From: Johannes Berg <johannes@sipsolutions.net>
To: linux-wireless@vger.kernel.org
Cc: stable@vger.kernel.org, Wen Gong <wgong@codeaurora.org>
Subject: [PATCH v4.4 10/10] mac80211: extend protection against mixed key and fragment cache attacks
Date: Mon, 31 May 2021 22:28:34 +0200 [thread overview]
Message-ID: <20210531202834.179810-11-johannes@sipsolutions.net> (raw)
In-Reply-To: <20210531202834.179810-1-johannes@sipsolutions.net>
From: Wen Gong <wgong@codeaurora.org>
commit 3edc6b0d6c061a70d8ca3c3c72eb1f58ce29bfb1 upstream.
For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is
done by the hardware, and the Protected bit in the Frame Control field
is cleared in the lower level driver before the frame is passed to
mac80211. In such cases, the condition for ieee80211_has_protected() is
not met in ieee80211_rx_h_defragment() of mac80211 and the new security
validation steps are not executed.
Extend mac80211 to cover the case where the Protected bit has been
cleared, but the frame is indicated as having been decrypted by the
hardware. This extends protection against mixed key and fragment cache
attack for additional drivers/chips. This fixes CVE-2020-24586 and
CVE-2020-24587 for such cases.
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
Cc: stable@vger.kernel.org
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Link: https://lore.kernel.org/r/20210511200110.037aa5ca0390.I7bb888e2965a0db02a67075fcb5deb50eb7408aa@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/rx.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 1a7267448dc8..ae0fba044cd0 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1842,7 +1842,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
unsigned int frag, seq;
struct ieee80211_fragment_entry *entry;
struct sk_buff *skb;
- struct ieee80211_rx_status *status;
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
hdr = (struct ieee80211_hdr *)rx->skb->data;
fc = hdr->frame_control;
@@ -1901,7 +1901,9 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
sizeof(rx->key->u.gcmp.rx_pn[queue]));
BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
IEEE80211_GCMP_PN_LEN);
- } else if (rx->key && ieee80211_has_protected(fc)) {
+ } else if (rx->key &&
+ (ieee80211_has_protected(fc) ||
+ (status->flag & RX_FLAG_DECRYPTED))) {
entry->is_protected = true;
entry->key_color = rx->key->color;
}
@@ -1946,13 +1948,19 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
return RX_DROP_UNUSABLE;
memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
} else if (entry->is_protected &&
- (!rx->key || !ieee80211_has_protected(fc) ||
+ (!rx->key ||
+ (!ieee80211_has_protected(fc) &&
+ !(status->flag & RX_FLAG_DECRYPTED)) ||
rx->key->color != entry->key_color)) {
/* Drop this as a mixed key or fragment cache attack, even
* if for TKIP Michael MIC should protect us, and WEP is a
* lost cause anyway.
*/
return RX_DROP_UNUSABLE;
+ } else if (entry->is_protected && rx->key &&
+ entry->key_color != rx->key->color &&
+ (status->flag & RX_FLAG_DECRYPTED)) {
+ return RX_DROP_UNUSABLE;
}
skb_pull(rx->skb, ieee80211_hdrlen(fc));
--
2.31.1
next prev parent reply other threads:[~2021-05-31 20:29 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-31 20:28 [PATCH v4.4 00/10] security fixes backports Johannes Berg
2021-05-31 20:28 ` [PATCH v4.4 01/10] mac80211: assure all fragments are encrypted Johannes Berg
2021-05-31 20:28 ` [PATCH v4.4 02/10] mac80211: prevent mixed key and fragment cache attacks Johannes Berg
2021-05-31 20:28 ` [PATCH v4.4 03/10] mac80211: properly handle A-MSDUs that start with an RFC 1042 header Johannes Berg
2021-05-31 20:28 ` [PATCH v4.4 04/10] cfg80211: mitigate A-MSDU aggregation attacks Johannes Berg
2021-05-31 20:28 ` [PATCH v4.4 05/10] mac80211: drop A-MSDUs on old ciphers Johannes Berg
2021-05-31 20:28 ` [PATCH v4.4 06/10] mac80211: add fragment cache to sta_info Johannes Berg
2021-05-31 20:28 ` [PATCH v4.4 07/10] mac80211: check defrag PN against current frame Johannes Berg
2021-05-31 20:28 ` [PATCH v4.4 08/10] mac80211: prevent attacks on TKIP/WEP as well Johannes Berg
2021-05-31 20:28 ` [PATCH v4.4 09/10] mac80211: do not accept/forward invalid EAPOL frames Johannes Berg
2021-05-31 20:28 ` Johannes Berg [this message]
2021-06-01 8:36 ` [PATCH v4.4 00/10] security fixes backports Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210531202834.179810-11-johannes@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=wgong@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.