From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wen Gong, Jouni Malinen, Johannes Berg
Subject: [PATCH 5.12 044/296] mac80211: extend protection against mixed key and fragment cache attacks
Date: Mon, 31 May 2021 15:11:39 +0200
Message-Id: <20210531130705.314716022@linuxfoundation.org>
In-Reply-To: <20210531130703.762129381@linuxfoundation.org>
References: <20210531130703.762129381@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Wen Gong

commit 3edc6b0d6c061a70d8ca3c3c72eb1f58ce29bfb1 upstream.

For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is done by the hardware, and the Protected bit in the Frame Control field is cleared in the lower level driver before the frame is passed to mac80211. In such cases, the condition for ieee80211_has_protected() is not met in ieee80211_rx_h_defragment() of mac80211 and the new security validation steps are not executed.

Extend mac80211 to cover the case where the Protected bit has been cleared, but the frame is indicated as having been decrypted by the hardware. This extends protection against mixed key and fragment cache attack for additional drivers/chips. This fixes CVE-2020-24586 and CVE-2020-24587 for such cases.

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1

Cc: stable@vger.kernel.org
Signed-off-by: Wen Gong
Signed-off-by: Jouni Malinen
Link: https://lore.kernel.org/r/20210511200110.037aa5ca0390.I7bb888e2965a0db02a67075fcb5deb50eb7408aa@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/rx.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2228,6 +2228,7 @@ ieee80211_rx_h_defragment(struct ieee802 unsigned int frag, seq; struct ieee80211_fragment_entry *entry; struct sk_buff *skb; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); hdr = (struct ieee80211_hdr *)rx->skb->data; fc = hdr->frame_control; @@ -2286,7 +2287,9 @@ ieee80211_rx_h_defragment(struct ieee802 sizeof(rx->key->u.gcmp.rx_pn[queue])); BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN != IEEE80211_GCMP_PN_LEN); - } else if (rx->key && ieee80211_has_protected(fc)) { + } else if (rx->key && + (ieee80211_has_protected(fc) || + (status->flag & RX_FLAG_DECRYPTED))) { entry->is_protected = true; entry->key_color = rx->key->color; } @@ -2331,13 +2334,19 @@ ieee80211_rx_h_defragment(struct ieee802 return RX_DROP_UNUSABLE; memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); } else if (entry->is_protected && - (!rx->key || !ieee80211_has_protected(fc) || + (!rx->key || + (!ieee80211_has_protected(fc) && + !(status->flag & RX_FLAG_DECRYPTED)) || rx->key->color != entry->key_color)) { /* Drop this as a mixed key or fragment cache attack, even * if for TKIP Michael MIC should protect us, and WEP is a * lost cause anyway. */ return RX_DROP_UNUSABLE; + } else if (entry->is_protected && rx->key && + entry->key_color != rx->key->color && + (status->flag & RX_FLAG_DECRYPTED)) { + return RX_DROP_UNUSABLE; } skb_pull(rx->skb, ieee80211_hdrlen(fc));
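Review bot: in the first hunk (@@ -2228), the new `status` local taken from `IEEE80211_SKB_RXCB(rx->skb)` is fine as a declaration (the same `rx->skb` is dereferenced for `hdr` on the next lines), but nothing in the source records that `status->flag & RX_FLAG_DECRYPTED` is from here on treated as equivalent to the Protected bit for fragment tracking; a one-line comment at this declaration along the lines of `/* hw-decrypted frames may reach us with the Protected bit cleared by the driver */` would carry the commit message's rationale into the code, where the next reader of ieee80211_rx_h_defragment() will actually look for it.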
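Review bot: in the second hunk (@@ -2286), the expression `ieee80211_has_protected(fc) || (status->flag & RX_FLAG_DECRYPTED)` is negated by hand in the following hunk as `!ieee80211_has_protected(fc) && !(status->flag & RX_FLAG_DECRYPTED)`; evaluating it once into a local (hypothetical name `frame_protected`) and using that in both conditions keeps the two tests from drifting apart in later changes. It is also worth a comment that the outer `rx->key &&` still governs here: a fragment the driver marks RX_FLAG_DECRYPTED but for which no key was found does not get `entry->is_protected` set and is tracked as an unprotected entry, which is the same behaviour the old `ieee80211_has_protected(fc)` test had for a key-less frame.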
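Review bot: in the third hunk (@@ -2331), the added `else if (entry->is_protected && rx->key && entry->key_color != rx->key->color && (status->flag & RX_FLAG_DECRYPTED))` branch is unreachable: the `else if` immediately before it already returns RX_DROP_UNUSABLE whenever `entry->is_protected` holds and `rx->key->color != entry->key_color`, and the new branch only repeats those two conditions with extra `rx->key` and RX_FLAG_DECRYPTED tests that narrow it further. Either drop the new branch or, if it is meant to cover a case the first condition misses, state which one in the commit message; as written, the effective change in this hunk is the widened `(!ieee80211_has_protected(fc) && !(status->flag & RX_FLAG_DECRYPTED))` test inside the existing condition, which is what makes a hardware-decrypted fragment with a cleared Protected bit stay on the protected path instead of being treated as a plaintext fragment.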