From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg
Subject: [PATCH 5.10 030/252] mac80211: prevent attacks on TKIP/WEP as well
Date: Mon, 31 May 2021 15:11:35 +0200
Message-Id: <20210531130659.005193399@linuxfoundation.org>

From: Johannes Berg

commit 7e44a0b597f04e67eee8cdcbe7ee706c6f5de38b upstream.

Similar to the issues fixed in previous patches, TKIP and WEP should be protected even if for TKIP we have the Michael MIC protecting it, and WEP is broken anyway.

However, this also somewhat protects potential other algorithms that drivers might implement.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210511200110.430e8c202313.Ia37e4e5b6b3eaab1a5ae050e015f6c92859dbe27@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/rx.c | 12 ++++++++++++
 net/mac80211/sta_info.h | 3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)

--- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -2284,6 +2284,7 @@ ieee80211_rx_h_defragment(struct ieee802 * next fragment has a sequential PN value. */ entry->check_sequential_pn = true; + entry->is_protected = true; entry->key_color = rx->key->color; memcpy(entry->last_pn, rx->key->u.ccmp.rx_pn[queue], @@ -2296,6 +2297,9 @@ ieee80211_rx_h_defragment(struct ieee802 sizeof(rx->key->u.gcmp.rx_pn[queue])); BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN != IEEE80211_GCMP_PN_LEN); + } else if (rx->key && ieee80211_has_protected(fc)) { + entry->is_protected = true; + entry->key_color = rx->key->color; } return RX_QUEUED; } 
@@ -2337,6 +2341,14 @@ ieee80211_rx_h_defragment(struct ieee802 if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN)) return RX_DROP_UNUSABLE; memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); + } else if (entry->is_protected && + (!rx->key || !ieee80211_has_protected(fc) || + rx->key->color != entry->key_color)) { + /* Drop this as a mixed key or fragment cache attack, even + * if for TKIP Michael MIC should protect us, and WEP is a + * lost cause anyway. + */ + return RX_DROP_UNUSABLE; } skb_pull(rx->skb, ieee80211_hdrlen(fc)); --- a/net/mac80211/sta_info.h +++ b/net/mac80211/sta_info.h @@ -453,7 +453,8 @@ struct ieee80211_fragment_entry { u16 extra_len; u16 last_frag; u8 rx_queue; - bool check_sequential_pn; /* needed for CCMP/GCMP */ + u8 check_sequential_pn:1, /* needed for CCMP/GCMP */ + is_protected:1; u8 last_pn[6]; /* PN of the last fragment if CCMP was used */ unsigned int key_color; };
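
Review bot: in the first-fragment path of ieee80211_rx_h_defragment (the @@ -2296 hunk, together with the @@ -2284 hunk before it), entry->is_protected is only ever set to true, and none of the 12 lines this patch adds to rx.c clears it. Whether a fragment cache entry is zeroed when it is reused is not visible here, so please confirm that the code which sets up a new entry resets the flag, or add "entry->is_protected = false;" there. A stale flag would make the check in the @@ -2337 hunk drop the later fragments of an unrelated, unprotected sequence that reuses the entry.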
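
Review bot: the new else-if in the @@ -2337 hunk of rx.c rejects a follow-up fragment only when entry->is_protected is set, so the opposite mix (first fragment cached without protection, a later fragment arriving protected) fails the condition and continues to skb_pull(). If that case is intentional or is rejected elsewhere, the comment should say so; otherwise the condition could compare the entry's state with "rx->key && ieee80211_has_protected(fc)" in both directions. The test also depends on the Protected bit still being set in fc when the frame reaches this function, which is worth stating in the comment given that the commit message has driver-implemented ciphers in mind.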
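
Review bot: in the sta_info.h hunk, is_protected:1 in struct ieee80211_fragment_entry has no comment, while check_sequential_pn beside it keeps its "needed for CCMP/GCMP" note. Please add one saying that it records that the first fragment was received protected with a key, since the defragment check relies on exactly that. key_color is now also filled in for the non-CCMP/GCMP case and sits directly under the last_pn comment "if CCMP was used", so a short comment on key_color would avoid the impression that it is CCMP-only.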