LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, linux-wireless@vger.kernel.org,
	bcm43xx-dev@lists.berlios.de, Michael Buesch <mb@bu3sch.de>,
	"John W. Linville" <linville@tuxdriver.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [patch 32/45] b43: Drop packets we are not able to encrypt
Date: Thu, 7 Feb 2008 12:47:54 -0800	[thread overview]
Message-ID: <20080207204754.GG16389@suse.de> (raw)
In-Reply-To: <20080207204549.GA16389@suse.de>

[-- Attachment #1: b43-drop-packets-we-are-not-able-to-encrypt.patch --]
[-- Type: text/plain, Size: 4173 bytes --]

2.6.24-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Michael Buesch <mb@bu3sch.de>

patch 09552ccd8277e6382097e93a40f7311a09449367 in mainline

We must drop any packets we are not able to encrypt.
We must not send them unencrypted or with an all-zero-key (which
basically is the same as unencrypted, from a security point of view).

This might only trigger shortly after resume before mac80211 reassociated
and reconfigured the keys.

It is safe to drop these packets, as the association they belong to
is not guaranteed anymore anyway.
This is a security fix in the sense that it prevents information leakage.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/net/wireless/b43/dma.c  |   11 ++++++++++-
 drivers/net/wireless/b43/xmit.c |   20 +++++++++++++++-----
 drivers/net/wireless/b43/xmit.h |    2 +-
 3 files changed, 26 insertions(+), 7 deletions(-)

--- a/drivers/net/wireless/b43/dma.c
+++ b/drivers/net/wireless/b43/dma.c
@@ -1122,9 +1122,11 @@ static int dma_tx_fragment(struct b43_dm
 	memset(meta_hdr, 0, sizeof(*meta_hdr));
 
 	header = &(ring->txhdr_cache[slot * sizeof(struct b43_txhdr_fw4)]);
-	b43_generate_txhdr(ring->dev, header,
+	err = b43_generate_txhdr(ring->dev, header,
 			   skb->data, skb->len, ctl,
 			   generate_cookie(ring, slot));
+	if (unlikely(err))
+		return err;
 
 	meta_hdr->dmaaddr = map_descbuffer(ring, (unsigned char *)header,
 					   sizeof(struct b43_txhdr_fw4), 1);
@@ -1219,6 +1221,13 @@ int b43_dma_tx(struct b43_wldev *dev,
 	B43_WARN_ON(ring->stopped);
 
 	err = dma_tx_fragment(ring, skb, ctl);
+	if (unlikely(err == -ENOKEY)) {
+		/* Drop this packet, as we don't have the encryption key
+		 * anymore and must not transmit it unencrypted. */
+		dev_kfree_skb_any(skb);
+		err = 0;
+		goto out_unlock;
+	}
 	if (unlikely(err)) {
 		b43err(dev->wl, "DMA tx mapping failure\n");
 		goto out_unlock;
--- a/drivers/net/wireless/b43/xmit.c
+++ b/drivers/net/wireless/b43/xmit.c
@@ -177,7 +177,7 @@ static u8 b43_calc_fallback_rate(u8 bitr
 	return 0;
 }
 
-static void generate_txhdr_fw4(struct b43_wldev *dev,
+static int generate_txhdr_fw4(struct b43_wldev *dev,
 			       struct b43_txhdr_fw4 *txhdr,
 			       const unsigned char *fragment_data,
 			       unsigned int fragment_len,
@@ -235,7 +235,15 @@ static void generate_txhdr_fw4(struct b4
 
 		B43_WARN_ON(key_idx >= dev->max_nr_keys);
 		key = &(dev->key[key_idx]);
-		B43_WARN_ON(!key->keyconf);
+
+		if (unlikely(!key->keyconf)) {
+			/* This key is invalid. This might only happen
+			 * in a short timeframe after machine resume before
+			 * we were able to reconfigure keys.
+			 * Drop this packet completely. Do not transmit it
+			 * unencrypted to avoid leaking information. */
+			return -ENOKEY;
+		}
 
 		/* Hardware appends ICV. */
 		plcp_fragment_len += txctl->icv_len;
@@ -352,16 +360,18 @@ static void generate_txhdr_fw4(struct b4
 	txhdr->mac_ctl = cpu_to_le32(mac_ctl);
 	txhdr->phy_ctl = cpu_to_le16(phy_ctl);
 	txhdr->extra_ft = extra_ft;
+
+	return 0;
 }
 
