From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
To: Zheng Yejian <zhengyejian1@huawei.com>,
	gregkh@linuxfoundation.org, johannes.berg@intel.com
Cc: stable@vger.kernel.org, yuehaibing@huawei.com, zhangjinhao2@huawei.com
Subject: Re: [RFC PATCH 4.4] mac80211: fix handling A-MSDUs that start with an RFC 1042 header
Date: Sat, 17 Jul 2021 15:54:36 +0400
Message-ID: <7272a9da-8cff-a815-963c-a36fc025eda5@kuleuven.be>
In-Reply-To: <20210716071126.672549-1-zhengyejian1@huawei.com>

On 7/16/21 11:11 AM, Zheng Yejian wrote:
> In v4.4, commit e76511a6fbb5 ("mac80211: properly handle A-MSDUs that
> start with an RFC 1042 header") looks like an incomplete backport.
> 
> There are no functional changes in the commit, since
> __ieee80211_data_to_8023(), which is defined in net/wireless/util.c, is
> only called by ieee80211_data_to_8023() and parameter 'is_amsdu' is
> always passed as false.

I don't think there's a problem here. The core commit that prevents the
A-MSDU attack is "[PATCH 04/18] cfg80211: mitigate A-MSDU aggregation
attacks":
https://lore.kernel.org/linux-wireless/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid/

That commit states: "for kernel 4.9 and above this patch depends on
"mac80211: properly handle A-MSDUs that start with a rfc1042 header".
Otherwise this patch has no impact and attacks will remain possible."

Put differently, when patching v4.4 there was in fact no need to
backport the patch that we're discussing here. So it makes sense that
the "backported" patch causes no functional changes.

Section 3.6 of https://papers.mathyvanhoef.com/usenix2021.pdf briefly
discusses the wrong behavior of Linux 4.9+ that this patch tries to fix:
"Linux 4.9 and above .. strip away the first 8 bytes of an A-MSDU frame
if these bytes look like a valid LLC/SNAP header, and then further
process the frame. This behavior is not compliant with the 802.11 standard."

That said, I didn't yet run the test tool against a patched 4.4 kernel,
so I hope my understanding of this code in this version is correct.

Best regards,
Mathy
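To make the cited behaviour concrete, here is an added illustration (not code from this thread, the paper, or the kernel): a standard-compliant A-MSDU subframe walker next to a simplified model of the "strip the first 8 bytes if they look like an LLC/SNAP header" behaviour the paper attributes to Linux 4.9+. The model is an assumption for illustration, not the mac80211 implementation, and the sample A-MSDU is constructed inline. A compliant receiver keeps the subframe boundaries intact; the stripping variant starts parsing 8 bytes into the first subframe, so every following boundary is misread.

```python
import struct

# RFC 1042 LLC/SNAP encapsulation: DSAP=0xAA, SSAP=0xAA, CTRL=0x03, OUI=00:00:00,
# followed by a 2-byte EtherType (8 bytes in total).
RFC1042_PREFIX = bytes.fromhex("aaaa03000000")


def looks_like_rfc1042(data: bytes) -> bool:
    """True when the first 8 bytes could be an RFC 1042 LLC/SNAP header."""
    return len(data) >= 8 and data[:6] == RFC1042_PREFIX


def build_amsdu(subframes):
    """Assemble an A-MSDU payload from (DA, SA, MSDU) triples as 802.11 lays
    it out: DA(6) SA(6) Length(2, big-endian) MSDU, every subframe except
    the last padded to a 4-byte boundary."""
    out = bytearray()
    for i, (da, sa, msdu) in enumerate(subframes):
        sub = da + sa + struct.pack(">H", len(msdu)) + msdu
        if i != len(subframes) - 1:
            sub += b"\x00" * (-len(sub) % 4)
        out += sub
    return bytes(out)


def parse_amsdu(payload: bytes):
    """Standard-compliant parse: walk the subframe chain from byte 0.
    Returns a list of (DA, SA, MSDU); raises ValueError on a malformed chain."""
    subframes = []
    off = 0
    while off < len(payload):
        if len(payload) - off < 14:
            raise ValueError("truncated subframe header at offset %d" % off)
        da = payload[off:off + 6]
        sa = payload[off + 6:off + 12]
        (length,) = struct.unpack(">H", payload[off + 12:off + 14])
        end = off + 14 + length
        if end > len(payload):
            raise ValueError("subframe length %d overruns payload at offset %d"
                             % (length, off))
        subframes.append((da, sa, payload[off + 14:end]))
        off = end
        if off < len(payload):      # skip padding, except after the last subframe
            off += -(14 + length) % 4
    return subframes


def strip_then_parse(payload: bytes):
    """Simplified model (an assumption here, not the kernel's code) of the
    non-compliant behaviour the paper describes for Linux 4.9+: drop the
    leading 8 bytes when they look like an LLC/SNAP header, then parse.
    Returns the subframe list, or None when the misaligned parse fails."""
    if looks_like_rfc1042(payload):
        payload = payload[8:]
    try:
        return parse_amsdu(payload)
    except ValueError:
        return None


# Constructed sample: the first subframe's DA happens to begin with the
# RFC 1042 prefix, so the A-MSDU as a whole "looks like" it starts with
# an LLC/SNAP header even though it is an ordinary subframe chain.
SAMPLE_AMSDU = build_amsdu([
    (bytes.fromhex("aaaa03000000"), bytes.fromhex("080000000001"), b"hello"),
    (bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb"), b"world!"),
])

if __name__ == "__main__":
    print("looks like RFC 1042:", looks_like_rfc1042(SAMPLE_AMSDU))
    print("compliant parse:", parse_amsdu(SAMPLE_AMSDU))
    print("strip-first-8 parse:", strip_then_parse(SAMPLE_AMSDU))
```

On the sample, the compliant walker returns both subframes unchanged, while the stripping variant reads the bytes "02 00" of the second DA as a 512-byte length field and fails; on other inputs it would instead return subframes with the wrong DA, SA and payload, which is the divergence from the standard that the patch series addresses. The `looks_like_rfc1042` check is also the natural place for a receiver-side counter: an A-MSDU whose leading bytes match the prefix is legal but unusual, and logging it is a cheap way to see whether a deployment encounters such frames.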
