From: Johannes Berg
To: linux-wireless@vger.kernel.org
Cc: Wen Gong, stable@vger.kernel.org
Subject: [PATCH 13/18] ath10k: drop fragments with multicast DA for SDIO
Date: Tue, 11 May 2021 20:02:54 +0200
Message-Id: <20210511200110.9ca6ca7945a9.I1e18b514590af17c155bda86699bc3a971a8dcf4@changeid>
In-Reply-To: <20210511180259.159598-1-johannes@sipsolutions.net>
References: <20210511180259.159598-1-johannes@sipsolutions.net>
From: Wen Gong

Fragmentation is not used with multicast frames. Discard unexpected
fragments with multicast DA.

This fixes CVE-2020-26145.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049

Cc: stable@vger.kernel.org
Signed-off-by: Wen Gong
Signed-off-by: Jouni Malinen
Signed-off-by: Johannes Berg
---
 drivers/net/wireless/ath/ath10k/htt_rx.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index cb04848ed5cb..b1d93ff5215a 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -2617,6 +2617,13 @@ static bool ath10k_htt_rx_proc_rx_frag_ind_hl(struct ath10k_htt *htt,
 	rx_desc = (struct htt_hl_rx_desc *)(skb->data + tot_hdr_len);
 	rx_desc_info = __le32_to_cpu(rx_desc->info);
 
+	hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len);
+
+	if (is_multicast_ether_addr(hdr->addr1)) {
+		/* Discard the fragment with multicast DA */
+		goto err;
+	}
+
 	if (!MS(rx_desc_info, HTT_RX_DESC_HL_INFO_ENCRYPTED)) {
 		spin_unlock_bh(&ar->data_lock);
 		return ath10k_htt_rx_proc_rx_ind_hl(htt, &resp->rx_ind_hl, skb,
@@ -2624,8 +2631,6 @@ static bool ath10k_htt_rx_proc_rx_frag_ind_hl(struct ath10k_htt *htt,
 						    HTT_RX_NON_TKIP_MIC);
 	}
 
-	hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len);
-
 	if (ieee80211_has_retry(hdr->frame_control))
 		goto err;
-- 
2.30.2
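Review bot: In the first hunk (the `is_multicast_ether_addr(hdr->addr1)` test) the comment calls addr1 the DA, but addr1 is the receiver address, which equals the DA only for frames without ToDS set (the normal station-mode case for this SDIO path). If frames with ToDS set can reach this handler, `ieee80211_get_DA(hdr)` selects the right field regardless of the direction bits; if they cannot, the comment should say RA so the assumption is explicit. Separately, moving the `hdr` computation above the `!MS(rx_desc_info, HTT_RX_DESC_HL_INFO_ENCRYPTED)` early return means `hdr->addr1` is now read for unencrypted fragments as well, so it is worth confirming in the surrounding code that `rx_hl->fw_desc.len` has been validated against the skb length before this point (nothing in the hunk shows that check). The new `goto err` is taken with `ar->data_lock` held, which matches the existing retry check in the second hunk jumping to the same label under the same lock, so the unlock must already live at `err`.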
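To make the rule in the commit message concrete outside the driver, here is an added stand-alone model of the receive-side check, written for this page and not taken from ath10k or the patch above: it parses a raw 24-byte 802.11 data header, decides whether the frame is a fragment (more-fragments bit or non-zero fragment number), and drops fragments whose addr1 is a group address, as well as fragments carrying the retry bit, mirroring the existing check in the second hunk. The header layout constants and the sample frames are constructed here for illustration.

```c
/* Added example: a user-space model of the fragment filter the patch adds.
 * Not driver code; constants and sample frames are constructed here. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FCTL_MOREFRAGS 0x0400u  /* frame control: More Fragments (bit 10) */
#define FCTL_RETRY     0x0800u  /* frame control: Retry (bit 11) */
#define SCTL_FRAG_MASK 0x000fu  /* sequence control: fragment number */
#define WLAN_HDR_LEN   24       /* 3-address data header, no QoS/HT fields */

/* Minimal 3-address 802.11 header; all fields little-endian on the air. */
struct wlan_hdr {
	uint16_t frame_control;
	uint16_t duration;
	uint8_t  addr1[6];      /* RA; equals the DA when ToDS is clear */
	uint8_t  addr2[6];
	uint8_t  addr3[6];
	uint16_t seq_ctrl;
};

static uint16_t le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Bounds-check, then decode the fixed header fields. */
static bool parse_hdr(const uint8_t *buf, size_t len, struct wlan_hdr *h)
{
	if (len < WLAN_HDR_LEN)
		return false;
	h->frame_control = le16(buf);
	h->duration = le16(buf + 2);
	memcpy(h->addr1, buf + 4, 6);
	memcpy(h->addr2, buf + 10, 6);
	memcpy(h->addr3, buf + 16, 6);
	h->seq_ctrl = le16(buf + 22);
	return true;
}

/* Group (multicast or broadcast) address: I/G bit of the first octet set. */
static bool is_group_addr(const uint8_t *a)
{
	return (a[0] & 0x01) != 0;
}

/* Part of a fragmented MSDU if more fragments follow or this is not frag 0. */
static bool is_fragment(const struct wlan_hdr *h)
{
	return (h->frame_control & FCTL_MOREFRAGS) ||
	       (h->seq_ctrl & SCTL_FRAG_MASK);
}

/* Receive policy: true means the frame should be discarded. Whole frames
 * are never touched here; group-addressed fragments are dropped because
 * 802.11 does not fragment group-addressed MSDUs, and retried fragments
 * are dropped as in the existing driver check. */
static bool should_drop(const uint8_t *buf, size_t len)
{
	struct wlan_hdr h;

	if (!parse_hdr(buf, len, &h))
		return true;                 /* truncated header */
	if (!is_fragment(&h))
		return false;
	if (is_group_addr(h.addr1))
		return true;
	if (h.frame_control & FCTL_RETRY)
		return true;
	return false;
}

/* Constructed sample headers (data frames, FC type 2, BSSID 02:00:00:00:00:aa). */
static const uint8_t frag_to_mcast[WLAN_HDR_LEN] = {
	0x08, 0x04, 0x00, 0x00, 0x01, 0x00, 0x5e, 0x00, 0x00, 0x01,
	0x02, 0x00, 0x00, 0x00, 0x00, 0xbb, 0x02, 0x00, 0x00, 0x00, 0x00, 0xaa,
	0x00, 0x00 };
static const uint8_t frag_to_unicast[WLAN_HDR_LEN] = {
	0x08, 0x04, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
	0x02, 0x00, 0x00, 0x00, 0x00, 0xbb, 0x02, 0x00, 0x00, 0x00, 0x00, 0xaa,
	0x00, 0x00 };
static const uint8_t whole_to_mcast[WLAN_HDR_LEN] = {
	0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x5e, 0x00, 0x00, 0x01,
	0x02, 0x00, 0x00, 0x00, 0x00, 0xbb, 0x02, 0x00, 0x00, 0x00, 0x00, 0xaa,
	0x00, 0x00 };
static const uint8_t retry_frag_unicast[WLAN_HDR_LEN] = {
	0x08, 0x0c, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
	0x02, 0x00, 0x00, 0x00, 0x00, 0xbb, 0x02, 0x00, 0x00, 0x00, 0x00, 0xaa,
	0x01, 0x00 };

int main(void)
{
	printf("fragment to multicast: %s\n", should_drop(frag_to_mcast, WLAN_HDR_LEN) ? "drop" : "keep");
	printf("fragment to unicast:   %s\n", should_drop(frag_to_unicast, WLAN_HDR_LEN) ? "drop" : "keep");
	printf("whole frame multicast: %s\n", should_drop(whole_to_mcast, WLAN_HDR_LEN) ? "drop" : "keep");
	printf("retried fragment:      %s\n", should_drop(retry_frag_unicast, WLAN_HDR_LEN) ? "drop" : "keep");
	return 0;
}
```

The check on addr1 follows the patch literally; for frames with the ToDS bit set the DA lives in addr3, so a deployment that must handle both directions would select the address field from the direction bits before applying the group-address test.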