From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg
Subject: [PATCH 5.12 039/296] mac80211: drop A-MSDUs on old ciphers
Date: Mon, 31 May 2021 15:11:34 +0200
Message-Id: <20210531130705.139123583@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130703.762129381@linuxfoundation.org>
References: <20210531130703.762129381@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johannes Berg

commit 270032a2a9c4535799736142e1e7c413ca7b836e upstream.

With old ciphers (WEP and TKIP) we shouldn't be using A-MSDUs
since A-MSDUs are only supported if we know that they are, and
the only practical way for that is HT support which doesn't
support old ciphers.

However, we would normally accept them anyway. Since we check
the MMIC before deaggregating A-MSDUs, and the A-MSDU bit in
the QoS header is not protected in TKIP (or WEP), this enables
attacks similar to CVE-2020-24588. To prevent that, drop A-MSDUs
completely with old ciphers.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210511200110.076543300172.I548e6e71f1ee9cad4b9a37bf212ae7db723587aa@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
--- net/mac80211/rx.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -6,7 +6,7 @@ * Copyright 2007-2010 Johannes Berg * Copyright 2013-2014 Intel Mobile Communications GmbH * Copyright(c) 2015 - 2017 Intel Deutschland GmbH - * Copyright (C) 2018-2020 Intel Corporation + * Copyright (C) 2018-2021 Intel Corporation */ #include 
@@ -2738,6 +2738,23 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx if (is_multicast_ether_addr(hdr->addr1)) return RX_DROP_UNUSABLE; + if (rx->key) { + /* + * We should not receive A-MSDUs on pre-HT connections, + * and HT connections cannot use old ciphers. Thus drop + * them, as in those cases we couldn't even have SPP + * A-MSDUs or such. + */ + switch (rx->key->conf.cipher) { + case WLAN_CIPHER_SUITE_WEP40: + case WLAN_CIPHER_SUITE_WEP104: + case WLAN_CIPHER_SUITE_TKIP: + return RX_DROP_UNUSABLE; + default: + break; + } + } + return __ieee80211_rx_h_amsdu(rx, 0); }
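
Review bot: In the new "if (rx->key)" block of ieee80211_rx_h_amsdu(), the comment says A-MSDUs should not be received on pre-HT connections at all, but the code only drops when a key is set and its cipher is WEP40, WEP104 or TKIP; a frame with rx->key == NULL still falls through to "return __ieee80211_rx_h_amsdu(rx, 0);". If that is intended, I would reword the comment so it says the drop is keyed on the cipher only, and carry over the reason given in the commit message (the A-MSDU bit in the QoS header is not protected in TKIP or WEP, and the MMIC is checked before deaggregation), since "we couldn't even have SPP A-MSDUs or such" does not tell a later reader what this drop protects against.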