Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2767353pxu; Mon, 14 Dec 2020 10:23:01 -0800 (PST) X-Google-Smtp-Source: ABdhPJyXoO4fFMDNaIuQF82WdxvNn38o5/bjVVjhmCcGMLPebMNSeJ/CVc1HssfXgssX/AbWFanK X-Received: by 2002:a17:906:1916:: with SMTP id a22mr23534510eje.536.1607970181624; Mon, 14 Dec 2020 10:23:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607970181; cv=none; d=google.com; s=arc-20160816; b=pJoj6aKuc2AbqjaLmdZrFVT8xLw86QtA5hYskT5j/MDFBUhWurOX5/OmAtaMbgLftn jNm6GAEVx3iRJRxpylBGGYIHMw/ENzJ7KGqAbhJBcHT+z1xrL1m1lyEQPTz0Pz9LM3W+ cd12tw8PRHxPlOXJJ0P9EISeQQBTbPv5CfQAJMpFKzEkqUJxMZs/ZAISYtvt8a4HKDpP YWre6jK62QX/By56yoLv/t8SnbVaJXFtwMHrLCSA53Vl/m8OpLpTfdBntr1pXunwOmnO me9OZPamAA5mraNEccOXk0o75zJR7Jvu3tV6TSvzU4oWIYUik2kw0hSSB1x/QnWRFtFf yv+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dmarc-filter:sender :dkim-signature; bh=PfZzYd5OxVNTd47txjIa81aRq7CRY9tpjogEf/fUdMs=; b=enmifegNfIlgvigCtMki9oxN6X8xWZ7J1BrVqB0WNHC9lUk3iXubCK1/LBCShIwZSb DG8KKqymix1sCDmEjxUkGicYeovRAZ7KAn2KgMSl3wNSYeqzKiRuBzeyrcoEiqjiDGxW uPlVLpBsW48jnNXbkkPeAJ/d9IWfNAD1PDASgIFe7rSxg93ZFNSOr4x1LmF+40sVI1sH mau2rsX2A35vHJqfJGGiyICW9vgttWotGnwfdhXsDH940fzvtA0fZgeSb356VOT345Ut RaeqfMR/WdJDgpEE9nwzUnEuI19OvywBtMOugHD/q2/95kTMpw2mMqTVxLyGyqc0s4Rz hcmQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=vLbgN+8v; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cb9si11059614edb.580.2020.12.14.10.22.37; Mon, 14 Dec 2020 10:23:01 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=vLbgN+8v; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725822AbgLNRZu (ORCPT + 99 others); Mon, 14 Dec 2020 12:25:50 -0500 Received: from m43-15.mailgun.net ([69.72.43.15]:49782 "EHLO m43-15.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2438728AbgLNRZQ (ORCPT ); Mon, 14 Dec 2020 12:25:16 -0500 DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1607966689; h=Content-Transfer-Encoding: MIME-Version: Message-Id: Date: Subject: Cc: To: From: Sender; bh=PfZzYd5OxVNTd47txjIa81aRq7CRY9tpjogEf/fUdMs=; b=vLbgN+8vuXbGMvpThyFwV/6gYgYtFgLBpTEcoQMSIGR/779EgEr2/plvkvXjgDb75ih3FwiI tmHgGKXnbW1Z7GtTrOlMToEGz7YIyi4CDK6ZTozb8uNnBKMdV3w/aZcZIDG0NEmk+DgDD7cj Uz4vk0c7agXjpOf2ikJz1+f/rms= X-Mailgun-Sending-Ip: 69.72.43.15 X-Mailgun-Sid: WyI3YTAwOSIsICJsaW51eC13aXJlbGVzc0B2Z2VyLmtlcm5lbC5vcmciLCAiYmU5ZTRhIl0= Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by smtp-out-n02.prod.us-west-2.postgun.com with SMTP id 5fd79fe07e6bd85d22a13d2e (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Mon, 14 Dec 2020 17:24:48 GMT Sender: jouni=codeaurora.org@mg.codeaurora.org Received: by smtp.codeaurora.org (Postfix, from userid 1001) id 63F14C43461; Mon, 14 Dec 2020 17:24:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-caf-mail-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=ALL_TRUSTED,BAYES_00,SPF_FAIL autolearn=no autolearn_force=no version=3.4.0 Received: from jouni.codeaurora.org (85-76-35-200-nat.elisa-mobile.fi [85.76.35.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: jouni) by smtp.codeaurora.org (Postfix) with ESMTPSA id A620AC433CA; Mon, 14 Dec 2020 17:24:46 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org A620AC433CA Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=fail smtp.mailfrom=jouni@codeaurora.org From: Jouni Malinen To: ath9k-devel@qca.qualcomm.com, kvalo@codeaurora.org Cc: linux-wireless@vger.kernel.org, Jouni Malinen Subject: [PATCH 0/5] ath9k: Safer key deletion to avoid unexpected behavior Date: Mon, 14 Dec 2020 19:21:13 +0200 Message-Id: <20201214172118.18100-1-jouni@codeaurora.org> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org While earlier mac80211 commits like a0761a301746 ("mac80211: drop data frames without key on encrypted links"), ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case"), and b16798f5b907 ("mac80211: mark station unauthorized before key removal") addressed the most visible and easiest to trigger cases where pending frames from TX queues could potentially end up getting transmitted without proper encryption, some similar cases could still remain in the hardware TX queue. In such cases, clearing of the hardware key cache entry could happen while there were remaining frames in the TX queues with reference to the deleted key. That could end up transmitting such frames without encryption. These issues are related to CVE-2020-3702. It is not clear whether this can be triggered in the station mode after the mac80211 changes, but it has been possible to come up with a test setup where this could be triggered in the AP mode where the TX queue is shared with multiple destinations and cannot be flushed when a single station disconnects. Address such cases by not clearing the hardware key cache entry immediately, but instead, temporarily leaving the key in place and disabling RX processing for the key cache entry. Such a postponed key deletion is completed once there are no remaining frames referencing the particular key cache entry. This is done before handling the next key cache operation to avoid having to perform heavy operations during normal TX operations. Jouni Malinen (5): ath: Use safer key clearing with key cache entries ath9k: Clear key cache explicitly on disabling hardware ath: Export ath_hw_keysetmac() ath: Modify ath_key_delete() to not need full key entry ath9k: Postpone key cache entry deletion for TXQ frames reference it drivers/net/wireless/ath/ath.h | 3 +- drivers/net/wireless/ath/ath5k/mac80211-ops.c | 2 +- drivers/net/wireless/ath/ath9k/htc_drv_main.c | 2 +- drivers/net/wireless/ath/ath9k/hw.h | 1 + drivers/net/wireless/ath/ath9k/main.c | 95 ++++++++++++++++++- drivers/net/wireless/ath/key.c | 41 ++++---- 6 files changed, 122 insertions(+), 22 deletions(-) -- 2.20.1