[PW_SID:810745] dpp: fix data corruption around prf_plus() call #286

Open
wants to merge 9 commits into
base: workflow

IWDTestBot
Owner

Without the change test-dpp fails on aarch64-linux as:

    $ unit/test-dpp
    TEST: DPP test responder-only key derivation
    TEST: DPP test mutual key derivation
    TEST: DPP test PKEX key derivation
    test-dpp: unit/test-dpp.c:514: test_pkex_key_derivation: Assertion `!memcmp(tmp, __tmp, 32)' failed.

This happens due to int/size_t type mismatch passed to vararg
parameters to prf_plus():

    bool prf_plus(enum l_checksum_type type, const void *key, size_t key_len,
               void *out, size_t out_len,
               size_t n_extra, ...)
    {
       // ...
       va_start(va, n_extra);

       for (i = 0; i < n_extra; i++) {
               iov[i + 1].iov_base = va_arg(va, void *);
               iov[i + 1].iov_len = va_arg(va, size_t);
       // ...

Note that varargs here could only be a sequence of void * / size_t
values.

But in src/dpp-util.c iwd attempted to pass int there:

    prf_plus(sha, prk, bytes, z_out, bytes, 5,
             mac_i, 6, // <- here
             mac_r, 6, // <- and here
             m_x, bytes,
             n_x, bytes,
             key, strlen(key));

aarch64 stores only 32-bit value part of the register:

    mov     w7, #0x6
    str     w7, [sp, #...]

and loads full 64-bit form of the register:

    ldr     x3, [x3]

As a result higher bits of iov[].iov_len contain unexpected values and
sendmsg sends a lot more data than expected to the kernel.

The change fixes test-dpp test for me.

While at it fixed obvious int / size_t mismatch in src/erp.c.

src/dpp-util.c | 5 +++--
src/erp.c | 2 +-
2 files changed, 4 insertions(+), 3 deletions(-)
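
The mismatch described in the pull request above, shown as an added example that is not part of the PR or of iwd's code: two ways to guarantee that every length reaching a `va_arg(va, size_t)` reader really is a `size_t`. The names `gather_pairs`, `BUF`, `demo_variadic` and `demo_typed` are hypothetical, and the buffers are constructed sample data.

```c
#include <stdarg.h>
#include <stddef.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical stand-in for the argument walk in prf_plus(): reads
 * n_extra (void *, size_t) pairs and returns the summed length. */
static size_t gather_pairs(struct iovec *iov, size_t n_extra, ...)
{
	va_list va;
	size_t i, total = 0;

	va_start(va, n_extra);
	for (i = 0; i < n_extra; i++) {
		iov[i].iov_base = va_arg(va, void *);
		iov[i].iov_len = va_arg(va, size_t);
		total += iov[i].iov_len;
	}
	va_end(va);
	return total;
}

/* Hypothetical helper: expands to one correctly typed pair, so a bare
 * int literal such as 6 is converted to size_t before it is passed. */
#define BUF(ptr, len) ((void *) (ptr)), ((size_t) (len))

/* Variadic call with every length forced to size_t at the call site. */
size_t demo_variadic(void)
{
	static unsigned char mac_i[6], mac_r[6];	/* constructed sample data */
	static char key[] = "constructed-key";
	struct iovec iov[3];

	return gather_pairs(iov, 3, BUF(mac_i, 6), BUF(mac_r, 6),
				BUF(key, strlen(key)));
}

/* Non-variadic alternative: the struct field has a declared type, so the
 * compiler converts the int literal 6 to size_t on initialization. */
size_t demo_typed(void)
{
	static unsigned char mac_i[6], mac_r[6];
	struct iovec iov[] = { { mac_i, 6 }, { mac_r, 6 } };
	size_t i, total = 0;

	for (i = 0; i < sizeof(iov) / sizeof(iov[0]); i++)
		total += iov[i].iov_len;
	return total;
}
```

Arguments in the `...` part of a call only undergo the default argument promotions, so the compiler has no declared parameter type to convert an `int` to; the cast (or a typed struct field) is what supplies it.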

denkenz and others added 9 commits December 15, 2023 16:29
This is taken care of by the individual cache items and
if none exist, tar fails.
@IWDTestBot
Owner Author

Fetch PR
Test ID: fetch
Desc: Fetch the PR commits for this CI run
Duration: 3.07 seconds
Result: PASS

Make Distcheck
Test ID: makedistcheck
Desc: Run distcheck to check the distribution
Duration: 54.65 seconds
Result: PASS

Build - Configure
Test ID: build
Desc: Configure the BlueZ source tree
Duration: 10.53 seconds
Result: PASS

Make Check
Test ID: makecheck
Desc: Run 'make check'
Duration: 1.49 seconds
Result: PASS

Make Check w/Valgrind
Test ID: makecheckvalgrind
Desc: Run 'make check' with Valgrind
Duration: 70.53 seconds
Result: PASS

Incremental Build with patches
Test ID: incremental_build
Desc: Incremental build per patch in the series
Duration: 0.42 seconds
Result: PASS

@IWDTestBot
Owner Author

Fetch PR
Test ID: fetch
Desc: Fetch the PR commits for this CI run
Duration: 2.32 seconds
Result: PASS

GitLint
Test ID: gitlint
Desc: Run gitlint with rule in .gitlint
Duration: 0.29 seconds
Result: FAIL

Output:

dpp: fix data corruption around prf_plus() call
9: B1 Line exceeds max length (104>80): "    test-dpp: unit/test-dpp.c:514: test_pkex_key_derivation: Assertion `!memcmp(tmp, __tmp, 32)' failed."

Make Distcheck
Test ID: makedistcheck
Desc: Run distcheck to check the distribution
Duration: 37.48 seconds
Result: PASS

Build - Configure
Test ID: build
Desc: Configure the BlueZ source tree
Duration: 8.83 seconds
Result: PASS

Make Check
Test ID: makecheck
Desc: Run 'make check'
Duration: 5.22 seconds
Result: PASS

Make Check w/Valgrind
Test ID: makecheckvalgrind
Desc: Run 'make check' with Valgrind
Duration: 59.87 seconds
Result: PASS

Incremental Build with patches
Test ID: incremental_build
Desc: Incremental build per patch in the series
Duration: 0.30 seconds
Result: PASS

Autotest Runner
Test ID: testrunner
Desc: Runs IWD's autotest framework
Duration: 1664.39 seconds
Result: PASS

Clang Build
Test ID: clang
Desc: Build IWD using clang compiler
Duration: 65.13 seconds
Result: PASS

@github-actions github-actions bot force-pushed the workflow branch 9 times, most recently from 9eef0d5 to d3b4175 Compare February 28, 2024 18:01
@github-actions github-actions bot force-pushed the workflow branch 4 times, most recently from 68c71d2 to 43f4327 Compare March 4, 2024 20:00
@github-actions github-actions bot force-pushed the workflow branch 2 times, most recently from 4170bb4 to c067bc7 Compare March 15, 2024 14:00
@github-actions github-actions bot force-pushed the workflow branch 4 times, most recently from f10f2fc to c2be9ec Compare March 28, 2024 23:30
@github-actions github-actions bot force-pushed the workflow branch 2 times, most recently from ebbbc93 to 089fa9a Compare April 16, 2024 13:02
@github-actions github-actions bot force-pushed the workflow branch 4 times, most recently from 2192e98 to 43a07cc Compare May 9, 2024 15:24
@github-actions github-actions bot force-pushed the workflow branch 3 times, most recently from 2c7b52e to 58d64d4 Compare May 14, 2024 15:45
@github-actions github-actions bot force-pushed the workflow branch 2 times, most recently from f7c5ee3 to 38fe7c3 Compare May 31, 2024 21:30