From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg
Subject: [PATCH 5.4 020/177] mac80211: check defrag PN against current frame
Date: Mon, 31 May 2021 15:12:57 +0200
Message-Id: <20210531130648.613512994@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130647.887605866@linuxfoundation.org>
References: <20210531130647.887605866@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johannes Berg

commit bf30ca922a0c0176007e074b0acc77ed345e9990 upstream.

As pointed out by Mathy Vanhoef, we implement the RX PN check on fragmented frames incorrectly - we check against the last received PN prior to the new frame, rather than to the one in this frame itself.

Prior patches addressed the security issue here, but in order to be able to reason better about the code, fix it to really compare against the current frame's PN, not the last stored one.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210511200110.bfbc340ff071.Id0b690e581da7d03d76df90bb0e3fd55930bc8a0@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/ieee80211_i.h | 11 +++++++++--
 net/mac80211/rx.c          |  5 ++---
 net/mac80211/wpa.c         | 13 +++++++++----
 3 files changed, 20 insertions(+), 9 deletions(-)

--- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -222,8 +222,15 @@ struct ieee80211_rx_data { */ int security_idx; - u32 tkip_iv32; - u16 tkip_iv16; + union { + struct { + u32 iv32; + u16 iv16; + } tkip; + struct { + u8 pn[IEEE80211_CCMP_PN_LEN]; + } ccm_gcm; + }; }; struct ieee80211_csa_settings { --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c 
@@ -2268,7 +2268,6 @@ ieee80211_rx_h_defragment(struct ieee802 if (entry->check_sequential_pn) { int i; u8 pn[IEEE80211_CCMP_PN_LEN], *rpn; - int queue; if (!requires_sequential_pn(rx, fc)) return RX_DROP_UNUSABLE; @@ -2283,8 +2282,8 @@ ieee80211_rx_h_defragment(struct ieee802 if (pn[i]) break; } - queue = rx->security_idx; - rpn = rx->key->u.ccmp.rx_pn[queue]; + + rpn = rx->ccm_gcm.pn; if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN)) return RX_DROP_UNUSABLE; memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); --- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c @@ -3,6 +3,7 @@ * Copyright 2002-2004, Instant802 Networks, Inc. * Copyright 2008, Jouni Malinen * Copyright (C) 2016-2017 Intel Deutschland GmbH + * Copyright (C) 2020-2021 Intel Corporation */ #include @@ -167,8 +168,8 @@ ieee80211_rx_h_michael_mic_verify(struct update_iv: /* update IV in key information to be able to detect replays */ - rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32; - rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16; + rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip.iv32; + rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip.iv16; return RX_CONTINUE; @@ -294,8 +295,8 @@ ieee80211_crypto_tkip_decrypt(struct iee key, skb->data + hdrlen, skb->len - hdrlen, rx->sta->sta.addr, hdr->addr1, hwaccel, rx->security_idx, - &rx->tkip_iv32, - &rx->tkip_iv16); + &rx->tkip.iv32, + &rx->tkip.iv16); if (res != TKIP_DECRYPT_OK) return RX_DROP_UNUSABLE; @@ -553,6 +554,8 @@ ieee80211_crypto_ccmp_decrypt(struct iee } memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN); + if (unlikely(ieee80211_is_frag(hdr))) + memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN); } /* Remove CCMP header and MIC */ @@ -781,6 +784,8 @@ ieee80211_crypto_gcmp_decrypt(struct iee } memcpy(key->u.gcmp.rx_pn[queue], pn, IEEE80211_GCMP_PN_LEN); + if (unlikely(ieee80211_is_frag(hdr))) + memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN); } /* Remove GCMP header and MIC */
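Review bot: the new anonymous union in struct ieee80211_rx_data (the `+ union { ... } tkip; ... } ccm_gcm;` block in the ieee80211_i.h hunk) carries no comment saying when each member holds valid data; `ccm_gcm.pn` is only written by the decrypt handlers, and only for fragments, so a one-line comment above `u8 pn[IEEE80211_CCMP_PN_LEN];` stating that it holds the current frame's PN and is set by CCMP/GCMP decrypt for fragmented frames only would spare the next reader a trip through wpa.c. The two members are mutually exclusive per key cipher, so the storage overlap itself is fine.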
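Review bot: in the second rx.c hunk the replacement leaves a bare `+` blank line above `+ rpn = rx->ccm_gcm.pn;`, inserting an empty line between the PN-increment loop and the comparison where the removed `queue = rx->security_idx;` line used to be; drop it. More importantly, `if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))` now compares the expected PN against rx->ccm_gcm.pn rather than the key's stored rx_pn, so its correctness rests on every frame reaching this `check_sequential_pn` branch having passed through a CCMP/GCMP decrypt path that stored its PN there first; a short comment at the assignment naming that dependency would make the invariant explicit at the point it is relied on.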
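Review bot: in the ieee80211_crypto_ccmp_decrypt hunk the new `if (unlikely(ieee80211_is_frag(hdr))) memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);` sits inside the same braces as the `memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);` store, closed by the `}` that follows it. If that enclosing block is conditional (its condition lies outside the hunk context shown), a fragment that skips it leaves rx->ccm_gcm.pn unset and the defrag comparison in rx.c reads whatever the union last held; worth confirming that the block is entered for every fragment that later hits the check_sequential_pn comparison, or adding a comment explaining why it always is. The same applies to the matching block in the gcmp hunk.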
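Review bot: the ieee80211_crypto_gcmp_decrypt hunk copies into rx->ccm_gcm.pn with IEEE80211_CCMP_PN_LEN while the line directly above copies the same `pn` buffer with IEEE80211_GCMP_PN_LEN. Both constants are 6 bytes, so the copy is correct, but mixing them on adjacent lines invites a future mismatch; either use IEEE80211_GCMP_PN_LEN here or note that the shared union field is deliberately sized with the CCMP constant.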