group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1897299] Re: mwifiex stops working after kernel upgrade

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Jesse Sung <1897299@xxxxxxxxxxxxxxxxxx>
Date: Sat, 26 Sep 2020 04:44:26 -0000
Reply-to: Bug 1897299 <1897299@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Changed in: hwe-next
       Status: New => Fix Released

** Changed in: hwe-next
     Assignee: (unassigned) => Jesse Sung (wenchien)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1897299

Title:
  mwifiex stops working after kernel upgrade

Status in HWE Next:
  Fix Released
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Focal:
  In Progress
Status in linux source package in Groovy:
  In Progress

Bug description:
  == Impact ==
  Marvell WiFi cards supported by the mwifiex driver may fail to connect to some access points after kernel upgrade.
  This is caused by the commit

  commit e18696786548244914f36ec3c46ac99c53df99c3
  Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
  Date:   Wed Jul 8 14:58:57 2020 +0300

      mwifiex: Prevent memory corruption handling keys
      
      The length of the key comes from the network and it's a 16 bit number.  It
      needs to be capped to prevent a buffer overflow.
      
      Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
      Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
      Acked-by: Ganapathi Bhat <ganapathi.bhat@xxxxxxx>
      Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
      Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda

  The commit added a check to mwifiex_ret_802_11_key_material_v2() to
  make sure the key length doesn't larger than the key buffer size
  before copying it. The allocated key buffer is 16-byte long. In some
  cases the key would be 32-byte long and hence the check fails. One
  thing to note is that this commit is not the cause of the problem,
  instead it just makes the issue visible.

  The commit is included in Ubuntu-4.4.0-190.220, Ubuntu-4.15.0-119.120,
  Ubuntu-5.4.0-48.52, and Ubuntu-5.8.0-18.19.

  == Fix ==
  There's already a fix in the mainline which increase the key buffer size to 32 bytes:

  commit 4afc850e2e9e781976fb2c7852ce7bac374af938
  Author: Maximilian Luz <luzmaximilian@xxxxxxxxx>
  Date:   Tue Aug 25 17:38:29 2020 +0200

      mwifiex: Increase AES key storage size to 256 bits
      
      Following commit e18696786548 ("mwifiex: Prevent memory corruption
      handling keys") the mwifiex driver fails to authenticate with certain
      networks, specifically networks with 256 bit keys, and repeatedly asks
      for the password. The kernel log repeats the following lines (id and
      bssid redacted):
      
          mwifiex_pcie 0000:01:00.0: info: trying to associate to '<id>' bssid <bssid>
          mwifiex_pcie 0000:01:00.0: info: associated to bssid <bssid> successfully
          mwifiex_pcie 0000:01:00.0: crypto keys added
          mwifiex_pcie 0000:01:00.0: info: successfully disconnected from <bssid>: reason code 3
      
      Tracking down this problem lead to the overflow check introduced by the
      aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
      check fails on networks with 256 bit keys due to the current storage
      size for AES keys in struct mwifiex_aes_param being only 128 bit.
      
      To fix this issue, increase the storage size for AES keys to 256 bit.
      
      Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys")
      Signed-off-by: Maximilian Luz <luzmaximilian@xxxxxxxxx>
      Reported-by: Kaloyan Nikolov <konik98@xxxxxxxxx>
      Tested-by: Kaloyan Nikolov <konik98@xxxxxxxxx>
      Reviewed-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
      Reviewed-by: Brian Norris <briannorris@xxxxxxxxxxxx>
      Tested-by: Brian Norris <briannorris@xxxxxxxxxxxx>
      Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
      Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@xxxxxxxxx

  == Regression Potential ==
  Low. While the fix increases the buffer size, it still checks and make sure data to be copy can fit into the buffer. Also the commit does fix the issue we saw in the Cert lab.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1897299/+subscriptions