* CVE-2020-3702: Firmware updates for ath9k and ath10k chips
@ 2020-08-10 9:01 Pali Rohár
2020-08-12 8:36 ` Pali Rohár
2020-08-17 9:58 ` Kalle Valo
0 siblings, 2 replies; 12+ messages in thread
From: Pali Rohár @ 2020-08-10 9:01 UTC (permalink / raw)
To: ath10k, ath9k-devel, linux-wireless, Kalle Valo
Hello!
ESET engineers on their blog published some information about new
security vulnerability CVE-2020-3702 in ath9k wifi cards:
https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/
According to Qualcomm security bulletin this CVE-2020-3702 affects also
some Qualcomm IPQ chips which are handled by ath10k driver:
https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702
Kalle, could you or other people from Qualcomm provide updated and fixed
version of ath9k and ath10k firmwares in linux-firmware git repository?
According to Qualcomm security bulletin this issue has Critical security
rating, so I think fixed firmware files should be updated also in stable
releases of linux distributions.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips
2020-08-10 9:01 CVE-2020-3702: Firmware updates for ath9k and ath10k chips Pali Rohár
@ 2020-08-12 8:36 ` Pali Rohár
2020-08-12 9:17 ` Toke Høiland-Jørgensen
2020-08-17 9:58 ` Kalle Valo
1 sibling, 1 reply; 12+ messages in thread
From: Pali Rohár @ 2020-08-12 8:36 UTC (permalink / raw)
To: ath10k, ath9k-devel, linux-wireless, Kalle Valo
On Monday 10 August 2020 11:01:26 Pali Rohár wrote:
> Hello!
>
> ESET engineers on their blog published some information about new
> security vulnerability CVE-2020-3702 in ath9k wifi cards:
> https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/
>
> According to Qualcomm security bulletin this CVE-2020-3702 affects also
> some Qualcomm IPQ chips which are handled by ath10k driver:
> https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702
>
> Kalle, could you or other people from Qualcomm provide updated and fixed
> version of ath9k and ath10k firmwares in linux-firmware git repository?
>
> According to Qualcomm security bulletin this issue has Critical security
> rating, so I think fixed firmware files should be updated also in stable
> releases of linux distributions.
Hello!
Qualcomm has already sent following statement to media:
Qualcomm has already made mitigations available to OEMs in May 2020,
and we encourage end users to update their devices as patches have
become available from OEMs.
And based on information from ESET blog post, Qualcomm's proprietary
driver for these wifi cards is fixed since Qualcomm July release.
Could somebody react and provide some details when fixes would be
available for ath9k and ath10k Linux drivers? And what is current state
of this issue for Linux?
I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see
there any change which could be related to CVE-2020-3702.
Based on ESET tests, wifi cards which use ath9k driver (opensource, not
that Qualcomm proprietary) are still vulnerable.
[1] - https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/ath10k
[2] - https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/log/drivers/net/wireless/ath/ath10k?h=master-pending
[3] - https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/log/drivers/net/wireless/ath/ath9k?h=master-pending
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips
2020-08-12 8:36 ` Pali Rohár
@ 2020-08-12 9:17 ` Toke Høiland-Jørgensen
2020-08-12 9:23 ` Jouni Malinen
2020-08-12 9:31 ` Pali Rohár
0 siblings, 2 replies; 12+ messages in thread
From: Toke Høiland-Jørgensen @ 2020-08-12 9:17 UTC (permalink / raw)
To: Pali Rohár, ath10k, ath9k-devel, linux-wireless, Kalle Valo
Pali Rohár <pali@kernel.org> writes:
> On Monday 10 August 2020 11:01:26 Pali Rohár wrote:
>> Hello!
>>
>> ESET engineers on their blog published some information about new
>> security vulnerability CVE-2020-3702 in ath9k wifi cards:
>> https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/
>>
>> According to Qualcomm security bulletin this CVE-2020-3702 affects also
>> some Qualcomm IPQ chips which are handled by ath10k driver:
>> https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702
>>
>> Kalle, could you or other people from Qualcomm provide updated and fixed
>> version of ath9k and ath10k firmwares in linux-firmware git repository?
>>
>> According to Qualcomm security bulletin this issue has Critical security
>> rating, so I think fixed firmware files should be updated also in stable
>> releases of linux distributions.
>
> Hello!
>
> Qualcomm has already sent following statement to media:
>
> Qualcomm has already made mitigations available to OEMs in May 2020,
> and we encourage end users to update their devices as patches have
> become available from OEMs.
>
> And based on information from ESET blog post, Qualcomm's proprietary
> driver for these wifi cards is fixed since Qualcomm July release.
>
> Could somebody react and provide some details when fixes would be
> available for ath9k and ath10k Linux drivers? And what is current state
> of this issue for Linux?
>
> I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see
> there any change which could be related to CVE-2020-3702.
