On Tue, Apr 18, 2023 at 03:25:46PM +0200, Hans de Goede wrote: > A received TKIP key may be up to 32 bytes because it may contain > MIC rx/tx keys too. These are not used by iwl and copying these > over overflows the iwl_keyinfo.key field. > > Add a check to not copy more data to iwl_keyinfo.key then will fit. > > This fixes backtraces like this one: > > memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16) > WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm] > <snip> > Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017 > RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm] > <snip> > Call Trace: > <TASK> > iwl_set_dynamic_key+0x1f0/0x220 [iwldvm] > iwlagn_mac_set_key+0x1e4/0x280 [iwldvm] > drv_set_key+0xa4/0x1b0 [mac80211] > ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211] > ieee80211_key_replace+0x22d/0x8e0 [mac80211] > <snip> > > Link: https://www.alionet.org/index.php?topic=1469.0 > Link: https://lore.kernel.org/linux-wireless/20230218191056.never.374-kees@xxxxxxxxxx/ > Link: https://lore.kernel.org/linux-wireless/68760035-7f75-1b23-e355-bfb758a87d83@xxxxxxxxxx/ > Cc: Kees Cook <keescook@xxxxxxxxxxxx> > Suggested-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx> > Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx> Thanks for chasing this down -- I hadn't had time to come back around to it. Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> -- Kees Cook
