From: "Zhengyejian (Zetta)" <zhengyejian1@huawei.com>
To: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	"johannes.berg@intel.com" <johannes.berg@intel.com>
Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	yuehaibing <yuehaibing@huawei.com>,
	Zhangjinhao <zhangjinhao2@huawei.com>
Subject: Re: [RFC PATCH 4.4] mac80211: fix handling A-MSDUs that start with an RFC 1042 header
Date: Mon, 19 Jul 2021 09:32:33 +0000	[thread overview]
Message-ID: <dafba7c92a8b434fb5f1644d379af4fd@huawei.com> (raw)

On 7/17/21 19:55, Mathy Vanhoef wrote:
> On 7/16/21 11:11 AM, Zheng Yejian wrote:
> > In v4.4, commit e76511a6fbb5 ("mac80211: properly handle A-MSDUs that
> > start with an RFC 1042 header") looks like an incomplete backport.
> >
> > There is no functional changes in the commit, since
> > __ieee80211_data_to_8023() which defined in net/wireless/util.c is
> > only called by ieee80211_data_to_8023() and parameter 'is_amsdu' is
> > always input as false.
> 
> I don't think there's a problem here. The core commit that prevents the
> A-MSDU attack is "[PATCH 04/18] cfg80211: mitigate A-MSDU aggregation
> attacks":
> https://lore.kernel.org/linux-wireless/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid/
> 
> That commit states: "for kernel 4.9 and above this patch depends on
> "mac80211: properly handle A-MSDUs that start with a rfc1042 header".
> Otherwise this patch has no impact and attacks will remain possible."
> 
> Put differently, when patching v4.4 there was in fact no need to
> backport the patch that we're discussing here. So it makes sense that
> the "backported" patch causes no functional changes.
> 
> Section 3.6 of https://papers.mathyvanhoef.com/usenix2021.pdf briefly
> discusses the wrong behavior of Linux 4.9+ that this patch tries to fix:
> "Linux 4.9 and above .. strip away the first 8 bytes of an A-MSDU frame
> if these bytes look like a valid LLC/SNAP header, and then further
> process the frame. This behavior is not compliant with the 802.11 standard."
> 

How about Linux versions below 4.9, are they compliant with the 802.11 standard or not?
Would they need additional patches to mitigate the aggregation attack?
I know little about the 802.11 standard, sorry for that : (

> That said, I didn't yet run the test tool against a patched 4.4 kernel,
> so I hope my understanding of this code in this version is correct.
> 
> Best regards,
> Mathy

Thanks,
Zheng Yejian
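
The behaviour Mathy quotes from Section 3.6 (a receiver stripping the first 8 bytes of an A-MSDU when they look like a valid LLC/SNAP header) is easiest to reason about with a concrete walker over the subframe layout. The following C program is an added example, not code from the kernel, from the cited patches or from anyone in this thread. It assumes the standard A-MSDU subframe format (DA, SA, 2-byte big-endian length, MSDU, 4-byte padding except on the last subframe) and flags, rather than strips, any subframe whose DA bytes equal the RFC 1042 prefix AA:AA:03:00:00:00, so that a parser or dissector can reject or log such frames instead of reinterpreting them. Both sample buffers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1042 LLC/SNAP prefix: DSAP 0xAA, SSAP 0xAA, control 0x03, OUI 00:00:00.
 * A complete LLC/SNAP header is this prefix followed by a 2-byte EtherType. */
static const uint8_t rfc1042_prefix[6] = { 0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00 };

/* True when the leading 8 bytes of buf would pass as a complete LLC/SNAP header. */
bool looks_like_rfc1042(const uint8_t *buf, size_t len)
{
    return len >= 8 && memcmp(buf, rfc1042_prefix, sizeof rfc1042_prefix) == 0;
}

/* Walk the A-MSDU subframes: each is DA(6) SA(6) length(2, big-endian) MSDU,
 * padded to a 4-byte boundary except for the last one.
 * Returns the subframe count, or -1 for a malformed A-MSDU. Writes into
 * *flagged how many subframes have a DA equal to the RFC 1042 prefix. */
int amsdu_walk(const uint8_t *amsdu, size_t len, int *flagged)
{
    size_t off = 0;
    int count = 0;

    *flagged = 0;
    while (off < len) {
        const uint8_t *sub = amsdu + off;
        size_t remaining = len - off;
        uint16_t msdu_len;
        size_t sub_len, pad;

        if (remaining < 14)
            return -1;                          /* truncated subframe header */
        msdu_len = (uint16_t)((sub[12] << 8) | sub[13]);
        sub_len = 14 + msdu_len;
        if (sub_len > remaining)
            return -1;                          /* length field overruns the buffer */

        /* A DA of AA:AA:03:00:00:00 means the subframe start also reads as an
         * LLC/SNAP header; record it rather than stripping those bytes. */
        if (memcmp(sub, rfc1042_prefix, sizeof rfc1042_prefix) == 0)
            (*flagged)++;
        count++;

        pad = (4 - (sub_len & 3)) & 3;
        if (sub_len + pad >= remaining)
            break;                              /* last subframe carries no padding */
        off += sub_len + pad;
    }
    return count;
}

/* Single-value wrappers around amsdu_walk(). */
int amsdu_subframe_count(const uint8_t *amsdu, size_t len)
{
    int flagged;
    return amsdu_walk(amsdu, len, &flagged);
}

int amsdu_flagged_count(const uint8_t *amsdu, size_t len)
{
    int flagged;
    return amsdu_walk(amsdu, len, &flagged) < 0 ? -1 : flagged;
}

/* Constructed sample: two ordinary subframes, the first padded by 2 bytes. */
const uint8_t benign_amsdu[37] = {
    0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x00,0x04, 'a','b','c','d', 0x00,0x00,
    0x02,0x00,0x00,0x00,0x00,0x03, 0x02,0x00,0x00,0x00,0x00,0x04, 0x00,0x03, 'x','y','z'
};

/* Constructed sample: one subframe whose DA equals the RFC 1042 prefix, so its
 * first 8 bytes (AA AA 03 00 00 00 08 00) also read as an LLC/SNAP header. */
const uint8_t suspicious_amsdu[16] = {
    0xAA,0xAA,0x03,0x00,0x00,0x00, 0x08,0x00,0x00,0x11,0x22,0x33, 0x00,0x02, 0x41,0x42
};

int main(void)
{
    int flagged;
    int n = amsdu_walk(suspicious_amsdu, sizeof suspicious_amsdu, &flagged);

    printf("suspicious: %d subframe(s), %d flagged, leading bytes look like LLC/SNAP: %s\n",
           n, flagged, looks_like_rfc1042(suspicious_amsdu, sizeof suspicious_amsdu) ? "yes" : "no");
    return 0;
}
```

The walker rejects truncated and over-long subframes outright and counts flagged subframes instead of silently consuming 8 bytes, which is the opposite of the non-compliant behaviour the quoted paper describes. A malformed buffer (for instance, fewer than 14 bytes) yields -1 from both wrappers.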
