* [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
[not found] <20230124141856.356646-1-alexander@wetzel-home.de>
@ 2023-03-11 9:55 ` Hector Martin
2023-03-11 11:03 ` Hans de Goede
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Hector Martin @ 2023-03-11 9:55 UTC (permalink / raw)
To: Alexander Wetzel, linux-wireless, Johannes Berg, Greg Kroah-Hartman
Cc: johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML, regressions
Hi,
This broke WPA auth entirely on brcmfmac (in offload mode) and probably
others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
revert or fix. Notes below.
Reported-by: Ilya <me@0upti.me>
Reported-by: Janne Grunau <j@jannau.net>
#regzbot introduced: 015b8cc5e7c4d7
#regzbot monitor:
https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/
On 24/01/2023 23.18, Alexander Wetzel wrote:
> Key information in wext.connect is not reset on (re)connect and can hold
> data from a previous connection.
>
> Reset key data to avoid that drivers or mac80211 incorrectly detect a
> WEP connection request and access the freed or already reused memory.
>
> Additionally optimize cfg80211_sme_connect() and avoid an useless
> schedule of conn_work.
>
> Fixes: fffd0934b939 ("cfg80211: rework key operation")
> Cc: stable@vger.kernel.org
> Link: https://lore.kernel.org/r/c80f04d2-8159-a02a-9287-26e5ec838826@wetzel-home.de
> Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
>
> ---
> V2 changes:
> - updated comment
> - reset more key data
>
> ---
> net/wireless/sme.c | 31 ++++++++++++++++++++++++++-----
> 1 file changed, 26 insertions(+), 5 deletions(-)
>
> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
> index 123248b2c0be..0cc841c0c59b 100644
> --- a/net/wireless/sme.c
> +++ b/net/wireless/sme.c
[snip]
> @@ -1464,6 +1476,15 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
This if branch only fires if the connection is WEP.
> } else {
> if (WARN_ON(connkeys))
> return -EINVAL;
> +
> + /* connect can point to wdev->wext.connect which
> + * can hold key data from a previous connection
> + */
> + connect->key = NULL;
> + connect->key_len = 0;
> + connect->key_idx = 0;
And these are indeed only used by WEP.
> + connect->crypto.cipher_group = 0;
> + connect->crypto.n_ciphers_pairwise = 0;
But here you're killing the info that is used for *other* auth modes too
if !WEP, breaking WPA and everything else.
> }
>
> wdev->connect_keys = connkeys;
- Hector
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
2023-03-11 9:55 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Hector Martin
@ 2023-03-11 11:03 ` Hans de Goede
2023-03-11 12:30 ` Greg Kroah-Hartman
2023-03-11 14:19 ` [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Hector Martin
2023-03-13 14:18 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Linux regression tracking #update (Thorsten Leemhuis)
2 siblings, 1 reply; 7+ messages in thread
From: Hans de Goede @ 2023-03-11 11:03 UTC (permalink / raw)
To: Hector Martin, Alexander Wetzel, linux-wireless, Johannes Berg,
Greg Kroah-Hartman
Cc: johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML, regressions
Hi Hector,
On 3/11/23 10:55, Hector Martin wrote:
> Hi,
>
> This broke WPA auth entirely on brcmfmac (in offload mode) and probably
> others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
> revert or fix. Notes below.
>
> Reported-by: Ilya <me@0upti.me>
> Reported-by: Janne Grunau <j@jannau.net>
>
> #regzbot introduced: 015b8cc5e7c4d7
> #regzbot monitor:
> https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/
I can confirm this bug, I was seeing broken wifi on brcmfmac with 6.3-rc1
and I was about to start a git bisect for this this morning when I saw
this email.
Reverting 015b8cc5e7c4d7 fixes the broken wifi. Hector, thank you, you
just saved me from a bisect on somewhat slow hardware :)
Regards,
Hans
>
> On 24/01/2023 23.18, Alexander Wetzel wrote:
>> Key information in wext.connect is not reset on (re)connect and can hold
>> data from a previous connection.
>>
>> Reset key data to avoid that drivers or mac80211 incorrectly detect a
>> WEP connection request and access the freed or already reused memory.
>>
>> Additionally optimize cfg80211_sme_connect() and avoid an useless
>> schedule of conn_work.
>>
>> Fixes: fffd0934b939 ("cfg80211: rework key operation")
>> Cc: stable@vger.kernel.org
>> Link: https://lore.kernel.org/r/c80f04d2-8159-a02a-9287-26e5ec838826@wetzel-home.de
>> Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
>>
>> ---
>> V2 changes:
>> - updated comment
>> - reset more key data
>>
>> ---
>> net/wireless/sme.c | 31 ++++++++++++++++++++++++++-----
>> 1 file changed, 26 insertions(+), 5 deletions(-)
>>
>> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
>> index 123248b2c0be..0cc841c0c59b 100644
>> --- a/net/wireless/sme.c
>> +++ b/net/wireless/sme.c
> [snip]
>> @@ -1464,6 +1476,15 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
>
> This if branch only fires if the connection is WEP.
