operation")
> Cc: stable@vger.kernel.org
> Link: https://lore.kernel.org/r/c80f04d2-8159-a02a-9287-26e5ec838826@wetzel-home.de
> Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
> 
> ---
> V2 changes:
> - updated comment
> - reset more key data
> 
> ---
>  net/wireless/sme.c | 31 ++++++++++++++++++++++++++-----
>  1 file changed, 26 insertions(+), 5 deletions(-)
> 
> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
> index 123248b2c0be..0cc841c0c59b 100644
> --- a/net/wireless/sme.c
> +++ b/net/wireless/sme.c
[snip]
> @@ -1464,6 +1476,15 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,

This if branch only fires if the connection is WEP.

>  	} else {
>  		if (WARN_ON(connkeys))
>  			return -EINVAL;
> +
> +		/* connect can point to wdev->wext.connect which
> +		 * can hold key data from a previous connection
> +		 */
> +		connect->key = NULL;
> +		connect->key_len = 0;
> +		connect->key_idx = 0;

And these are indeed only used by WEP.

> +		connect->crypto.cipher_group = 0;
> +		connect->crypto.n_ciphers_pairwise = 0;

But here you're killing the info that is used for *other* auth modes too
if !WEP, breaking WPA and everything else.

>  	}
>  
>  	wdev->connect_keys = connkeys;

- Hector

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-03-13 14:19 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <1b393dfc-76be-9404-e7c9-a2f9fff215a8@manjaro.org>
     [not found] ` <ZA3m5s7yfTGMVthu@kroah.com>
     [not found]   ` <5dc06a75-9913-8f47-a79e-38b0879808bb@manjaro.org>
     [not found]     ` <ZA3xjPWtCHtE9pAQ@kroah.com>
2023-03-12 15:46       ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Philip Müller
     [not found] <20230124141856.356646-1-alexander@wetzel-home.de>
2023-03-11  9:55 ` Hector Martin
2023-03-11 11:03   ` Hans de Goede
2023-03-11 12:30     ` Greg Kroah-Hartman
2023-03-13 14:18   ` Linux regression tracking #update (Thorsten Leemhuis)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).