* pull-request: mac80211 2017-10-16 @ 2017-10-16 13:46 ` Johannes Berg 0 siblings, 0 replies; 10+ messages in thread From: Johannes Berg @ 2017-10-16 13:46 UTC (permalink / raw) To: David Miller; +Cc: netdev, linux-wireless Hi Dave, Here's a fix, for a small part of the "KRACK" announced today (krackattacks.com). Please pull and let me know if there's any problem. Thanks, johannes The following changes since commit c0576e3975084d4699b7bfef578613fb8e1144f6: net: call cgroup_sk_alloc() earlier in sk_clone_lock() (2017-10-10 20:24:29 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git tags/mac80211-for-davem-2017-10-16 for you to fetch changes up to fdf7cb4185b60c68e1a75e61691c4afdc15dea0e: mac80211: accept key reinstall without changing anything (2017-10-16 13:02:03 +0200) ---------------------------------------------------------------- Just a single fix, for a WoWLAN-related part of CVE-2017-13080. ---------------------------------------------------------------- Johannes Berg (1): mac80211: accept key reinstall without changing anything net/mac80211/key.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) ^ permalink raw reply [flat|nested] 10+ messages in thread
* pull-request: mac80211 2017-10-16 @ 2017-10-16 13:46 ` Johannes Berg 0 siblings, 0 replies; 10+ messages in thread From: Johannes Berg @ 2017-10-16 13:46 UTC (permalink / raw) To: David Miller Cc: netdev-u79uwXL29TY76Z2rM5mHXA, linux-wireless-u79uwXL29TY76Z2rM5mHXA Hi Dave, Here's a fix, for a small part of the "KRACK" announced today (krackattacks.com). Please pull and let me know if there's any problem. Thanks, johannes The following changes since commit c0576e3975084d4699b7bfef578613fb8e1144f6: net: call cgroup_sk_alloc() earlier in sk_clone_lock() (2017-10-10 20:24:29 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git tags/mac80211-for-davem-2017-10-16 for you to fetch changes up to fdf7cb4185b60c68e1a75e61691c4afdc15dea0e: mac80211: accept key reinstall without changing anything (2017-10-16 13:02:03 +0200) ---------------------------------------------------------------- Just a single fix, for a WoWLAN-related part of CVE-2017-13080. ---------------------------------------------------------------- Johannes Berg (1): mac80211: accept key reinstall without changing anything net/mac80211/key.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: pull-request: mac80211 2017-10-16 2017-10-16 13:46 ` Johannes Berg (?) @ 2017-10-16 20:29 ` David Miller -1 siblings, 0 replies; 10+ messages in thread From: David Miller @ 2017-10-16 20:29 UTC (permalink / raw) To: johannes; +Cc: netdev, linux-wireless From: Johannes Berg <johannes@sipsolutions.net> Date: Mon, 16 Oct 2017 15:46:17 +0200 > Here's a fix, for a small part of the "KRACK" announced today > (krackattacks.com). > > Please pull and let me know if there's any problem. Pulled. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: pull-request: mac80211 2017-10-16 2017-10-16 13:46 ` Johannes Berg (?) (?) @ 2017-10-16 23:30 ` Jason A. Donenfeld 2017-10-17 5:46 ` Johannes Berg -1 siblings, 1 reply; 10+ messages in thread From: Jason A. Donenfeld @ 2017-10-16 23:30 UTC (permalink / raw) To: Johannes Berg; +Cc: David Miller, netdev, linux-wireless Mobile phone right now, so not able to write patch, but you probably should be using crypto_memneq for comparing those two keys, not memcmp. Jason ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: pull-request: mac80211 2017-10-16 @ 2017-10-17 5:46 ` Johannes Berg 0 siblings, 0 replies; 10+ messages in thread From: Johannes Berg @ 2017-10-17 5:46 UTC (permalink / raw) To: Jason A. Donenfeld; +Cc: David Miller, netdev, linux-wireless On Tue, 2017-10-17 at 01:30 +0200, Jason A. Donenfeld wrote: > Mobile phone right now, so not able to write patch, but you probably > should be using crypto_memneq for comparing those two keys, not > memcmp. I know that's a gut instinct, but I really don't see the point. If you actually get this to evaluate to "equal", you're already being attacked, and the attacker already knows they're trying to get the same key to be installed again. If it's not equal, you execute so much code beneath, going to the driver etc., that I'd think this particular time is in the noise. Also, this isn't something that the attacker can directly observe anyway, and if they can, then surely the fact that we *skip* a large amount of code when returning 0 is also observable. Besides, the only thing that can observe the timing is hostapd or wpa_supplicant, which obviously know the key (and in the fixed versions will already have done the comparison themselves). And lastly, if you wanted to use this as an oracle to get the key back from the kernel, then you already have admin permissions (in your network namespace), and can just sniff netlink traffic anyway. johannes ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: pull-request: mac80211 2017-10-16 @ 2017-10-17 5:46 ` Johannes Berg 0 siblings, 0 replies; 10+ messages in thread From: Johannes Berg @ 2017-10-17 5:46 UTC (permalink / raw) To: Jason A. Donenfeld Cc: David Miller, netdev-u79uwXL29TY76Z2rM5mHXA, linux-wireless-u79uwXL29TY76Z2rM5mHXA On Tue, 2017-10-17 at 01:30 +0200, Jason A. Donenfeld wrote: > Mobile phone right now, so not able to write patch, but you probably > should be using crypto_memneq for comparing those two keys, not > memcmp. I know that's a gut instinct, but I really don't see the point. If you actually get this to evaluate to "equal", you're already being attacked, and the attacker already knows they're trying to get the same key to be installed again. If it's not equal, you execute so much code beneath, going to the driver etc., that I'd think this particular time is in the noise. Also, this isn't something that the attacker can directly observe anyway, and if they can, then surely the fact that we *skip* a large amount of code when returning 0 is also observable. Besides, the only thing that can observe the timing is hostapd or wpa_supplicant, which obviously know the key (and in the fixed versions will already have done the comparison themselves). And lastly, if you wanted to use this as an oracle to get the key back from the kernel, then you already have admin permissions (in your network namespace), and can just sniff netlink traffic anyway. johannes ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: pull-request: mac80211 2017-10-16 2017-10-17 5:46 ` Johannes Berg (?) @ 2017-10-17 18:21 ` Jason A. Donenfeld 2017-10-17 18:32 ` Jason A. Donenfeld -1 siblings, 1 reply; 10+ messages in thread From: Jason A. Donenfeld @ 2017-10-17 18:21 UTC (permalink / raw) To: Johannes Berg; +Cc: David Miller, Netdev, linux-wireless On Tue, Oct 17, 2017 at 7:46 AM, Johannes Berg <johannes@sipsolutions.net> wrote: > If it's not equal, you execute so much code > beneath, going to the driver etc., that I'd think this particular time > is in the noise. Usually presumptions like this get you in trouble when some crafty academic has a smart idea about that noise. I'll send a patch. ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH] mac80211: use constant time comparison with keys @ 2017-10-17 18:32 ` Jason A. Donenfeld 0 siblings, 0 replies; 10+ messages in thread From: Jason A. Donenfeld @ 2017-10-17 18:32 UTC (permalink / raw) To: Johannes Berg, David Miller, netdev, linux-wireless; +Cc: Jason A. Donenfeld Otherwise we risk leaking information via timing side channel. Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> --- net/mac80211/key.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/mac80211/key.c b/net/mac80211/key.c index ae995c8480db..035d16fe926e 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -19,6 +19,7 @@ #include <linux/slab.h> #include <linux/export.h> #include <net/mac80211.h> +#include <crypto/algapi.h> #include <asm/unaligned.h> #include "ieee80211_i.h" #include "driver-ops.h" @@ -635,7 +636,7 @@ int ieee80211_key_link(struct ieee80211_key *key, * new version of the key to avoid nonce reuse or replay issues. */ if (old_key && key->conf.keylen == old_key->conf.keylen && - !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { + !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) { ieee80211_key_free_unused(key); ret = 0; goto out; -- 2.14.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH] mac80211: use constant time comparison with keys @ 2017-10-17 18:32 ` Jason A. Donenfeld 0 siblings, 0 replies; 10+ messages in thread From: Jason A. Donenfeld @ 2017-10-17 18:32 UTC (permalink / raw) To: Johannes Berg, David Miller, netdev-u79uwXL29TY76Z2rM5mHXA, linux-wireless-u79uwXL29TY76Z2rM5mHXA Cc: Jason A. Donenfeld Otherwise we risk leaking information via timing side channel. Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") Signed-off-by: Jason A. Donenfeld <Jason-OnJsPKxuuEcAvxtiuMwx3w@public.gmane.org> --- net/mac80211/key.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/mac80211/key.c b/net/mac80211/key.c index ae995c8480db..035d16fe926e 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -19,6 +19,7 @@ #include <linux/slab.h> #include <linux/export.h> #include <net/mac80211.h> +#include <crypto/algapi.h> #include <asm/unaligned.h> #include "ieee80211_i.h" #include "driver-ops.h" @@ -635,7 +636,7 @@ int ieee80211_key_link(struct ieee80211_key *key, * new version of the key to avoid nonce reuse or replay issues. */ if (old_key && key->conf.keylen == old_key->conf.keylen && - !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { + !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) { ieee80211_key_free_unused(key); ret = 0; goto out; -- 2.14.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] mac80211: use constant time comparison with keys 2017-10-17 18:32 ` Jason A. Donenfeld (?) @ 2017-10-18 10:17 ` Johannes Berg -1 siblings, 0 replies; 10+ messages in thread From: Johannes Berg @ 2017-10-18 10:17 UTC (permalink / raw) To: Jason A. Donenfeld, David Miller, netdev, linux-wireless On Tue, 2017-10-17 at 20:32 +0200, Jason A. Donenfeld wrote: > Otherwise we risk leaking information via timing side channel. > Applied. johannes ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2017-10-18 10:17 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-10-16 13:46 pull-request: mac80211 2017-10-16 Johannes Berg 2017-10-16 13:46 ` Johannes Berg 2017-10-16 20:29 ` David Miller 2017-10-16 23:30 ` Jason A. Donenfeld 2017-10-17 5:46 ` Johannes Berg 2017-10-17 5:46 ` Johannes Berg 2017-10-17 18:21 ` Jason A. Donenfeld 2017-10-17 18:32 ` [PATCH] mac80211: use constant time comparison with keys Jason A. Donenfeld 2017-10-17 18:32 ` Jason A. Donenfeld 2017-10-18 10:17 ` Johannes Berg
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.