On Sun, Feb 19, 2023 at 04:12:05PM +0100, Johannes Berg wrote: > On Sat, 2023-02-18 at 11:11 -0800, Kees Cook wrote: > > > > case WLAN_CIPHER_SUITE_CCMP: > > key_flags |= STA_KEY_FLG_CCMP; > > - memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen); > > + memcpy(&sta_cmd.key.keys, keyconf->key, keyconf->keylen); > > This should be fine though, only up to 16 bytes for CCMP. > > > case WLAN_CIPHER_SUITE_TKIP: > > key_flags |= STA_KEY_FLG_TKIP; > > sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32; > > for (i = 0; i < 5; i++) > > sta_cmd.key.tkip_rx_ttak[i] = cpu_to_le16(tkip_p1k[i]); > > - memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen); > > + memcpy(&sta_cmd.key.keys, keyconf->key, keyconf->keylen); > > And that's actually a bug, we should've copied only 16 bytes, I guess. > DVM didn't support MIC offload anyway (at least the way Linux uses the > firmware, though I thought it doesn't at all), so we don't need the MIC > RX/TX keys in there, but anyway the sequence counter values are not part > of the key material on the host. > > I don't think I have a machine now to test this with (nor a TKIP AP, of > course, but that could be changed) - but I suspect that since we > actually calculate the TTAK above, we might not even need this memcpy() > at all? It's the latter that is triggered in the real world, though. See the referenced URL and also now on bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=217214 i.e.: drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 So keyconf->keylen is coming in as 32. If this is a bug, I'm not sure where/how to fix it. Perhaps this patch can be taken as-is, and a WARN_ON added for the >16 case to be tracked down separately? -- Kees Cook
