Re: iwlagn: memory corruption with WPA enterprise

From: Stanislaw Gruszka
Date: Tue Feb 14 2012 - 04:21:03 EST


On Fri, Feb 10, 2012 at 07:09:29PM +0100, Tomáš Janoušek wrote:
> For the last few months, I've happily used a 64-bit kernel and have had no
> problems whatsoever. About a week ago, I started using virtual machines in
> KVM. And today I found that I have exactly the same problem, but only _inside_
> the virtual machine. I can't reliably scp a file from the internet to my
> virtual machine. It works fine when I scp to the host, it works fine when I'm
> on a WPA-PSK network. And it happens even if I tell kvm to emulate e1000, not
> only with virtio-net. How strange is that?
>
> And while this is happening, the host is running just fine. The host has a
> 64-bit kernel with a 32-bit userspace, so if something was wrong with the
> 32-bit mode of my processor, it would've appeared on the host as well, no?
>
> It's also worth mentioning that if I build openssl with "no-asm 386", scp
> works just fine.
Good hint.

> So it doesn't look like a memory corruption after all. It
> seems as if certain CPU instructions didn't work properly if running on a
> 32-bit kernel with a WiFi adapter doing something. But how can it be
> that those same CPU instructions work on a 64-bit host with 32-bit userspace?
> At the same time! That's just completely insane, and I can't think of an
> explanation. Shall I get a new CPU perhaps? :-)
>
>
> Please, give me any ideas that you might have.

That makes sense! Your "CPU instructions break things" theory sounds crazy,
but I think it's logical. WPA enterprise differs from WPA-PSK (pre-shared
key) in that the key is changed periodically, and SSL is used when keys are
changed (via wpa_supplicant). So it looks like 32-bit openssl generates object
code that triggers a bug on the CPU, which crashes other processes.

Please forward details about this issue to security@xxxxxxxxxx and the proper
vendor engineer in a non-public manner, as this hw bug could possibly be
exploitable (a hardware bug cannot be fixed, but the kernel could disable the
appropriate functionality or use some other workaround).

Thanks
Stanislaw
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/