How about these, from March:
a0761a301746 ("mac80211: drop data frames without key on encrypted links")
ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
b16798f5b907 ("mac80211: mark station unauthorized before key removal")
-Toke
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips
2020-08-12 9:17 ` Toke Høiland-Jørgensen
@ 2020-08-12 9:23 ` Jouni Malinen
2020-08-12 9:32 ` Michał Kazior
2020-10-07 8:25 ` Pali Rohár
2020-08-12 9:31 ` Pali Rohár
1 sibling, 2 replies; 12+ messages in thread
From: Jouni Malinen @ 2020-08-12 9:23 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: Pali Rohár, ath10k, ath9k-devel, linux-wireless, Kalle Valo
On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote:
> Pali Rohár <pali@kernel.org> writes:
> > Could somebody react and provide some details when fixes would be
> > available for ath9k and ath10k Linux drivers? And what is current state
> > of this issue for Linux?
> >
> > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see
> > there any change which could be related to CVE-2020-3702.
>
> How about these, from March:
>
> a0761a301746 ("mac80211: drop data frames without key on encrypted links")
> ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
> b16798f5b907 ("mac80211: mark station unauthorized before key removal")
Those cover most of the identified issues for drivers using mac80211
(e.g., ath9k and ath10k; though, I don't remember whether I actually
ever managed to reproduce this with ath10k in practice). I have couple
of additional ath9k-specific patches that cover additional lower layer
paths for this. I hope to get those out after confirming they work with
the current kernel tree snapshot.
--
Jouni Malinen PGP id EFC895FA
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips
2020-08-12 9:23 ` Jouni Malinen
@ 2020-08-12 9:32 ` Michał Kazior
2020-10-07 8:25 ` Pali Rohár
1 sibling, 0 replies; 12+ messages in thread
From: Michał Kazior @ 2020-08-12 9:32 UTC (permalink / raw)
To: Jouni Malinen
Cc: Toke Høiland-Jørgensen, Pali Rohár, ath10k,
ath9k-devel, linux-wireless, Kalle Valo
On Wed, 12 Aug 2020 at 11:26, Jouni Malinen <j@w1.fi> wrote:
>
> On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote:
> > Pali Rohár <pali@kernel.org> writes:
> > > Could somebody react and provide some details when fixes would be
> > > available for ath9k and ath10k Linux drivers? And what is current state
> > > of this issue for Linux?
> > >
> > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see
> > > there any change which could be related to CVE-2020-3702.
> >
> > How about these, from March:
> >
> > a0761a301746 ("mac80211: drop data frames without key on encrypted links")
> > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
> > b16798f5b907 ("mac80211: mark station unauthorized before key removal")
>
> Those cover most of the identified issues for drivers using mac80211
> (e.g., ath9k and ath10k; though, I don't remember whether I actually
> ever managed to reproduce this with ath10k in practice). I have couple
> of additional ath9k-specific patches that cover additional lower layer
> paths for this. I hope to get those out after confirming they work with
> the current kernel tree snapshot.
As far as I understand the problem can manifest on partial in-hw ampdu
retransmits if a key was removed in between. Not exactly an easy thing
to reproduce. The actual drivers (ath9k, ath10k) or their microcodes
may need to be fixed as well since mac80211 can only do so much.
Michal
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips
2020-08-12 9:23 ` Jouni Malinen
2020-08-12 9:32 ` Michał Kazior
@ 2020-10-07 8:25 ` Pali Rohár
2020-12-07 14:04 ` Pali Rohár
1 sibling, 1 reply; 12+ messages in thread
From: Pali Rohár @ 2020-10-07 8:25 UTC (permalink / raw)
To: Jouni Malinen
Cc: Toke Høiland-Jørgensen, ath10k, ath9k-devel,
linux-wireless, Kalle Valo
On Wednesday 12 August 2020 12:23:34 Jouni Malinen wrote:
> On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote:
> > Pali Rohár <pali@kernel.org> writes:
> > > Could somebody react and provide some details when fixes would be
> > > available for ath9k and ath10k Linux drivers? And what is current state
> > > of this issue for Linux?
> > >
> > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see
> > > there any change which could be related to CVE-2020-3702.
> >
> > How about these, from March:
> >
> > a0761a301746 ("mac80211: drop data frames without key on encrypted links")
> > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
> > b16798f5b907 ("mac80211: mark station unauthorized before key removal")
>
> Those cover most of the identified issues for drivers using mac80211
> (e.g., ath9k and ath10k; though, I don't remember whether I actually
> ever managed to reproduce this with ath10k in practice). I have couple
> of additional ath9k-specific patches that cover additional lower layer
> paths for this. I hope to get those out after confirming they work with
> the current kernel tree snapshot.
Hello! Could you please share your ath9k patches which address this issue?
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips
2020-10-07 8:25 ` Pali Rohár
@ 2020-12-07 14:04 ` Pali Rohár
2020-12-14 17:41 ` Jouni Malinen
0 siblings, 1 reply; 12+ messages in thread
From: Pali Rohár @ 2020-12-07 14:04 UTC (permalink / raw)
To: Jouni Malinen
Cc: Toke Høiland-Jørgensen, ath10k, ath9k-devel,
linux-wireless, Kalle Valo
On Wednesday 07 October 2020 10:25:02 Pali Rohár wrote:
> On Wednesday 12 August 2020 12:23:34 Jouni Malinen wrote:
> > On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote:
> > > Pali Rohár <pali@kernel.org> writes:
> > > > Could somebody react and provide some details when fixes would be
> > > > available for ath9k and ath10k Linux drivers? And what is current state
> > > > of this issue for Linux?
