Commit 7363e91c authored Mar 19, 2024 by Stanislaw Gruszka Committed by Pu Lehui Mar 19, 2024

rt2x00: clear up IV's on key removal

mainline inclusion
from mainline-v5.3-rc8
commit 14d5e14c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I96GO9
CVE: CVE-2023-52595

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=14d5e14c8a6c



--------------------------------

After looking at code I realized that my previous fix
95844124 ("rt2x00: clear IV's on start to fix AP mode regression")
was incomplete. We can still have wrong IV's after re-keyring.
To fix that, clear up IV's also on key removal.

Fixes: 710e6cc1 ("rt2800: do not nullify initialization vector data")
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
tested-by: Emil Karlson <jekarl@iki.fi>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Pu Lehui <pulehui@huawei.com>

parent 5bd8d4e2

drivers/net/wireless/ralink/rt2x00/rt2800lib.c

+12 −7

Original line number	Diff line number	Diff line
		@@ -1440,6 +1440,7 @@ static void rt2800_config_wcid_attr_cipher(struct rt2x00_dev *rt2x00dev,

		offset = MAC_IVEIV_ENTRY(key->hw_key_idx);

		if (crypto->cmd == SET_KEY) {
		rt2800_register_multiread(rt2x00dev, offset,
		&iveiv_entry, sizeof(iveiv_entry));
		if ((crypto->cipher == CIPHER_TKIP) \|\|
		@@ -1447,6 +1448,10 @@ static void rt2800_config_wcid_attr_cipher(struct rt2x00_dev *rt2x00dev,
		(crypto->cipher == CIPHER_AES))
		iveiv_entry.iv[3] \|= 0x20;
		iveiv_entry.iv[3] \|= key->keyidx << 6;
		} else {
		memset(&iveiv_entry, 0, sizeof(iveiv_entry));
		}

		rt2800_register_multiwrite(rt2x00dev, offset,
		&iveiv_entry, sizeof(iveiv_entry));
		}