Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2719313pxj; Mon, 31 May 2021 09:03:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwv7Ci4uBxt3lVszAKb14Pl8l2H5ZZEBarhOTBGJO27ILOVWqArIQ8aI40Xotets3mSRit6 X-Received: by 2002:a17:906:6ada:: with SMTP id q26mr24499758ejs.237.1622476981119; Mon, 31 May 2021 09:03:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622476981; cv=none; d=google.com; s=arc-20160816; b=HrwiRVTuhm0aRtN66N32kZSpniffo4Dt4+JjmUgJudkgkMVzy//FBciWyix4ChMv36 CjfttVuMm/Qq2r24dhaOGFcYG/RO6wA6i5uv4GmHnRJNa/TBClPslXkh45gT/0Bfj7ta C7hoeJ0Xq2MGfYVI48fLEIe3+Akl4tnd3Wd7rA4V6j47i4FmthNZ9sXhv8YfVXSmaRCz 4Al70xBOQz+PfUvm/0H2lq/IQQEQyyKhm0PwY20NqTMlSnZLp/6hs2/O3nB11JYKD5we 7DPyhuklDdzJaWM/wzwiigpiTyZ9dRDzH9TTkQ2N5HfV0slCw8Xl8kT9DlalTD1VOgoy F0GA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=iRqTtJ5qibZ+Ek1zxjSQas6/e/Dr3zao/V4YeD2pLg4=; b=zqoz+YrhX3ZyIXvEQfvAOrTM4748X4kzu0nCpVdXqCVWUhzN7fJeJ7ZvXm1nb8KKoz YvdhfyijJvu2oROLQlJ98HsZwbyHZlqcyy+xJZmwdPKZQKUW0tWWvyV+Whx6RsmFZSab RUDlifSxUvxGtIjt7ZSjUuZWjwIf8znQ+pmpnXqV/smnsA1FLG7q+nINcdTMlGOzenLB EQzMcq0UfWLUdqRUpvUmX9GExOx4wTRHxPkEVYjagb7OmjsK9W/VQOww7fEd4tHgwYkM kqRsyXK4mbb3PXQIj4gUO+Em1xpVV/hg7P9T7R0Z5b4H+ii3hMLEFBTvkRvn5apWY8Gh mtAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=AM04EUMx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v7si16328682edj.328.2021.05.31.09.02.38; Mon, 31 May 2021 09:03:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=AM04EUMx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233845AbhEaQDZ (ORCPT + 99 others); Mon, 31 May 2021 12:03:25 -0400 Received: from mail.kernel.org ([198.145.29.99]:33234 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233820AbhEaOdg (ORCPT ); Mon, 31 May 2021 10:33:36 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 78968613B6; Mon, 31 May 2021 13:50:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1622469018; bh=xeakNeHo+vWY6mJu9AUXZCwYLaHsdw4m/zc8lvHTY5M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AM04EUMxy+g5UVwNEaSLm9cbb8yFIorfaqZExkQhv6RC6tY/sFDOr2svkwiUMUlnD G6Va1eGHkrHopZuVJdfQYe+lSIPKfuHeu0NH9/VPV+WfHhod4pIbEGlSSpc20UtJd6 w9HJ2asvnG7taTnfLpWLi4oy/FGTHOweqi8HAOe4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mathy Vanhoef , Johannes Berg Subject: [PATCH 5.12 038/296] cfg80211: mitigate A-MSDU aggregation attacks Date: Mon, 31 May 2021 15:11:33 +0200 Message-Id: <20210531130705.103550458@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210531130703.762129381@linuxfoundation.org> References: <20210531130703.762129381@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Mathy Vanhoef commit 2b8a1fee3488c602aca8bea004a087e60806a5cf upstream. Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation". Note that for kernel 4.9 and above this patch depends on "mac80211: properly handle A-MSDUs that start with a rfc1042 header". Otherwise this patch has no impact and attacks will remain possible. Cc: stable@vger.kernel.org Signed-off-by: Mathy Vanhoef Link: https://lore.kernel.org/r/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/util.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -771,6 +771,9 @@ void ieee80211_amsdu_to_8023s(struct sk_ remaining = skb->len - offset; if (subframe_len > remaining) goto purge; + /* mitigate A-MSDU aggregation injection attacks */ + if (ether_addr_equal(eth.h_dest, rfc1042_header)) + goto purge; offset += sizeof(struct ethhdr); last = remaining <= subframe_len + padding;