diff options
| author | Ashish Kumar Dhanotiya <adhanoti@codeaurora.org> | 2019-02-20 22:13:25 +0530 |
|---|---|---|
| committer | Ashish Kumar Dhanotiya <adhanoti@codeaurora.org> | 2019-02-21 20:24:33 +0530 |
| commit | 37f09dd5e2deaa9537eb8581e16003116a1db114 (patch) | |
| tree | 5f0f12c0aee1890f4faff3922654331a96cb8106 | |
| parent | a7a2324071d0c7a97db714caee236e402967c44f (diff) | |
qcacld-3.0: Clear PMK cache from driver
Currently PMK cache is not getting cleared inside driver,
which can lead to information disclosure.
To address this issue, clear PMK information from all the
possible places in the driver.
Change-Id: I83758920f414c5287292ebdbebdcc9bf7238103c
CRs-fixed: 2403441
| -rw-r--r-- | core/hdd/src/wlan_hdd_cfg80211.c | 6 | ||||
| -rw-r--r-- | core/hdd/src/wlan_hdd_main.c | 8 | ||||
| -rw-r--r-- | core/sme/src/common/sme_api.c | 4 | ||||
| -rw-r--r-- | core/sme/src/csr/csr_api_roam.c | 2 | ||||
| -rw-r--r-- | core/sme/src/csr/csr_util.c | 1 | ||||
| -rw-r--r-- | core/wma/src/wma_main.c | 6 |
6 files changed, 23 insertions, 4 deletions
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c index 5f8a22eb398b..a89f80696a24 100644 --- a/core/hdd/src/wlan_hdd_cfg80211.c +++ b/core/hdd/src/wlan_hdd_cfg80211.c @@ -4966,6 +4966,8 @@ static int __wlan_hdd_cfg80211_keymgmt_set_key(struct wiphy *wiphy, qdf_mem_copy(local_pmk, data, data_len); sme_roam_set_psk_pmk(WLAN_HDD_GET_HAL_CTX(hdd_adapter_ptr), hdd_adapter_ptr->sessionId, local_pmk, data_len); + qdf_mem_zero(&local_pmk, SIR_ROAM_SCAN_PSK_SIZE); + return 0; } @@ -20229,6 +20231,8 @@ static int __wlan_hdd_cfg80211_set_pmksa(struct wiphy *wiphy, sme_set_del_pmkid_cache(halHandle, pAdapter->sessionId, &pmk_cache, true); + qdf_mem_zero(&pmk_cache, sizeof(pmk_cache)); + EXIT(); return QDF_IS_STATUS_SUCCESS(result) ? 0 : -EINVAL; } @@ -20319,6 +20323,8 @@ static int __wlan_hdd_cfg80211_del_pmksa(struct wiphy *wiphy, sme_set_del_pmkid_cache(halHandle, pAdapter->sessionId, &pmk_cache, false); + qdf_mem_zero(&pmk_cache, sizeof(pmk_cache)); + EXIT(); return status; } diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c index 3c989d4f9ffb..a12ff1cfc39c 100644 --- a/core/hdd/src/wlan_hdd_main.c +++ b/core/hdd/src/wlan_hdd_main.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -4962,6 +4962,12 @@ QDF_STATUS hdd_stop_adapter(hdd_context_t *hdd_ctx, hdd_adapter_t *adapter, wlan_hdd_tdls_exit(adapter); wlan_hdd_cleanup_remain_on_channel_ctx(adapter); hdd_clear_fils_connection_info(adapter); + qdf_ret_status = sme_roam_del_pmkid_from_cache( + hdd_ctx->hHal, + adapter->sessionId, + NULL, true); + if (QDF_IS_STATUS_ERROR(qdf_ret_status)) + hdd_err("Cannot flush PMKIDCache"); #ifdef WLAN_OPEN_SOURCE cancel_work_sync(&adapter->ipv4NotifierWorkQueue); diff --git a/core/sme/src/common/sme_api.c b/core/sme/src/common/sme_api.c index 6beb9d83417d..268a3ff576e7 100644 --- a/core/sme/src/common/sme_api.c +++ b/core/sme/src/common/sme_api.c @@ -18451,8 +18451,10 @@ send_flush_cmd: cds_mq_post_message(QDF_MODULE_ID_WMA, &msg)) { sme_err("Not able to post message to WDA"); - if (pmk_cache) + if (pmk_cache) { + qdf_mem_zero(pmk_cache, sizeof(*pmk_cache)); qdf_mem_free(pmk_cache); + } return QDF_STATUS_E_FAILURE; } diff --git a/core/sme/src/csr/csr_api_roam.c b/core/sme/src/csr/csr_api_roam.c index 211806b3f358..1085a6673104 100644 --- a/core/sme/src/csr/csr_api_roam.c +++ b/core/sme/src/csr/csr_api_roam.c @@ -14789,6 +14789,8 @@ QDF_STATUS csr_roam_del_pmkid_from_cache(tpAniSirGlobal pMac, sizeof(tPmkidCacheInfo) * CSR_MAX_PMKID_ALLOWED); pSession->NumPmkidCache = 0; pSession->curr_cache_idx = 0; + qdf_mem_zero(pSession->psk_pmk, sizeof(pSession->psk_pmk)); + pSession->pmk_len = 0; return QDF_STATUS_SUCCESS; } diff --git a/core/sme/src/csr/csr_util.c b/core/sme/src/csr/csr_util.c index 35e6d015ecbc..f844303e835b 100644 --- a/core/sme/src/csr/csr_util.c +++ b/core/sme/src/csr/csr_util.c @@ -3808,6 +3808,7 @@ uint8_t csr_construct_rsn_ie(tHalHandle hHal, uint32_t sessionId, } else { pPMK->cPMKIDs = 0; } + qdf_mem_zero(&pmkid_cache, sizeof(pmkid_cache)); #ifdef WLAN_FEATURE_11W /* Advertise BIP in group cipher key management only if PMF is diff --git a/core/wma/src/wma_main.c b/core/wma/src/wma_main.c index f15e175e59d1..d9d06e49fb08 100644 --- a/core/wma/src/wma_main.c +++ b/core/wma/src/wma_main.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved. + * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -8325,8 +8325,10 @@ QDF_STATUS wma_mc_process_msg(void *cds_context, cds_msg_t *msg) case SIR_HAL_SET_DEL_PMKID_CACHE: wma_set_del_pmkid_cache(wma_handle, (wmi_pmk_cache *) msg->bodyptr, msg->reserved); - if (msg->bodyptr) + if (msg->bodyptr) { + qdf_mem_zero(msg->bodyptr, sizeof(wmi_pmk_cache)); qdf_mem_free(msg->bodyptr); + } break; case SIR_HAL_HLP_IE_INFO: wma_roam_scan_send_hlp(wma_handle, |