Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2723197pxj;
        Mon, 31 May 2021 09:07:38 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwW7aTiry0c5TFsS2jySd0KhiGyOgFKfiSfJRffBZHTiAY+TL78Fx+uJhenc0i+ISt3ozk5
X-Received: by 2002:a50:ff0a:: with SMTP id a10mr26423605edu.273.1622477258395;
        Mon, 31 May 2021 09:07:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622477258; cv=none;
        d=google.com; s=arc-20160816;
        b=mCoQWVWs5lgWl5lmHqI80qbp2aRlfdtncBU3l0d87tCsLdk9Td1aYAYPUSVYaQypna
         mBY1mPcHF+pkKYPyE6uFTQW1LPcgMWL9WFvdhkhpZQ1gcVu4TL/gVBazANf6i8TXizap
         cwpwU7Exnha2+86TU8bXu2zI1LUP0Mj1U+NLa3LY1S8nmvIkc/qM8xDN5Lh5g2msdCTJ
         ARrYtpPyepnEFe8zQXjiaP2twz4EAyujcfnRPLBDW5RizY6CsSVGKW1WMEodenN6t8Np
         Hlam0USE7k2ZxHcE5zfS6D8sWPWfZUDW0y/n9ySpSjdCzSiapD6mxiDevIYhdJD7jmTv
         r5Lw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=8m8KcD7HQaLmRpr8lUP4o8Qd1eiG2awnHBGvyEOYumQ=;
        b=nDTLdizgA6iL9XfK+7bE+LKZtKXn9KH98eQrLvRIGX9awnCLiWZvVEDzorZr91EM2Z
         IT8FE5/ckvfiNkNQIm+SRLk/EB3Yufi9vDksuN1oRVE1KLtWIxA3BhMPuma0czAyuarl
         5CdJnzDBO8j5uE3OMxaTNBsHta5NABftLr/e3b7r+bKHhjWxVjaH4Zo3qba4tvvSht9/
         GNeXqFsgVmPA5knv8YX2QkkgFVoniLjkfx+Uov0nbmzbc6tTRh6xrYMf2cUa/PvGhBTu
         T7y5utbAUG3ZyZLVsiTzbObjWTU1W2A7yn5NIac97sD5Y7zl6XbnAhrazIQhkYAZmZRB
         yf/A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=irLOgl5E;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id rh9si14400590ejb.589.2021.05.31.09.07.14;
        Mon, 31 May 2021 09:07:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=irLOgl5E;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232666AbhEaQHv (ORCPT <rfc822;lukasz.wituch.linux@gmail.com>
        + 99 others); Mon, 31 May 2021 12:07:51 -0400
Received: from mail.kernel.org ([198.145.29.99]:60892 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S232805AbhEaOfE (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 31 May 2021 10:35:04 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 10D4A61C45;
        Mon, 31 May 2021 13:50:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1622469034;
        bh=+Vew00TwKdnBs4KG7Dn3xgJ9DPFcgb+2J0V4jN5AE2s=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=irLOgl5EVut3YEvB+NAFaZ6NTxVh7WYi5r6zZVpnbACqWn2EuzQqL0Q2VKpYIekN4
         uiFgHy61nS1NSqKoK3bP45ALDSgJnM5PJEn7MGGhXT+lo52sKsK89C2iqgcFnQAxUA
         5M06JV96bRNXtPWNAuPwvgOUGJlA3coOsKjR6MUw=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Wen Gong <wgong@codeaurora.org>,
        Jouni Malinen <jouni@codeaurora.org>,
        Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 5.12 044/296] mac80211: extend protection against mixed key and fragment cache attacks
Date:   Mon, 31 May 2021 15:11:39 +0200
Message-Id: <20210531130705.314716022@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130703.762129381@linuxfoundation.org>
References: <20210531130703.762129381@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Wen Gong <wgong@codeaurora.org>

commit 3edc6b0d6c061a70d8ca3c3c72eb1f58ce29bfb1 upstream.

For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is
done by the hardware, and the Protected bit in the Frame Control field
is cleared in the lower level driver before the frame is passed to
mac80211. In such cases, the condition for ieee80211_has_protected() is
not met in ieee80211_rx_h_defragment() of mac80211 and the new security
validation steps are not executed.

Extend mac80211 to cover the case where the Protected bit has been
cleared, but the frame is indicated as having been decrypted by the
hardware. This extends protection against mixed key and fragment cache
attack for additional drivers/chips. This fixes CVE-2020-24586 and
CVE-2020-24587 for such cases.

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1

Cc: stable@vger.kernel.org
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Link: https://lore.kernel.org/r/20210511200110.037aa5ca0390.I7bb888e2965a0db02a67075fcb5deb50eb7408aa@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/rx.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2228,6 +2228,7 @@ ieee80211_rx_h_defragment(struct ieee802
 	unsigned int frag, seq;
 	struct ieee80211_fragment_entry *entry;
 	struct sk_buff *skb;
+	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
 
 	hdr = (struct ieee80211_hdr *)rx->skb->data;
 	fc = hdr->frame_control;
@@ -2286,7 +2287,9 @@ ieee80211_rx_h_defragment(struct ieee802
 				     sizeof(rx->key->u.gcmp.rx_pn[queue]));
 			BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
 				     IEEE80211_GCMP_PN_LEN);
-		} else if (rx->key && ieee80211_has_protected(fc)) {
+		} else if (rx->key &&
+			   (ieee80211_has_protected(fc) ||
+			    (status->flag & RX_FLAG_DECRYPTED))) {
 			entry->is_protected = true;
 			entry->key_color = rx->key->color;
 		}
@@ -2331,13 +2334,19 @@ ieee80211_rx_h_defragment(struct ieee802
 			return RX_DROP_UNUSABLE;
 		memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
 	} else if (entry->is_protected &&
-		   (!rx->key || !ieee80211_has_protected(fc) ||
+		   (!rx->key ||
+		    (!ieee80211_has_protected(fc) &&
+		     !(status->flag & RX_FLAG_DECRYPTED)) ||
 		    rx->key->color != entry->key_color)) {
 		/* Drop this as a mixed key or fragment cache attack, even
 		 * if for TKIP Michael MIC should protect us, and WEP is a
 		 * lost cause anyway.
 		 */
 		return RX_DROP_UNUSABLE;
+	} else if (entry->is_protected && rx->key &&
+		   entry->key_color != rx->key->color &&
+		   (status->flag & RX_FLAG_DECRYPTED)) {
+		return RX_DROP_UNUSABLE;
 	}
 
 	skb_pull(rx->skb, ieee80211_hdrlen(fc));