Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3751737pxj; Tue, 11 May 2021 11:04:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy3eZof9u0Lj9PXXLLBkTWiENT5zMmOzQR8MoazdZIMsIsVKZRa/jF0ntuUOZRuJqMTVd9q X-Received: by 2002:aa7:c84a:: with SMTP id g10mr21888957edt.326.1620756260464; Tue, 11 May 2021 11:04:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620756260; cv=none; d=google.com; s=arc-20160816; b=1HC4IoxT2vFQeFdigUN/kTUn7f7ETtIyyVoJUf42VzgiyLBcmBrr9jJ729h2Cs+QWO vknpysrSYRyeljMkr2Nj0zAMBRKTWbbpsCpL1HnhpaCuE8NKQ0dSGdBcx57zEjOsgvf6 Lt+fYiUAqgXDcL7wp7WclNBI7LTvK/IyFYItk8Y2+0Y7Ad/EpAKvD+RssQplql9hlsGQ EaHFeA7Pn3QTQ5y8lXYfrrC5sYAfeZ7u38M+w4ngjA0jEyWPK9bijOz5j/tEH9SNe/4y KuVst0w+CUSLrMQz/PSPh4sGhc8CORLc1I5OWFqtc9zcvZyywNwqj/WNBh+q+l4zpM/k AxYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=shuUi1BzvuSahXkZA1TzvrUt8jsL+LacgLRrIDkIec0=; b=J61Ax6ZmGlJ40GZr82rForNeiFrWIniJN7xs0Lf7q4sBe/G2F9rormdkQ6H7lQgMvL ZEqJIas1DER4LQRjoBfvUuzTLqBDnv34NAbv/B813KY03I8E9xdJXayhhsxlodrqLe9W +Ejv6IgQDDtqOrypESvfgly4OVGTGoJqZqmwvwJ54UsUcDZPmtOd3hg+jJscq4efkj+M 8YPxA9raHC5T2/XX7gE62hFMq86FTLYGBn6ZMcwTymzwCSQOasoeES3iiBPKo2HKG4ZJ oPTZ7BuWBn+2+stN4hkHJADDmLHaCywkwZEib2JTXVAqU0MaPGozc4zHKjZn2dbRNFkj jvnQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h12si17306634ejl.147.2021.05.11.11.03.56; Tue, 11 May 2021 11:04:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231939AbhEKSE0 (ORCPT + 99 others); Tue, 11 May 2021 14:04:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41160 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231645AbhEKSEV (ORCPT ); Tue, 11 May 2021 14:04:21 -0400 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DBA6EC061761; Tue, 11 May 2021 11:03:11 -0700 (PDT) Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1lgWir-007aAS-I9; Tue, 11 May 2021 20:03:09 +0200 From: Johannes Berg To: linux-wireless@vger.kernel.org Cc: Mathy Vanhoef , stable@vger.kernel.org Subject: [PATCH 04/18] cfg80211: mitigate A-MSDU aggregation attacks Date: Tue, 11 May 2021 20:02:45 +0200 Message-Id: <20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210511180259.159598-1-johannes@sipsolutions.net> References: <20210511180259.159598-1-johannes@sipsolutions.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Mathy Vanhoef Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation". Note that for kernel 4.9 and above this patch depends on "mac80211: properly handle A-MSDUs that start with a rfc1042 header". Otherwise this patch has no impact and attacks will remain possible. Cc: stable@vger.kernel.org Signed-off-by: Mathy Vanhoef Signed-off-by: Johannes Berg --- net/wireless/util.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/wireless/util.c b/net/wireless/util.c index 39966a873e40..7ec021a610ae 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -771,6 +771,9 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, remaining = skb->len - offset; if (subframe_len > remaining) goto purge; + /* mitigate A-MSDU aggregation injection attacks */ + if (ether_addr_equal(eth.h_dest, rfc1042_header)) + goto purge; offset += sizeof(struct ethhdr); last = remaining <= subframe_len + padding; -- 2.30.2