Re: [PATCH] wifi: iwlwifi: dvm: Add struct_group for struct iwl_keyinfo keys

[Kees Cook]

On Sun, Feb 19, 2023 at 04:12:05PM +0100, Johannes Berg wrote:
> On Sat, 2023-02-18 at 11:11 -0800, Kees Cook wrote:
> > 
> >  	case WLAN_CIPHER_SUITE_CCMP:
> >  		key_flags |= STA_KEY_FLG_CCMP;
> > -		memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen);
> > +		memcpy(&sta_cmd.key.keys, keyconf->key, keyconf->keylen);
> 
> This should be fine though, only up to 16 bytes for CCMP.
> 
> >  	case WLAN_CIPHER_SUITE_TKIP:
> >  		key_flags |= STA_KEY_FLG_TKIP;
> >  		sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32;
> >  		for (i = 0; i < 5; i++)
> >  			sta_cmd.key.tkip_rx_ttak[i] = cpu_to_le16(tkip_p1k[i]);
> > -		memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen);
> > +		memcpy(&sta_cmd.key.keys, keyconf->key, keyconf->keylen);
> 
> And that's actually a bug, we should've copied only 16 bytes, I guess.
> DVM didn't support MIC offload anyway (at least the way Linux uses the
> firmware, though I thought it doesn't at all), so we don't need the MIC
> RX/TX keys in there, but anyway the sequence counter values are not part
> of the key material on the host.
> 
> I don't think I have a machine now to test this with (nor a TKIP AP, of
> course, but that could be changed) - but I suspect that since we
> actually calculate the TTAK above, we might not even need this memcpy()
> at all?

It's the latter that is triggered in the real world, though. See the
referenced URL and also now on bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=217214
i.e.: drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103

So keyconf->keylen is coming in as 32. If this is a bug, I'm not sure
where/how to fix it.

Perhaps this patch can be taken as-is, and a WARN_ON added for the >16
case to be tracked down separately?

-- 
Kees Cook