From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 4.19 018/116] mac80211: prevent attacks on TKIP/WEP as well
Date: Mon, 31 May 2021 15:13:14 +0200
Message-ID: <20210531130640.777596703@linuxfoundation.org>
In-Reply-To: <20210531130640.131924542@linuxfoundation.org>

From: Johannes Berg <johannes.berg@intel.com>

commit 7e44a0b597f04e67eee8cdcbe7ee706c6f5de38b upstream.

Similar to the issues fixed in previous patches, TKIP and WEP
should be protected even if for TKIP we have the Michael MIC
protecting it, and WEP is broken anyway.

However, this also somewhat protects potential other algorithms
that drivers might implement.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210511200110.430e8c202313.Ia37e4e5b6b3eaab1a5ae050e015f6c92859dbe27@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/rx.c       |   12 ++++++++++++
 net/mac80211/sta_info.h |    3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2158,6 +2158,7 @@ ieee80211_rx_h_defragment(struct ieee802
 			 * next fragment has a sequential PN value.
 			 */
 			entry->check_sequential_pn = true;
+			entry->is_protected = true;
 			entry->key_color = rx->key->color;
 			memcpy(entry->last_pn,
 			       rx->key->u.ccmp.rx_pn[queue],
@@ -2170,6 +2171,9 @@ ieee80211_rx_h_defragment(struct ieee802
 				     sizeof(rx->key->u.gcmp.rx_pn[queue]));
 			BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
 				     IEEE80211_GCMP_PN_LEN);
+		} else if (rx->key && ieee80211_has_protected(fc)) {
+			entry->is_protected = true;
+			entry->key_color = rx->key->color;
 		}
 		return RX_QUEUED;
 	}
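Review bot: the new `else if (rx->key && ieee80211_has_protected(fc))` branch repeats the two assignments `entry->is_protected = true` and `entry->key_color = rx->key->color` that the CCMP/GCMP branch above already makes, so every future cipher branch has to remember to set them too. Consider recording both once for any first fragment that has a key and the Protected bit, and leaving only the PN setup (`check_sequential_pn`, `last_pn`) inside the cipher-specific branch. It would also help to say in a comment that a first fragment with no key or without the Protected bit deliberately leaves `is_protected` clear, since the check added later in this function keys off that flag.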
@@ -2211,6 +2215,14 @@ ieee80211_rx_h_defragment(struct ieee802
 		if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
 			return RX_DROP_UNUSABLE;
 		memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
+	} else if (entry->is_protected &&
+		   (!rx->key || !ieee80211_has_protected(fc) ||
+		    rx->key->color != entry->key_color)) {
+		/* Drop this as a mixed key or fragment cache attack, even
+		 * if for TKIP Michael MIC should protect us, and WEP is a
+		 * lost cause anyway.
+		 */
+		return RX_DROP_UNUSABLE;
 	}
 
 	skb_pull(rx->skb, ieee80211_hdrlen(fc));
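Review bot: the added `else if (entry->is_protected && ...)` test is one-directional: it drops a later fragment only when the cached first fragment was marked protected, so as far as this hunk shows, an entry with `is_protected` clear accepts a later fragment whatever its key or Protected bit is. If that plaintext-first case is rejected by another patch in the series, the comment should name that check; otherwise consider also dropping when `!entry->is_protected` and the current frame has `rx->key` with `ieee80211_has_protected(fc)`. The comment explains why TKIP and WEP are still covered, but not that the comparison is against the key colour stored from the first fragment, which is the part a reader needs to follow the condition.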
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -429,7 +429,8 @@ struct ieee80211_fragment_entry {
 	u16 extra_len;
 	u16 last_frag;
 	u8 rx_queue;
-	bool check_sequential_pn; /* needed for CCMP/GCMP */
+	u8 check_sequential_pn:1, /* needed for CCMP/GCMP */
+	   is_protected:1;
 	u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
 	unsigned int key_color;
 };
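Review bot: `is_protected:1` in `struct ieee80211_fragment_entry` is added without a comment, while `check_sequential_pn` next to it keeps its `/* needed for CCMP/GCMP */` note. A short comment stating that it records whether the first fragment was received protected with a key, and that `key_color` is only meaningful when it is set, would document the invariant the rx.c check depends on. The `last_pn` comment still says "if CCMP was used" although the rx.c hunk shows it being filled for GCMP as well, so it could be updated in the same place.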