> > > >
> > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see
> > > > there any change which could be related to CVE-2020-3702.
> > >
> > > How about these, from March:
> > >
> > > a0761a301746 ("mac80211: drop data frames without key on encrypted links")
> > > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
> > > b16798f5b907 ("mac80211: mark station unauthorized before key removal")
> >
> > Those cover most of the identified issues for drivers using mac80211
> > (e.g., ath9k and ath10k; though, I don't remember whether I actually
> > ever managed to reproduce this with ath10k in practice). I have couple
> > of additional ath9k-specific patches that cover additional lower layer
> > paths for this. I hope to get those out after confirming they work with
> > the current kernel tree snapshot.
>
> Hello! Could you please share your ath9k patches which address this issue?
Hello! Has somebody fixes this security issue in ath9k driver? About
4 months passed and if this issue is not fixed, could you please share
at least incomplete / WIP patches? I would like to look at it and have
this issue finally fixed.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips
2020-08-12 9:17 ` Toke Høiland-Jørgensen
2020-08-12 9:23 ` Jouni Malinen
@ 2020-08-12 9:31 ` Pali Rohár
1 sibling, 0 replies; 12+ messages in thread
From: Pali Rohár @ 2020-08-12 9:31 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: ath10k, ath9k-devel, linux-wireless, Kalle Valo
On Wednesday 12 August 2020 11:17:47 Toke Høiland-Jørgensen wrote:
> Pali Rohár <pali@kernel.org> writes:
>
> > On Monday 10 August 2020 11:01:26 Pali Rohár wrote:
> >> Hello!
> >>
> >> ESET engineers on their blog published some information about new
> >> security vulnerability CVE-2020-3702 in ath9k wifi cards:
> >> https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/
> >>
> >> According to Qualcomm security bulletin this CVE-2020-3702 affects also
> >> some Qualcomm IPQ chips which are handled by ath10k driver:
> >> https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702
> >>
> >> Kalle, could you or other people from Qualcomm provide updated and fixed
> >> version of ath9k and ath10k firmwares in linux-firmware git repository?
> >>
> >> According to Qualcomm security bulletin this issue has Critical security
> >> rating, so I think fixed firmware files should be updated also in stable
> >> releases of linux distributions.
> >
> > Hello!
> >
> > Qualcomm has already sent following statement to media:
> >
> > Qualcomm has already made mitigations available to OEMs in May 2020,
> > and we encourage end users to update their devices as patches have
> > become available from OEMs.
> >
> > And based on information from ESET blog post, Qualcomm's proprietary
> > driver for these wifi cards is fixed since Qualcomm July release.
> >
> > Could somebody react and provide some details when fixes would be
> > available for ath9k and ath10k Linux drivers? And what is current state
> > of this issue for Linux?
> >
> > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see
> > there any change which could be related to CVE-2020-3702.
>
> How about these, from March:
>
> a0761a301746 ("mac80211: drop data frames without key on encrypted links")
> ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
> b16798f5b907 ("mac80211: mark station unauthorized before key removal")
Thank you for update! I will look at these commits if they are relevant.
Because ESET wrote that problem is in ath9k driver I have not looked at
mac80211 layer code.
> -Toke
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips
2020-08-10 9:01 CVE-2020-3702: Firmware updates for ath9k and ath10k chips Pali Rohár
2020-08-12 8:36 ` Pali Rohár
@ 2020-08-17 9:58 ` Kalle Valo
2020-08-17 10:36 ` Pali Rohár
1 sibling, 1 reply; 12+ messages in thread
From: Kalle Valo @ 2020-08-17 9:58 UTC (permalink / raw)
To: Pali Rohár; +Cc: ath10k, ath9k-devel, linux-wireless
Pali Rohár <pali@kernel.org> writes:
> ESET engineers on their blog published some information about new
> security vulnerability CVE-2020-3702 in ath9k wifi cards:
> https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/
>
> According to Qualcomm security bulletin this CVE-2020-3702 affects also
> some Qualcomm IPQ chips which are handled by ath10k driver:
> https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702
I can't find any refererences to ath10k, or hardware with ath10k
chipsets, in the links above. Where did you see it?
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2020-12-17 9:36 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-10 9:01 CVE-2020-3702: Firmware updates for ath9k and ath10k chips Pali Rohár
2020-08-12 8:36 ` Pali Rohár
2020-08-12 9:17 ` Toke Høiland-Jørgensen
2020-08-12 9:23 ` Jouni Malinen
2020-08-12 9:32 ` Michał Kazior
2020-10-07 8:25 ` Pali Rohár
2020-12-07 14:04 ` Pali Rohár
2020-12-14 17:41 ` Jouni Malinen
2020-12-17 9:35 ` Pali Rohár
2020-08-12 9:31 ` Pali Rohár
2020-08-17 9:58 ` Kalle Valo
2020-08-17 10:36 ` Pali Rohár
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).