From: Johannes Berg
To: linux-wireless@vger.kernel.org
Cc: Sriram R, stable@vger.kernel.org
Subject: [PATCH 17/18] ath11k: Clear the fragment cache during key install
Date: Tue, 11 May 2021 20:02:58 +0200
Message-Id: <20210511200110.218dc777836f.I9af6fc76215a35936c4152552018afb5079c5d8c@changeid>
In-Reply-To: <20210511180259.159598-1-johannes@sipsolutions.net>
References: <20210511180259.159598-1-johannes@sipsolutions.net>
From: Sriram R Currently the fragment cache setup during peer assoc is cleared only during peer delete. In case a key reinstallation happens with the same peer, the same fragment cache with old fragments added before key installation could be clubbed with fragments received after. This might be exploited to mix fragments of different data resulting in a proper unintended reassembled packet to be passed up the stack. Hence flush the fragment cache on every key installation to prevent potential attacks (CVE-2020-24587). Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01734-QCAHKSWPL_SILICONZ-1 v2 Cc: stable@vger.kernel.org Signed-off-by: Sriram R Signed-off-by: Jouni Malinen Signed-off-by: Johannes Berg --- drivers/net/wireless/ath/ath11k/dp_rx.c | 18 ++++++++++++++++++ drivers/net/wireless/ath/ath11k/dp_rx.h | 1 + drivers/net/wireless/ath/ath11k/mac.c | 6 ++++++ 3 files changed, 25 insertions(+) diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 1d9aa1bb6b6e..3382f8bfcb48 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -852,6 +852,24 @@ static void ath11k_dp_rx_frags_cleanup(struct dp_rx_tid *rx_tid, bool rel_link_d __skb_queue_purge(&rx_tid->rx_frags); } +void ath11k_peer_frags_flush(struct ath11k *ar, struct ath11k_peer *peer) +{ + struct dp_rx_tid *rx_tid; + int i; + + lockdep_assert_held(&ar->ab->base_lock); + + for (i = 0; i <= IEEE80211_NUM_TIDS; i++) { + rx_tid = &peer->rx_tid[i]; + + spin_unlock_bh(&ar->ab->base_lock); + del_timer_sync(&rx_tid->frag_timer); + spin_lock_bh(&ar->ab->base_lock); + + ath11k_dp_rx_frags_cleanup(rx_tid, true); + } +} + void ath11k_peer_rx_tid_cleanup(struct ath11k *ar, struct ath11k_peer *peer) { struct dp_rx_tid *rx_tid; diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.h b/drivers/net/wireless/ath/ath11k/dp_rx.h index bf399312b5ff..623da3bf9dc8 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.h 
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.h @@ -49,6 +49,7 @@ int ath11k_dp_peer_rx_pn_replay_config(struct ath11k_vif *arvif, const u8 *peer_addr, enum set_key_cmd key_cmd, struct ieee80211_key_conf *key); +void ath11k_peer_frags_flush(struct ath11k *ar, struct ath11k_peer *peer); void ath11k_peer_rx_tid_cleanup(struct ath11k *ar, struct ath11k_peer *peer); void ath11k_peer_rx_tid_delete(struct ath11k *ar, struct ath11k_peer *peer, u8 tid); diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c index 4df425dd31a2..9d0ff150ec30 100644 --- a/drivers/net/wireless/ath/ath11k/mac.c +++ b/drivers/net/wireless/ath/ath11k/mac.c @@ -2779,6 +2779,12 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, */ spin_lock_bh(&ab->base_lock); peer = ath11k_peer_find(ab, arvif->vdev_id, peer_addr); + + /* flush the fragments cache during key (re)install to + * ensure all frags in the new frag list belong to the same key. + */ + if (peer && cmd == SET_KEY) + ath11k_peer_frags_flush(ar, peer); spin_unlock_bh(&ab->base_lock); if (!peer) { -- 2.30.2
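Review bot: in the dp_rx.c hunk, ath11k_peer_frags_flush() asserts with lockdep_assert_held(&ar->ab->base_lock) that the caller holds base_lock, then drops and reacquires that lock around del_timer_sync() on every loop iteration, while its only caller (the mac.c hunk) fetched `peer` via ath11k_peer_find() under the same lock; nothing in the hunk says why `peer` and `peer->rx_tid[i]` remain valid across the unlocked window, which is exactly where a concurrent peer delete would otherwise run. Suggest a comment next to the lockdep assertion stating what keeps the peer alive while the lock is released (or a kernel-doc note that the function temporarily drops base_lock), so callers that hold other state under base_lock are not surprised by the release.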
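Review bot: in the mac.c hunk, the flush runs at the top of ath11k_mac_op_set_key() right after ath11k_peer_find(), before the rest of the key installation in that function proceeds, so there is a window after `ath11k_peer_frags_flush(ar, peer);` returns and base_lock is dropped in which fragments still protected by the old key can be queued and later combined with fragments received under the new key; either flush once the new key has taken effect or extend the comment "flush the fragments cache during key (re)install" to say why that window is acceptable. The condition `if (peer && cmd == SET_KEY)` also leaves fragments in place on DISABLE_KEY; if that is intended because peer delete already clears the cache, as the commit message states, it is worth saying so in the comment rather than leaving it for the reader to infer.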
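The condition the commit message describes, old-key fragments left in the per-TID cache being reassembled together with fragments received after a rekey, can be reproduced with a small user-space model. The following is an added example written for this page; it is not ath11k or kernel code, and every name in it (`peer_frags_flush`, `peer_set_key`, `peer_rx_frag`, `run_rekey_scenario`) and the two sample fragments are constructed for the illustration. It tags each fragment with the key it was received under so that the reassembled result can be checked for mixing, and runs the same sequence twice: once with the pre-patch behaviour (no flush at key install) and once with the flush the patch adds.

```c
/* Added example, not part of the patch or of ath11k: a minimal per-TID
 * fragment cache that shows why the cache must be flushed at key install.
 * Names and sample data below are constructed for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_TIDS     17   /* 16 QoS TIDs plus one non-QoS slot, like ath11k's rx_tid[] */
#define MAX_FRAGS     8
#define FRAG_PAYLOAD 16

struct frag {
    uint16_t seq;        /* sequence number shared by all fragments of one MSDU */
    uint8_t  frag_num;   /* position of this fragment inside the MSDU */
    bool     more_frags; /* 802.11 "More Fragments" bit */
    uint8_t  key_id;     /* key this fragment was received under (demo bookkeeping) */
    char     payload[FRAG_PAYLOAD];
};

struct tid_frag_cache {
    struct frag frags[MAX_FRAGS];
    size_t      count;
};

struct peer {
    struct tid_frag_cache rx_tid[NUM_TIDS];
    uint8_t               cur_key_id;
};

static void peer_init(struct peer *p, uint8_t key_id)
{
    memset(p, 0, sizeof(*p));
    p->cur_key_id = key_id;
}

/* Drop every queued fragment on every TID: the demo counterpart of the
 * ath11k_peer_frags_flush() added by the patch. */
static void peer_frags_flush(struct peer *p)
{
    for (int i = 0; i < NUM_TIDS; i++)
        p->rx_tid[i].count = 0;
}

/* Key (re)install. flush_frags=true is the patched behaviour; false is
 * the pre-patch behaviour the commit message describes. */
static void peer_set_key(struct peer *p, uint8_t key_id, bool flush_frags)
{
    if (flush_frags)
        peer_frags_flush(p);
    p->cur_key_id = key_id;
}

/* Queue one fragment for a TID. When the final fragment arrives the MSDU is
 * concatenated into out, *keys_used receives the number of distinct key IDs
 * among its fragments, the cache is cleared and true is returned. Fragments
 * that cannot belong to the MSDU in progress are dropped. */
static bool peer_rx_frag(struct peer *p, int tid, const struct frag *f,
                         char *out, size_t out_len, int *keys_used)
{
    struct tid_frag_cache *c = &p->rx_tid[tid];

    if (c->count == 0) {
        if (f->frag_num != 0)       /* no MSDU in progress: fragment 0 required */
            return false;
    } else {
        const struct frag *last = &c->frags[c->count - 1];
        if (f->seq != last->seq || f->frag_num != last->frag_num + 1)
            return false;           /* different MSDU or out of order */
    }
    if (c->count == MAX_FRAGS)
        return false;

    c->frags[c->count++] = *f;
    if (f->more_frags)
        return false;               /* wait for the remaining fragments */

    bool seen[256] = { false };
    size_t used = 0;
    *keys_used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < c->count; i++) {
        size_t len = strlen(c->frags[i].payload);
        if (used + len + 1 > out_len)
            break;
        memcpy(out + used, c->frags[i].payload, len + 1);
        used += len;
        if (!seen[c->frags[i].key_id]) {
            seen[c->frags[i].key_id] = true;
            (*keys_used)++;
        }
    }
    c->count = 0;
    return true;
}

/* Sequence from the commit message: fragment 0 arrives under key 1, the peer
 * is rekeyed to key 2, fragment 1 arrives under key 2. Returns the number of
 * distinct keys in the reassembled MSDU, or 0 if nothing was reassembled;
 * 2 means fragments of different keys were combined into one packet. */
int run_rekey_scenario(bool flush_on_rekey)
{
    struct peer p;
    char msdu[2 * FRAG_PAYLOAD];
    int keys = 0;
    const int tid = 0;
    /* Constructed sample fragments for this example. */
    struct frag f0 = { .seq = 5, .frag_num = 0, .more_frags = true,  .key_id = 1, .payload = "GET /index" };
    struct frag f1 = { .seq = 5, .frag_num = 1, .more_frags = false, .key_id = 2, .payload = ".html" };

    peer_init(&p, 1);
    peer_rx_frag(&p, tid, &f0, msdu, sizeof(msdu), &keys);
    peer_set_key(&p, 2, flush_on_rekey);
    if (!peer_rx_frag(&p, tid, &f1, msdu, sizeof(msdu), &keys))
        return 0;
    printf("reassembled \"%s\" from %d key(s)\n", msdu, keys);
    return keys;
}

int main(void)
{
    printf("without flush at key install: %d\n", run_rekey_scenario(false));
    printf("with flush at key install:    %d\n", run_rekey_scenario(true));
    return 0;
}
```

Without the flush the second fragment, received under key 2, is appended to the fragment queued under key 1 and a complete MSDU built from two keys is handed up; with the flush at key install the stale fragment is gone, the late fragment has no fragment 0 to attach to and is dropped. The model only keys the cache on sequence and fragment number, which is the minimum needed to show the effect; the patch's `cmd == SET_KEY` condition corresponds to `peer_set_key(..., true)` here.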