Public bug reported:

== Impact ==
Marvell WiFi cards supported by the mwifiex driver may fail to connect to some access points after a kernel upgrade.
This is caused by the commit

commit e18696786548244914f36ec3c46ac99c53df99c3
Author: Dan Carpenter <dan.carpen...@oracle.com>
Date:   Wed Jul 8 14:58:57 2020 +0300

    mwifiex: Prevent memory corruption handling keys
    
    The length of the key comes from the network and it's a 16 bit number.  It
    needs to be capped to prevent a buffer overflow.
    
    Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
    Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
    Acked-by: Ganapathi Bhat <ganapathi.b...@nxp.com>
    Signed-off-by: Kalle Valo <kv...@codeaurora.org>
    Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda

The commit added a check to mwifiex_ret_802_11_key_material_v2() to make
sure the key length is not larger than the key buffer size before
copying it. The allocated key buffer is 16 bytes long. In some cases the
key is 32 bytes long, and hence the check fails. One thing to note
is that this commit is not the cause of the problem; it just
makes the issue visible.

The commit is included in Ubuntu-4.4.0-190.220, Ubuntu-4.15.0-119.120,
Ubuntu-5.4.0-48.52, and Ubuntu-5.8.0-18.19.

== Fix ==
There's already a fix in mainline which increases the key buffer size to 32 bytes:

commit 4afc850e2e9e781976fb2c7852ce7bac374af938
Author: Maximilian Luz <luzmaximil...@gmail.com>
Date:   Tue Aug 25 17:38:29 2020 +0200

    mwifiex: Increase AES key storage size to 256 bits
    
    Following commit e18696786548 ("mwifiex: Prevent memory corruption
    handling keys") the mwifiex driver fails to authenticate with certain
    networks, specifically networks with 256 bit keys, and repeatedly asks
    for the password. The kernel log repeats the following lines (id and
    bssid redacted):
    
        mwifiex_pcie 0000:01:00.0: info: trying to associate to '<id>' bssid <bssid>
        mwifiex_pcie 0000:01:00.0: info: associated to bssid <bssid> successfully
        mwifiex_pcie 0000:01:00.0: crypto keys added
        mwifiex_pcie 0000:01:00.0: info: successfully disconnected from <bssid>: reason code 3
    
    Tracking down this problem led to the overflow check introduced by the
    aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
    check fails on networks with 256 bit keys due to the current storage
    size for AES keys in struct mwifiex_aes_param being only 128 bit.
    
    To fix this issue, increase the storage size for AES keys to 256 bit.
    
    Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys")
    Signed-off-by: Maximilian Luz <luzmaximil...@gmail.com>
    Reported-by: Kaloyan Nikolov <koni...@gmail.com>
    Tested-by: Kaloyan Nikolov <koni...@gmail.com>
    Reviewed-by: Dan Carpenter <dan.carpen...@oracle.com>
    Reviewed-by: Brian Norris <briannor...@chromium.org>
    Tested-by: Brian Norris <briannor...@chromium.org>
    Signed-off-by: Kalle Valo <kv...@codeaurora.org>
    Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximil...@gmail.com

== Regression Potential ==
Low. While the fix increases the buffer size, it still checks and makes sure the data to be copied can fit into the buffer. Also, the commit does fix the issue we saw in the Cert lab.
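
Added illustration, not part of the bug report or of either commit: a simplified user-space C model of the length check described above. It shows a 32-byte key being rejected against 16-byte storage, accepted once the storage is 32 bytes, and an oversized 16-bit length still being refused. The struct, function and macro names are hypothetical and are not the driver's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN_128 16 /* key storage size before the fix (bytes) */
#define KEY_LEN_256 32 /* key storage size after the fix (bytes)  */

/* Hypothetical key slot: storage pointer plus its allocated size. */
struct key_slot {
    uint8_t *buf;
    size_t cap; /* bytes available for the key */
    size_t len; /* bytes currently stored      */
};

/*
 * Store a key whose length is an untrusted 16-bit value from the wire.
 * The length is compared with the storage size before any copy, so an
 * oversized key is rejected instead of overrunning the buffer.
 */
int store_key(struct key_slot *slot, const uint8_t *key, uint16_t wire_len)
{
    if (wire_len > slot->cap)
        return -EINVAL;
    memcpy(slot->buf, key, wire_len);
    slot->len = wire_len;
    return 0;
}

/* Try one wire length against one storage size (16 or 32 bytes). */
int try_key(size_t storage, uint16_t wire_len)
{
    uint8_t backing[KEY_LEN_256] = {0};
    uint8_t key[64]; /* constructed sample key material */
    struct key_slot slot = { backing, storage, 0 };

    if (storage > sizeof(backing))
        return -EINVAL;
    memset(key, 0xA5, sizeof(key));
    return store_key(&slot, key, wire_len);
}

int main(void)
{
    const uint16_t lens[] = { 16, 32, 0xFFFF };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%5u  16-byte storage: %d  32-byte storage: %d\n",
               (unsigned)lens[i], try_key(KEY_LEN_128, lens[i]),
               try_key(KEY_LEN_256, lens[i]));
    return 0;
}
```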

** Affects: hwe-next
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Jesse Sung (wenchien)
         Status: In Progress

** Affects: linux (Ubuntu Xenial)
     Importance: Undecided
     Assignee: Jesse Sung (wenchien)
         Status: In Progress

** Affects: linux (Ubuntu Bionic)
     Importance: Undecided
     Assignee: Jesse Sung (wenchien)
         Status: In Progress

** Affects: linux (Ubuntu Focal)
     Importance: Undecided
     Assignee: Jesse Sung (wenchien)
         Status: In Progress

** Affects: linux (Ubuntu Groovy)
     Importance: Undecided
     Assignee: Jesse Sung (wenchien)
         Status: In Progress


** Tags: oem-priority originate-from-1896647 plano

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Groovy)
   Importance: Undecided
     Assignee: Jesse Sung (wenchien)
       Status: In Progress

** Also affects: linux (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: linux (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: linux (Ubuntu Focal)
       Status: New => In Progress

** Changed in: linux (Ubuntu Xenial)
     Assignee: (unassigned) => Jesse Sung (wenchien)

** Changed in: linux (Ubuntu Bionic)
     Assignee: (unassigned) => Jesse Sung (wenchien)

** Changed in: linux (Ubuntu Focal)
     Assignee: (unassigned) => Jesse Sung (wenchien)

** Tags added: oem-priority originate-from-1896647 plano

https://bugs.launchpad.net/bugs/1897299

Title:
  mwifiex stops working after kernel upgrade

Status in HWE Next:
  New
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Focal:
  In Progress
Status in linux source package in Groovy:
  In Progress