>
>> } else {
>> if (WARN_ON(connkeys))
>> return -EINVAL;
>> +
>> + /* connect can point to wdev->wext.connect which
>> + * can hold key data from a previous connection
>> + */
>> + connect->key = NULL;
>> + connect->key_len = 0;
>> + connect->key_idx = 0;
>
> And these are indeed only used by WEP.
>
>> + connect->crypto.cipher_group = 0;
>> + connect->crypto.n_ciphers_pairwise = 0;
>
> But here you're killing the info that is used for *other* auth modes too
> if !WEP, breaking WPA and everything else.
>
>> }
>>
>> wdev->connect_keys = connkeys;
>
> - Hector
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
2023-03-11 11:03 ` Hans de Goede
@ 2023-03-11 12:30 ` Greg Kroah-Hartman
0 siblings, 0 replies; 7+ messages in thread
From: Greg Kroah-Hartman @ 2023-03-11 12:30 UTC (permalink / raw)
To: Hans de Goede
Cc: Hector Martin, Alexander Wetzel, linux-wireless, Johannes Berg,
johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML,
regressions
On Sat, Mar 11, 2023 at 12:03:44PM +0100, Hans de Goede wrote:
> Hi Hector,
>
> On 3/11/23 10:55, Hector Martin wrote:
> > Hi,
> >
> > This broke WPA auth entirely on brcmfmac (in offload mode) and probably
> > others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
> > revert or fix. Notes below.
> >
> > Reported-by: Ilya <me@0upti.me>
> > Reported-by: Janne Grunau <j@jannau.net>
> >
> > #regzbot introduced: 015b8cc5e7c4d7
> > #regzbot monitor:
> > https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/
>
> I can confirm this bug, I was seeing broken wifi on brcmfmac with 6.3-rc1
> and I was about to start a git bisect for this this morning when I saw
> this email.
>
> Reverting 015b8cc5e7c4d7 fixes the broken wifi. Hector, thank you, you
> just saved me from a bisect on somewhat slow hardware :)
Great, can someone submit the revert patch to the networking tree so we
can get this resolved quickly?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-11 9:55 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Hector Martin
2023-03-11 11:03 ` Hans de Goede
@ 2023-03-11 14:19 ` Hector Martin
2023-03-11 14:22 ` Janne Grunau
2023-03-11 14:31 ` Eric Curtin
2023-03-13 14:18 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Linux regression tracking #update (Thorsten Leemhuis)
2 siblings, 2 replies; 7+ messages in thread
From: Hector Martin @ 2023-03-11 14:19 UTC (permalink / raw)
To: Greg Kroah-Hartman, Johannes Berg, Johannes Berg,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Alexander Wetzel
Cc: Ilya, Janne Grunau, Hans de Goede, linux-wireless, netdev,
linux-kernel, stable, regressions, asahi, Hector Martin
This reverts part of commit 015b8cc5e7c4 ("wifi: cfg80211: Fix use after
free for wext")
This commit broke WPA offload by unconditionally clearing the crypto
modes for non-WEP connections. Drop that part of the patch.
Fixes: 015b8cc5e7c4 ("wifi: cfg80211: Fix use after free for wext")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/linux-wireless/ZAx0TWRBlGfv7pNl@kroah.com/T/#m11e6e0915ab8fa19ce8bc9695ab288c0fe018edf
Signed-off-by: Hector Martin <marcan@marcan.st>
---
net/wireless/sme.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 28ce13840a88..7bdeb8eea92d 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -1500,8 +1500,6 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
connect->key = NULL;
connect->key_len = 0;
connect->key_idx = 0;
- connect->crypto.cipher_group = 0;
- connect->crypto.n_ciphers_pairwise = 0;
}
wdev->connect_keys = connkeys;
--
2.35.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-11 14:19 ` [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Hector Martin
@ 2023-03-11 14:22 ` Janne Grunau
2023-03-11 14:31 ` Eric Curtin
1 sibling, 0 replies; 7+ messages in thread
From: Janne Grunau @ 2023-03-11 14:22 UTC (permalink / raw)
To: Hector Martin
Cc: Greg Kroah-Hartman, Johannes Berg, Johannes Berg,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Alexander Wetzel, Ilya, Hans de Goede, linux-wireless, netdev,
linux-kernel, stable, regressions, asahi
On 2023-03-11 23:19:14 +0900, Hector Martin wrote:
> This reverts part of commit 015b8cc5e7c4 ("wifi: cfg80211: Fix use after
> free for wext")
>
> This commit broke WPA offload by unconditionally clearing the crypto
> modes for non-WEP connections. Drop that part of the patch.