-void b43_generate_txhdr(struct b43_wldev *dev,
+int b43_generate_txhdr(struct b43_wldev *dev,
 			u8 * txhdr,
 			const unsigned char *fragment_data,
 			unsigned int fragment_len,
 			const struct ieee80211_tx_control *txctl, u16 cookie)
 {
-	generate_txhdr_fw4(dev, (struct b43_txhdr_fw4 *)txhdr,
-			   fragment_data, fragment_len, txctl, cookie);
+	return generate_txhdr_fw4(dev, (struct b43_txhdr_fw4 *)txhdr,
+				  fragment_data, fragment_len, txctl, cookie);
 }
 
 static s8 b43_rssi_postprocess(struct b43_wldev *dev,
--- a/drivers/net/wireless/b43/xmit.h
+++ b/drivers/net/wireless/b43/xmit.h
@@ -82,7 +82,7 @@ struct b43_txhdr_fw4 {
 #define  B43_TX4_PHY_ANT1		0x0100	/* Use antenna 1 */
 #define  B43_TX4_PHY_ANTLAST	0x0300	/* Use last used antenna */
 
-void b43_generate_txhdr(struct b43_wldev *dev,
+int b43_generate_txhdr(struct b43_wldev *dev,
 			u8 * txhdr,
 			const unsigned char *fragment_data,
 			unsigned int fragment_len,

-- 

  parent reply	other threads:[~2008-02-07 21:07 UTC|newest]

