Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp308853pxa; Wed, 12 Aug 2020 02:33:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyKUv2Ml8X3zQLgb3qzRoEeL1wxS5AkLjmYEpDd55oXRkJ6w2qSkez9tc9pvbHHKZ7BqLKU X-Received: by 2002:a05:6402:1591:: with SMTP id c17mr30830971edv.240.1597224791425; Wed, 12 Aug 2020 02:33:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597224791; cv=none; d=google.com; s=arc-20160816; b=Ky1Xz/k28JHh3iRVf6afNEEuwH4Nq3MgcJxbTVRCo2nGVoR9/aQCZLwMQq/vp8od// i04hyVxIq1W1W35c3zUO1CrHjZnNNf312CWS1oGxf3wKGmq2rfmspg1ed4H0UAo5OH+2 gph66Jj7yXBNGh5lpzBBCLLp5ahq8H3g99GF8hGzSMIgxtGtdT5sIrUM4Xnb9aLYeFtM QVDir6bs+q69qO87eUw4z7A0plHXjPCqCwDmfdTCixvV8O7xdCleNK/ZJ5uH3Amb/dt/ EsVkLll0hXYIgjL8Uel+9ChsrtTRBk5yIC/kmJz+aC1M4T7mLk2Uq1WWT41oQCNqXyyU am/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=xj/ubkdJERhQPvDwlfvptcYbp5gMyLZDCpjDc4VbvFY=; b=KSglyyX1LwChmRIk0MQpWrqwO/MaoynuOJf7F3WXZPE6PSPppdD9JNoAxHbkQlXNGO 5bUThUOdpyMn0Up87daVm8S2vygEQNbEj22RXKPKKvb4hpd+cx/YHqBd6svduCTe88hU lqpxZbtLoLPkt5NtW4gU8iYJm26u72VDGM3s0zkD1YmumiJQ2/8596O/4Vzi5gvKL8qV ma1s/7T7h/QxICZ8CO72XchYp7icTXsWpd69vLuTjym+505bA560uuihbtgt69Q/lr2T KZcvViuqnxldrk65AbWfvyX+br6Z1v2blAQdTSOj6jOmuILeh0X8U/MfzIlTWSz6lIAT jMyQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=WCSwOJMX; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n9si907345edo.79.2020.08.12.02.32.47; Wed, 12 Aug 2020 02:33:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=WCSwOJMX; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727061AbgHLJc2 (ORCPT + 99 others); Wed, 12 Aug 2020 05:32:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57316 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726971AbgHLJc2 (ORCPT ); Wed, 12 Aug 2020 05:32:28 -0400 Received: from mail-il1-x143.google.com (mail-il1-x143.google.com [IPv6:2607:f8b0:4864:20::143]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5827EC06174A for ; Wed, 12 Aug 2020 02:32:28 -0700 (PDT) Received: by mail-il1-x143.google.com with SMTP id t13so1028211ile.9 for ; Wed, 12 Aug 2020 02:32:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=xj/ubkdJERhQPvDwlfvptcYbp5gMyLZDCpjDc4VbvFY=; b=WCSwOJMX6FOHgDkuvLbRuUheMGEKE9xROE6dE+dUHGVf9pyq6pY3Dl8A4e7Q2RTdbs e7YHBzIdzdIutyq3NVnOdZuJl1Yw3hNijaRD8rM0gFHZQa/XLy57bh+qM+El02uzWSdV R4IrdUOC0XTH+7+vTGU47eRGE/4zenvv4rmI80Ju1atxTvALbTLUIZsI2tEt2YEiPpwC 3nngrSfSqY72bCYXYNZkihWQ9aRqhQO02YpIOeVwBkaUkmfnYCvWAoEGhKaiOGABvMzB AU865AJthaqR80q160W91W7ME2XDAwfA+FI2a2ib78vJo7NURiwUzUvFvWI0yUwJRb2t C40A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=xj/ubkdJERhQPvDwlfvptcYbp5gMyLZDCpjDc4VbvFY=; b=Kp3KkMZAD1WCxGlvMwq5AyVrggSTuLwHmjZy9T7CUDxYJ76XhbrBm5XMOhr/ap9DXA ftOt5vc0pat2lK7irRzvxET8peD1RHYnMKJ8pih71+3tDCKQvzjqBLae9WxrA0iBB6Fz 9C/dV/Rw+AMy9h/MUTxqrQWskGOA9PSm2AgEd1jhrHXALAqGtuYjrXsXt3JakGIIuLhi 4GOzufOvrJw9uiIGpAYtAzYhPL19BHGG5ByJbD8x/b9CtO0peUa5pSbNT+FjdMdRkqzi r/1gB6otG8+AJ7yzLvrPIzWtGxZLpMqqf1Ibn1cEJEY1kGfNFnxROJ+gcnV+601abXbr 9D/w== X-Gm-Message-State: AOAM533OeYts1A7Ru5o3zHOEm5WokTLy1l/35rd9wKtz5oPviM3L7bbo y3Ps/TiWp1tf8/nqY38mTXnoty3N8oJl+H1Pf5M= X-Received: by 2002:a92:ba17:: with SMTP id o23mr27694871ili.198.1597224747521; Wed, 12 Aug 2020 02:32:27 -0700 (PDT) MIME-Version: 1.0 References: <20200810090126.mtu3uocpcjg5se5e@pali> <20200812083600.6zxdf5pfktdzggd6@pali> <87lfik1av8.fsf@toke.dk> <20200812092334.GA17878@w1.fi> In-Reply-To: <20200812092334.GA17878@w1.fi> From: =?UTF-8?Q?Micha=C5=82_Kazior?= Date: Wed, 12 Aug 2020 11:32:16 +0200 Message-ID: Subject: Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips To: Jouni Malinen Cc: =?UTF-8?B?VG9rZSBIw7hpbGFuZC1Kw7hyZ2Vuc2Vu?= , =?UTF-8?Q?Pali_Roh=C3=A1r?= , ath10k@lists.infradead.org, ath9k-devel@qca.qualcomm.com, linux-wireless , Kalle Valo Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Wed, 12 Aug 2020 at 11:26, Jouni Malinen wrote: > > On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke H=C3=B8iland-J=C3=B8rgense= n wrote: > > Pali Roh=C3=A1r writes: > > > Could somebody react and provide some details when fixes would be > > > available for ath9k and ath10k Linux drivers? And what is current sta= te > > > of this issue for Linux? > > > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not se= e > > > there any change which could be related to CVE-2020-3702. > > > > How about these, from March: > > > > a0761a301746 ("mac80211: drop data frames without key on encrypted link= s") > > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_d= equeue() case") > > b16798f5b907 ("mac80211: mark station unauthorized before key removal") > > Those cover most of the identified issues for drivers using mac80211 > (e.g., ath9k and ath10k; though, I don't remember whether I actually > ever managed to reproduce this with ath10k in practice). I have couple > of additional ath9k-specific patches that cover additional lower layer > paths for this. I hope to get those out after confirming they work with > the current kernel tree snapshot. As far as I understand the problem can manifest on partial in-hw ampdu retransmits if a key was removed in between. Not exactly an easy thing to reproduce. The actual drivers (ath9k, ath10k) or their microcodes may need to be fixed as well since mac80211 can only do so much. Michal