>
> Fixes: 015b8cc5e7c4 ("wifi: cfg80211: Fix use after free for wext")
> Cc: stable@vger.kernel.org
> Link: https://lore.kernel.org/linux-wireless/ZAx0TWRBlGfv7pNl@kroah.com/T/#m11e6e0915ab8fa19ce8bc9695ab288c0fe018edf
> Signed-off-by: Hector Martin <marcan@marcan.st>
> ---
> net/wireless/sme.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
> index 28ce13840a88..7bdeb8eea92d 100644
> --- a/net/wireless/sme.c
> +++ b/net/wireless/sme.c
> @@ -1500,8 +1500,6 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
> connect->key = NULL;
> connect->key_len = 0;
> connect->key_idx = 0;
> - connect->crypto.cipher_group = 0;
> - connect->crypto.n_ciphers_pairwise = 0;
> }
>
> wdev->connect_keys = connkeys;
Tested-by: Janne Grunau <j@jannau.net>
thanks,
Janne
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-11 14:19 ` [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Hector Martin
2023-03-11 14:22 ` Janne Grunau
@ 2023-03-11 14:31 ` Eric Curtin
1 sibling, 0 replies; 7+ messages in thread
From: Eric Curtin @ 2023-03-11 14:31 UTC (permalink / raw)
To: Hector Martin
Cc: Greg Kroah-Hartman, Johannes Berg, Johannes Berg,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Alexander Wetzel, Ilya, Janne Grunau, Hans de Goede,
linux-wireless, netdev, linux-kernel, stable, regressions, asahi
On Sat, 11 Mar 2023 at 14:28, Hector Martin <marcan@marcan.st> wrote:
>
> This reverts part of commit 015b8cc5e7c4 ("wifi: cfg80211: Fix use after
> free for wext")
>
> This commit broke WPA offload by unconditionally clearing the crypto
> modes for non-WEP connections. Drop that part of the patch.
>
> Fixes: 015b8cc5e7c4 ("wifi: cfg80211: Fix use after free for wext")
> Cc: stable@vger.kernel.org
> Link: https://lore.kernel.org/linux-wireless/ZAx0TWRBlGfv7pNl@kroah.com/T/#m11e6e0915ab8fa19ce8bc9695ab288c0fe018edf
> Signed-off-by: Hector Martin <marcan@marcan.st>
Reviewed-by: Eric Curtin <ecurtin@redhat.com>
Is mise le meas/Regards,
Eric Curtin
> ---
> net/wireless/sme.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/net/wireless/sme.c b/net/wireless/sme.c
> index 28ce13840a88..7bdeb8eea92d 100644
> --- a/net/wireless/sme.c
> +++ b/net/wireless/sme.c
> @@ -1500,8 +1500,6 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
> connect->key = NULL;
> connect->key_len = 0;
> connect->key_idx = 0;
> - connect->crypto.cipher_group = 0;
> - connect->crypto.n_ciphers_pairwise = 0;
> }
>
> wdev->connect_keys = connkeys;
> --
> 2.35.1
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext
2023-03-11 9:55 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Hector Martin
2023-03-11 11:03 ` Hans de Goede
2023-03-11 14:19 ` [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Hector Martin
@ 2023-03-13 14:18 ` Linux regression tracking #update (Thorsten Leemhuis)
2 siblings, 0 replies; 7+ messages in thread
From: Linux regression tracking #update (Thorsten Leemhuis) @ 2023-03-13 14:18 UTC (permalink / raw)
To: Hector Martin, Alexander Wetzel, linux-wireless, Johannes Berg,
Greg Kroah-Hartman
Cc: johannes, stable, Asahi Linux, Ilya, Janne Grunau, LKML, regressions
[TLDR: This mail in primarily relevant for Linux kernel regression
tracking. See link in footer if these mails annoy you.]
On 11.03.23 10:55, Hector Martin wrote:
>
> This broke WPA auth entirely on brcmfmac (in offload mode) and probably
> others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please
> revert or fix. Notes below.
>
> Reported-by: Ilya <me@0upti.me>
> Reported-by: Janne Grunau <j@jannau.net>
>
> #regzbot introduced: 015b8cc5e7c4d7
> #regzbot monitor:
> https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wetzel-home.de/
#regzbot fix: 79d1ed5ca7db67d48
#regzbot ignore-activity
Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)
--
Everything you wanna know about Linux kernel regression tracking:
https://linux-regtracking.leemhuis.info/about/#tldr
That page also explains what to do if mails like this annoy you.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2023-03-13 14:18 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20230124141856.356646-1-alexander@wetzel-home.de>
2023-03-11 9:55 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Hector Martin
2023-03-11 11:03 ` Hans de Goede
2023-03-11 12:30 ` Greg Kroah-Hartman
2023-03-11 14:19 ` [PATCH] wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext" Hector Martin
2023-03-11 14:22 ` Janne Grunau
2023-03-11 14:31 ` Eric Curtin
2023-03-13 14:18 ` [REGRESSION] Patch broke WPA auth: Re: [PATCH v2] wifi: cfg80211: Fix use after free for wext Linux regression tracking #update (Thorsten Leemhuis)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).