From: "Michał Kazior" <kazikcz@gmail.com>
To: Jouni Malinen <j@w1.fi>
Cc: "Toke Høiland-Jørgensen" <toke@redhat.com>,
"Pali Rohár" <pali@kernel.org>,
ath10k@lists.infradead.org, ath9k-devel@qca.qualcomm.com,
linux-wireless <linux-wireless@vger.kernel.org>,
"Kalle Valo" <kvalo@codeaurora.org>
Subject: Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips
Date: Wed, 12 Aug 2020 11:32:16 +0200
Message-ID: <CABvG-CVvPF++0vuGzCrBj8+s=Bcx1GwWfiW1_Somu_GVncTAcQ@mail.gmail.com>
In-Reply-To: <20200812092334.GA17878@w1.fi>
On Wed, 12 Aug 2020 at 11:26, Jouni Malinen <j@w1.fi> wrote:
>
> On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote:
> > Pali Rohár <pali@kernel.org> writes:
> > > Could somebody react and provide some details when fixes would be
> > > available for ath9k and ath10k Linux drivers? And what is current state
> > > of this issue for Linux?
> > >
> > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see
> > > there any change which could be related to CVE-2020-3702.
> >
> > How about these, from March:
> >
> > a0761a301746 ("mac80211: drop data frames without key on encrypted links")
> > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
> > b16798f5b907 ("mac80211: mark station unauthorized before key removal")
>
> Those cover most of the identified issues for drivers using mac80211
> (e.g., ath9k and ath10k; though, I don't remember whether I actually
> ever managed to reproduce this with ath10k in practice). I have a couple
> of additional ath9k-specific patches that cover additional lower layer
> paths for this. I hope to get those out after confirming they work with
> the current kernel tree snapshot.

As far as I understand the problem can manifest on partial in-hw ampdu
retransmits if a key was removed in between. Not exactly an easy thing
to reproduce. The actual drivers (ath9k, ath10k) or their microcodes
may need to be fixed as well since mac80211 can only do so much.

Michal