From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mathy Vanhoef , Johannes Berg
Subject: [PATCH 5.4 015/177] mac80211: prevent mixed key and fragment cache attacks
Date: Mon, 31 May 2021 15:12:52 +0200
Message-Id: <20210531130648.432825907@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130647.887605866@linuxfoundation.org>
References: <20210531130647.887605866@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mathy Vanhoef

commit 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 upstream.

Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment cache attacks (CVE-2020-24586). This is accomplished by assigning a unique color to every key (per interface) and using this to track which key was used to decrypt a fragment. When reassembling frames, it is now checked whether all fragments were decrypted using the same key.

To assure that fragment cache attacks are also prevented, the ID that is assigned to keys is unique even over (re)associations and (re)connects. This means fragments separated by a (re)association or (re)connect will not be reassembled. Because mac80211 now also prevents the reassembly of mixed encrypted and plaintext fragments, all cache attacks are prevented.

Cc: stable@vger.kernel.org
Signed-off-by: Mathy Vanhoef
Link: https://lore.kernel.org/r/20210511200110.3f8290e59823.I622a67769ed39257327a362cfc09c812320eb979@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/ieee80211_i.h | 1 +
 net/mac80211/key.c         | 7 +++++++
 net/mac80211/key.h         | 2 ++
 net/mac80211/rx.c          | 6 ++++++
 4 files changed, 16 insertions(+)

--- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h
@@ -97,6 +97,7 @@ struct ieee80211_fragment_entry { u8 rx_queue; bool check_sequential_pn; /* needed for CCMP/GCMP */ u8 last_pn[6]; /* PN of the last fragment if CCMP was used */ + unsigned int key_color; }; --- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -764,6 +764,7 @@ int ieee80211_key_link(struct ieee80211_ struct ieee80211_sub_if_data *sdata, struct sta_info *sta) { + static atomic_t key_color = ATOMIC_INIT(0); struct ieee80211_key *old_key; int idx = key->conf.keyidx; bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; @@ -815,6 +816,12 @@ int ieee80211_key_link(struct ieee80211_ key->sdata = sdata; key->sta = sta; + /* + * Assign a unique ID to every key so we can easily prevent mixed + * key and fragment cache attacks. + */ + key->color = atomic_inc_return(&key_color); + increment_tailroom_need_count(sdata); ret = ieee80211_key_replace(sdata, sta, pairwise, old_key, key); --- a/net/mac80211/key.h +++ b/net/mac80211/key.h @@ -127,6 +127,8 @@ struct ieee80211_key { } debugfs; #endif + unsigned int color; + /* * key config, must be last because it contains key * material as variable length member --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -2215,6 +2215,7 @@ ieee80211_rx_h_defragment(struct ieee802 * next fragment has a sequential PN value. */ entry->check_sequential_pn = true; + entry->key_color = rx->key->color; memcpy(entry->last_pn, rx->key->u.ccmp.rx_pn[queue], IEEE80211_CCMP_PN_LEN); @@ -2252,6 +2253,11 @@ ieee80211_rx_h_defragment(struct ieee802 if (!requires_sequential_pn(rx, fc)) return RX_DROP_UNUSABLE; + + /* Prevent mixed key and fragment cache attacks */ + if (entry->key_color != rx->key->color) + return RX_DROP_UNUSABLE; + memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN); for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) { pn[i]++;
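Review bot: in the ieee80211_i.h hunk, the new `unsigned int key_color;` member of struct ieee80211_fragment_entry has no per-field comment, unlike its neighbours (`/* needed for CCMP/GCMP */`, `/* PN of the last fragment if CCMP was used */`). Suggest `unsigned int key_color; /* color of the key that decrypted the first fragment */` so a reader of the struct knows what the comparison in rx.c relies on.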
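Review bot: in the first key.c hunk, `static atomic_t key_color = ATOMIC_INIT(0);` is a function-local static, so every color comes from one counter shared by all interfaces and stations, while the commit message says a unique color is assigned "to every key (per interface)". The shared counter is the stronger property and is what makes colors unique across (re)associations, so the commit message wording should match the code. A short comment that the first value handed out is 1 (leaving 0 as a never-valid color) and that the 32-bit counter is allowed to wrap would also help.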
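Review bot: in the key.h hunk, `unsigned int color;` is added to struct ieee80211_key without a comment, and its counterpart in ieee80211_fragment_entry is named `key_color`. A one-line comment (e.g. `/* unique per installed key, assigned in ieee80211_key_link() */`) and a consistent name would make the pairing obvious where rx.c compares `entry->key_color != rx->key->color`.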
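Review bot: in the first rx.c hunk, `entry->key_color = rx->key->color;` is recorded only inside the branch that sets `entry->check_sequential_pn = true`, i.e. the CCMP/GCMP path, and the comparison in the second rx.c hunk sits after the `requires_sequential_pn()` guard. From the visible context, fragment entries opened for other ciphers never receive a color and are never checked, yet the commit message states that "all cache attacks are prevented". Either the commit message should say the color check applies to CCMP/GCMP fragments only, or the assignment should move ahead of the cipher-specific branch so every entry carries a color.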
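Review bot: in the second rx.c hunk, the new `if (entry->key_color != rx->key->color) return RX_DROP_UNUSABLE;` drops the frame silently, with no distinguishing counter or debug output, so an operator cannot tell a benign rekey race from repeated mixed-key fragments. Consider a debugfs counter or a rate-limited debug message next to the `/* Prevent mixed key and fragment cache attacks */` comment, which could also cite CVE-2020-24586 and CVE-2020-24587 from the commit message for future readers.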
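A stand-alone model of the key-color check the commit message describes, added here as an illustration and not code from this patch or from mac80211: struct and function names are assumed, the color counter mirrors the static atomic_t in the key.c hunk, and the fragment data is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Stand-alone model of the patch's key-color check; names are assumed, not mac80211's. */
struct key { int keyidx; unsigned int color; };
struct frag_entry { bool in_use; unsigned int key_color; uint8_t buf[64]; size_t len; };
enum rx_res { RX_QUEUED, RX_CONTINUE, RX_DROP_UNUSABLE };
/* Like the static atomic_t in ieee80211_key_link(): the first color is 1, so an
 * entry zero-initialised to key_color == 0 never matches a real key. */
static unsigned int next_color;
static void key_link(struct key *k, int keyidx) { k->keyidx = keyidx; k->color = ++next_color; }
/* Fragment 0 opens the entry and records the key color; each later fragment must
 * have been decrypted with a key of the same color, otherwise the frame is dropped. */
static enum rx_res defragment(struct frag_entry *e, const struct key *k, int frag_num,
                              bool more_frags, const uint8_t *data, size_t len)
{
    if (frag_num == 0) {
        e->in_use = true;
        e->key_color = k->color;
        e->len = 0;
    } else if (!e->in_use || e->key_color != k->color) {
        e->in_use = false;      /* prevent mixed key and fragment cache attacks */
        return RX_DROP_UNUSABLE;
    }
    if (e->len + len > sizeof(e->buf))
        return RX_DROP_UNUSABLE;
    memcpy(e->buf + e->len, data, len);
    e->len += len;
    if (more_frags)
        return RX_QUEUED;
    e->in_use = false;          /* frame complete, release the cache entry */
    return RX_CONTINUE;
}
/* Constructed scenario. Returns 0 when the model behaves as the patch intends: a
 * fragment 1 decrypted under a rekeyed key (same keyidx, new color) is dropped, and
 * both fragments under one key reassemble to "headtail". Non-zero names the step. */
static int run_scenario(void)
{
    struct frag_entry e = {0};
    struct key old_k, new_k;
    static const uint8_t a[] = "head", b[] = "tail";
    key_link(&old_k, 0);
    key_link(&new_k, 0);                        /* rekey: keyidx 0 reused, new color */
    if (defragment(&e, &old_k, 0, true, a, 4) != RX_QUEUED) return 1;
    if (defragment(&e, &new_k, 1, false, b, 4) != RX_DROP_UNUSABLE) return 2;
    if (defragment(&e, &new_k, 0, true, a, 4) != RX_QUEUED) return 3;
    if (defragment(&e, &new_k, 1, false, b, 4) != RX_CONTINUE) return 4;
    return e.len == 8 && memcmp(e.buf, "headtail", 8) == 0 ? 0 : 5;
}
```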