Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3753885pxj; Tue, 11 May 2021 11:06:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzXEw3hkejiJczGIsVEtISkcnR0Xs0/XWgRyNVpKHn9azpwUcwTx4pjPqFgryA/XxCYaO0B X-Received: by 2002:a2e:b81a:: with SMTP id u26mr26310264ljo.50.1620756405819; Tue, 11 May 2021 11:06:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620756405; cv=none; d=google.com; s=arc-20160816; b=mg7bkmfRFnEWzJfw+Eje02XwwhZQKeA1Bs4OjHMsqTP/V7TSrbSwaEAaN6AtuPuCkc pET/Tr9xapTJGwqeU0pqTCNh1wY5mScUD+4K5pHccB3h8K1lLnALj5XXGtGxr37FjyUi d+NQwIZgRTfbvhPKPW/EaFPVsiS2Yq+Nh68HdYgReRzG5KmiMOSZT7rvJEA/d0p48xGY 4mc6xtROkQuCfk9HckYUXQJqM9l+Koxi3PXVWheyoj7jI7l7Adi8BGzkPgyqseR2ViQQ SnYr0IIeEO1qqAs+02Q43zq4tXnMylHgDMRBuEnwRzMyEnCTLVumyTrhhetiOuaxxWLx jbsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=7y5Xshp298dUdj1nvW8TIORJ+e5hrP7ehUxNrjaxgto=; b=VQ7ER6Oyk/WfYotzeAxCvIROXDpJ2zRt+oS5J+FTbLgNTL0M3vhArQu03zPTvZSXZI vE7NOgpalEeLcKWJbILvQXI0KP6HZpAh4Nr8lxnB24LCEQNcgq94ulT2yRkiQMOk6/38 ZqkiBaf4IG3KbJMIwDbIoMsWF3hdBK7VLO1kaZlsiPbrK7FjDG8MJuBfD+msiyjBLFNP lxisqBFbsk60LuE1PImpq2h4/3Icf8/mwd5wq5ItqJG3IvJjyaF46gvGyWyPHHzDwYch OzRgefZUifbYo+ZNPOJkL9KrNKlRWLFuzovT09PM5XuffjbSGN3BM7J4qMLWl5VjepQS 385A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l22si21394613ljg.575.2021.05.11.11.06.16; Tue, 11 May 2021 11:06:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232008AbhEKSEf (ORCPT + 99 others); Tue, 11 May 2021 14:04:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41180 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231851AbhEKSEX (ORCPT ); Tue, 11 May 2021 14:04:23 -0400 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 05507C06138D; Tue, 11 May 2021 11:03:12 -0700 (PDT) Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1lgWit-007aAS-9Z; Tue, 11 May 2021 20:03:11 +0200 From: Johannes Berg To: linux-wireless@vger.kernel.org Cc: Wen Gong , stable@vger.kernel.org Subject: [PATCH 10/18] mac80211: extend protection against mixed key and fragment cache attacks Date: Tue, 11 May 2021 20:02:51 +0200 Message-Id: <20210511200110.037aa5ca0390.I7bb888e2965a0db02a67075fcb5deb50eb7408aa@changeid> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210511180259.159598-1-johannes@sipsolutions.net> References: <20210511180259.159598-1-johannes@sipsolutions.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Wen Gong For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is done by the hardware, and the Protected bit in the Frame Control field is cleared in the lower level driver before the frame is passed to mac80211. In such cases, the condition for ieee80211_has_protected() is not met in ieee80211_rx_h_defragment() of mac80211 and the new security validation steps are not executed. Extend mac80211 to cover the case where the Protected bit has been cleared, but the frame is indicated as having been decrypted by the hardware. This extends protection against mixed key and fragment cache attack for additional drivers/chips. This fixes CVE-2020-24586 and CVE-2020-24587 for such cases. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Cc: stable@vger.kernel.org Signed-off-by: Wen Gong Signed-off-by: Jouni Malinen Signed-off-by: Johannes Berg --- net/mac80211/rx.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 22a925899a9e..1bb43edd47b6 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -2229,6 +2229,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) unsigned int frag, seq; struct ieee80211_fragment_entry *entry; struct sk_buff *skb; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); hdr = (struct ieee80211_hdr *)rx->skb->data; fc = hdr->frame_control; @@ -2287,7 +2288,9 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) sizeof(rx->key->u.gcmp.rx_pn[queue])); BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN != IEEE80211_GCMP_PN_LEN); - } else if (rx->key && ieee80211_has_protected(fc)) { + } else if (rx->key && + (ieee80211_has_protected(fc) || + (status->flag & RX_FLAG_DECRYPTED))) { entry->is_protected = true; entry->key_color = rx->key->color; } @@ -2332,13 +2335,19 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) return RX_DROP_UNUSABLE; memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); } else if (entry->is_protected && - (!rx->key || !ieee80211_has_protected(fc) || + (!rx->key || + (!ieee80211_has_protected(fc) && + !(status->flag & RX_FLAG_DECRYPTED)) || rx->key->color != entry->key_color)) { /* Drop this as a mixed key or fragment cache attack, even * if for TKIP Michael MIC should protect us, and WEP is a * lost cause anyway. */ return RX_DROP_UNUSABLE; + } else if (entry->is_protected && rx->key && + entry->key_color != rx->key->color && + (status->flag & RX_FLAG_DECRYPTED)) { + return RX_DROP_UNUSABLE; } skb_pull(rx->skb, ieee80211_hdrlen(fc)); -- 2.30.2