Thread overview: 64+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20080207204118.202098927@mini.kroah.org>
2008-02-07 20:45 ` [patch 00/45] 2.6.24-stable review Greg KH
2008-02-07 20:46   ` [patch 01/45] DVB: cx23885: add missing subsystem ID for Hauppauge HVR1800 Retail Greg KH
2008-02-07 20:46   ` [patch 02/45] slab: fix bootstrap on memoryless node Greg KH
2008-02-07 20:46   ` [patch 03/45] vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) Greg KH
2008-02-07 20:46   ` [patch 04/45] USB: keyspan: Fix oops Greg KH
2008-02-07 20:46   ` [patch 05/45] usb gadget: fix fsl_usb2_udc potential OOPS Greg KH
2008-02-07 20:46   ` [patch 06/45] USB: CP2101 New Device IDs Greg KH
2008-02-07 20:46   ` [patch 07/45] USB: add support for 4348:5523 WinChipHead USB->RS 232 adapter Greg KH
2008-02-07 20:46   ` [patch 08/45] USB: Sierra - Add support for Aircard 881U Greg KH
2008-02-07 20:46   ` [patch 09/45] USB: Adding YC Cable USB Serial device to pl2303 Greg KH
2008-02-07 20:47   ` [patch 10/45] USB: sierra driver - add devices Greg KH
2008-02-07 20:47   ` [patch 11/45] USB: ftdi_sio - enabling multiple ELV devices, adding EM1010PC Greg KH
2008-02-07 20:47   ` [patch 12/45] USB: ftdi-sio: Patch to add vendor/device id for ATK_16IC CCD Greg KH
2008-02-07 20:47   ` [patch 13/45] USB: sierra: add support for Onda H600/Zte MF330 datacard to USB Driver for Sierra Wireless Greg KH
2008-02-08  2:21     ` [patch 13/45] USB: sierra: add support for Onda H600/Zte MF330datacard " Kevin Lloyd
2008-02-08  4:11       ` Greg KH
2008-02-08 16:50         ` [patch 13/45] USB: sierra: add support for Onda H600/ZteMF330datacard " Kevin Lloyd
2008-02-08 18:47           ` Greg KH
2008-02-07 20:47   ` [patch 14/45] USB: remove duplicate entry in Option driver and Pl2303 driver for Huawei modem Greg KH
2008-02-07 20:47   ` [patch 15/45] USB: pl2303: add support for RATOC REX-USB60F Greg KH
2008-02-07 20:47   ` [patch 16/45] USB: ftdi driver - add support for optical probe device Greg KH
2008-02-07 20:47   ` [patch 17/45] USB: use GFP_NOIO in reset path Greg KH
2008-02-07 20:47   ` [patch 18/45] USB: Variant of the Dell Wireless 5520 driver Greg KH
2008-02-07 20:47   ` [patch 19/45] USB: storage: Add unusual_dev for HP r707 Greg KH
2008-02-07 20:47   ` [patch 20/45] USB: fix usbtest halt check on big endian systems Greg KH
2008-02-07 20:47   ` [patch 21/45] USB: handle idVendor of 0x0000 Greg KH
2008-02-07 20:47   ` [patch 22/45] USB: Fix usb_serial_driver structure for Kobil cardreader driver Greg KH
2008-02-07 20:47   ` [patch 23/45] forcedeth: mac address mcp77/79 Greg KH
2008-02-07 20:47   ` [patch 24/45] lockdep: annotate epoll Greg KH
2008-02-07 20:47   ` [patch 25/45] sys_remap_file_pages: fix ->vm_file accounting Greg KH
2008-02-07 20:47   ` [patch 26/45] PCI: Fix fakephp deadlock Greg KH
2008-02-07 20:47   ` [patch 27/45] ACPI: update ACPI blacklist Greg KH
2008-02-07 20:47   ` [patch 28/45] x86: restore correct module name for apm Greg KH
2008-02-07 20:47   ` [patch 29/45] sky2: restore multicast addresses after recovery Greg KH
2008-02-07 20:47   ` [patch 30/45] sky2: fix for WOL on some devices Greg KH
2008-02-07 20:47   ` [patch 31/45] b43: Fix suspend/resume Greg KH
2008-02-07 20:47   ` Greg KH [this message]
2008-02-07 20:47   ` [patch 33/45] b43: Fix dma-slot resource leakage Greg KH
2008-02-07 20:47   ` [patch 34/45] b43legacy: fix PIO crash Greg KH
2008-02-07 20:48   ` [patch 35/45] b43legacy: fix suspend/resume Greg KH
2008-02-07 20:48   ` [patch 36/45] b43legacy: drop packets we are not able to encrypt Greg KH
2008-02-07 20:48   ` [patch 37/45] b43legacy: fix DMA slot resource leakage Greg KH
2008-02-07 20:48   ` [patch 38/45] selinux: fix labeling of /proc/net inodes Greg KH
2008-02-07 20:48   ` [patch 39/45] b43: Reject new firmware early Greg KH
2008-02-07 20:48   ` [patch 40/45] sched: let +nice tasks have smaller impact Greg KH
2008-02-07 20:48   ` [patch 41/45] sched: fix high wake up latencies with FAIR_USER_SCHED Greg KH
2008-02-07 20:48   ` [patch 42/45] fix writev regression: pan hanging unkillable and un-straceable Greg KH
2008-02-07 20:48   ` [patch 43/45] x86: replace LOCK_PREFIX in futex.h Greg KH
2008-02-08 18:35     ` Stefan Lippers-Hollmann
2008-02-08 19:19       ` Greg KH
2008-02-08 21:45       ` Chuck Ebbert
2008-02-07 20:48   ` [patch 44/45] Driver core: Revert "Fix Firmware class name collision" Greg KH
2008-02-07 20:48   ` [patch 45/45] drm: the drm really should call pci_set_master Greg KH
2008-02-07 21:41   ` [patch 00/45] 2.6.24-stable review S.Çağlar Onur
2008-02-07 21:58     ` Greg KH
2008-02-09  0:57       ` [stable] " Greg KH
2008-02-07 23:50   ` Chuck Ebbert
2008-02-08  1:32     ` [stable] " Greg KH
2008-02-08  0:44   ` David Chinner
2008-02-08  1:12     ` [stable] " Greg KH
2008-02-08  1:24       ` David Chinner
2008-02-08  1:35         ` Greg KH
2008-02-08 22:26           ` [PATCH] stable_kernel_rules: fix must already be in mainline Stefan Richter
2008-02-08  5:31   ` [stable] [patch 00/45] 2.6.24-stable review Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080207204754.GG16389@suse.de \
    --to=gregkh@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=bcm43xx-dev@lists.berlios.de \
    --cc=cavokz@gmail.com \
    --cc=cebbert@redhat.com \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=davem@davemloft.net \
    --cc=jmforbes@linuxtx.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=linville@tuxdriver.com \
    --cc=mb@bu3sch.de \
    --cc=mkrufky@linuxtv.org \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=zwane@arm.linux.org.uk \
    --subject='Re: [patch 32/45] b43: Drop packets we are not able to encrypt' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).