From 0d2e374878ddcfc5d8af8c426bf5db8fa534015d Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: May 25 2023 07:19:34 +0000
Subject: wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace (git-fixes).
---
diff --git a/patches.suse/wifi-iwlwifi-dvm-Fix-memcpy-detected-field-spanning-.patch b/patches.suse/wifi-iwlwifi-dvm-Fix-memcpy-detected-field-spanning-.patch
new file mode 100644
index 0000000..1a26f18
--- /dev/null
+++ b/patches.suse/wifi-iwlwifi-dvm-Fix-memcpy-detected-field-spanning-.patch
@@ -0,0 +1,71 @@
+From ef16799640865f937719f0771c93be5dca18adc6 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Tue, 18 Apr 2023 15:25:46 +0200
+Subject: [PATCH] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
+Git-commit: ef16799640865f937719f0771c93be5dca18adc6
+Patch-mainline: v6.4-rc1
+References: git-fixes
+
+A received TKIP key may be up to 32 bytes because it may contain
+MIC rx/tx keys too. These are not used by iwl and copying these
+over overflows the iwl_keyinfo.key field.
+
+Add a check to not copy more data to iwl_keyinfo.key then will fit.
+
+This fixes backtraces like this one:
+
+ memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16)
+ WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm]
+
+ Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017
+ RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm]
+
+ Call Trace:
+
+ iwl_set_dynamic_key+0x1f0/0x220 [iwldvm]
+ iwlagn_mac_set_key+0x1e4/0x280 [iwldvm]
+ drv_set_key+0xa4/0x1b0 [mac80211]
+ ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211]
+ ieee80211_key_replace+0x22d/0x8e0 [mac80211]
+
+
+Link: https://www.alionet.org/index.php?topic=1469.0
+Link: https://lore.kernel.org/linux-wireless/20230218191056.never.374-kees@kernel.org/
+Link: https://lore.kernel.org/linux-wireless/68760035-7f75-1b23-e355-bfb758a87d83@redhat.com/
+Cc: Kees Cook
+Suggested-by: Johannes Berg
+Signed-off-by: Hans de Goede
+Reviewed-by: Kees Cook
+Signed-off-by: Johannes Berg
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/sta.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c
+index cef43cf80620..8b01ab986cb1 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c
+@@ -1081,6 +1081,7 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv,
+ {
+ __le16 key_flags;
+ struct iwl_addsta_cmd sta_cmd;
++ size_t to_copy;
+ int i;
+
+ spin_lock_bh(&priv->sta_lock);
+@@ -1100,7 +1101,9 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv,
+ sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32;
+ for (i = 0; i < 5; i++)
+ sta_cmd.key.tkip_rx_ttak[i] = cpu_to_le16(tkip_p1k[i]);
+- memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen);
++ /* keyconf may contain MIC rx/tx keys which iwl does not use */
++ to_copy = min_t(size_t, sizeof(sta_cmd.key.key), keyconf->keylen);
++ memcpy(sta_cmd.key.key, keyconf->key, to_copy);
+ break;
+ case WLAN_CIPHER_SUITE_WEP104:
+ key_flags |= STA_KEY_FLG_KEY_SIZE_MSK;
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 830b7bf..e2273b1 100644
--- a/series.conf
+++ b/series.conf
@@ -19940,6 +19940,7 @@
 patches.suse/wifi-iwlwifi-pcie-Fix-integer-overflow-in-iwl_write_.patch
 patches.suse/wifi-iwlwifi-make-the-loop-for-card-preparation-effe.patch
 patches.suse/wifi-iwlwifi-mvm-check-firmware-response-size.patch
+ patches.suse/wifi-iwlwifi-dvm-Fix-memcpy-detected-field-spanning-.patch
 patches.suse/wifi-iwlwifi-fw-fix-memory-leak-in-debugfs.patch
 patches.suse/wifi-mt76-handle-failure-of-vzalloc-in-mt7615_coredu.patch
 patches.suse/wifi-mt76-add-missing-locking-to-protect-against-con.patch
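Review bot: In the second sta.c hunk of the added patch (the TKIP branch of iwlagn_send_sta_key), the new clamp silently truncates any oversized `keyconf->keylen`, and the comment above it does not say that the bound is the size of the destination field. I would expand it to `/* keyconf->key may also carry MIC rx/tx keys, which iwl does not use; copy at most sizeof(sta_cmd.key.key) bytes so the write stays inside the field */`. The function body and the rest of the switch lie outside the hunk, with only `case WLAN_CIPHER_SUITE_WEP104:` visible, so whether the other cipher branches bound their copies into `sta_cmd.key.key` cannot be confirmed from here. That is worth checking in the backported tree, since the warning quoted in the description shows a 32-byte write into a 16-byte field.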