Patch "wifi: iwlwifi: mvm: fix potential array out of bounds access" has been added to the 6.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 23 Jul 2023 21:27:26 -0400

This is a note to let you know that I've just added the patch titled

    wifi: iwlwifi: mvm: fix potential array out of bounds access

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a37efc3bc4885e014924de01edb24e2175627ad3
Author: Gregory Greenman <gregory.greenman@xxxxxxxxx>
Date:   Tue Jun 13 15:57:21 2023 +0300

    wifi: iwlwifi: mvm: fix potential array out of bounds access
    
    [ Upstream commit 637452360ecde9ac972d19416e9606529576b302 ]
    
    Account for IWL_SEC_WEP_KEY_OFFSET when needed while verifying
    key_len size in iwl_mvm_sec_key_add().
    
    Signed-off-by: Gregory Greenman <gregory.greenman@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20230613155501.f193b7493a93.I6948ba625b9318924b96a5e22602ac75d2bd0125@changeid
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
index 8853821b37168..1e659bd07392a 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
 /*
- * Copyright (C) 2022 Intel Corporation
+ * Copyright (C) 2022 - 2023 Intel Corporation
  */
 #include <linux/kernel.h>
 #include <net/mac80211.h>
@@ -179,9 +179,14 @@ int iwl_mvm_sec_key_add(struct iwl_mvm *mvm,
 		.u.add.key_flags = cpu_to_le32(key_flags),
 		.u.add.tx_seq = cpu_to_le64(atomic64_read(&keyconf->tx_pn)),
 	};
+	int max_key_len = sizeof(cmd.u.add.key);
 	int ret;
 
-	if (WARN_ON(keyconf->keylen > sizeof(cmd.u.add.key)))
+	if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 ||
+	    keyconf->cipher == WLAN_CIPHER_SUITE_WEP104)
+		max_key_len -= IWL_SEC_WEP_KEY_OFFSET;
+
+	if (WARN_ON(keyconf->keylen > max_key_len))
 		return -EINVAL;
 
 	if (WARN_ON(!sta_mask))






