Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2880480pxj; Mon, 31 May 2021 13:30:23 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwXJeYN3UO4cawDXmNa0DjKAaevRsaLmiRWxZU9WGbF/F0nHdw5vEYxsiBm4gSKQYh7MLoe X-Received: by 2002:a17:906:6a93:: with SMTP id p19mr24871380ejr.319.1622493023424; Mon, 31 May 2021 13:30:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622493023; cv=none; d=google.com; s=arc-20160816; b=kfEsDqFujRw6SbgxgoHekMYuL4QVybTVHNyiIbqjZIuffdOuX5fKKDErG8OnQBdTlK IfNtBu9WC8UX2EEmO7tNSvdIAP/m4yBdmYhL1Ck1AeRdiNbdvVAtISCn9mM7l5J+eFD+ Ff/2vZqHU1y6c/SFUf2HsCRPRwHZ11fnVAaZoXzJSlJn3bcSF9vKwdEp+HTz+Z6FsCls t8LAneTGOf+i75BrU5so2W4XCTHDVifNPCOKM6n1tG9AMeo8VqgcRuwgmRadk6JHjFOR e5USL17fK28VN7+QxS7PJSV97YyPRMM8S0IRVrxWgzCaxgafzXmXvcqbpGHTiyMbLXSm ElWA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=i8qFOgKR6rn49DryWk0ltHFJlSv88/rL378uZlCLGp0=; b=y1MCKrHepcxbYJMZ128jqpTyuj0KMj6iTS/NNLvAJyADDL+vXKj5WNUQNdyo5Ac5Jq 7skYH9DoE9LM+0nm3NPU3Mw2/MamS7IxxMVMjJ/t53Q3lfLG5uwOXQYUD57evS5JmlHZ 68IHg7XcYIiZYPb6RNMKFXGdQGfGF3b7kAF21O7ruf6iXWjUzBauP1lCTlHgrIdgQNNH h0Y64iRjrFDuKWf6b9dhchLE7C4O6hjMCn020YQmQpq9vBaH88ZU0ThYmEA3LbeL59zh vfRdQ2eMoy+2A/dMGrSp9LGGmj21aKyfO/enfl+smYIi+WbbUxnlgYYxPkdm9iRrE7vj V9sA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j12si5449434ejy.26.2021.05.31.13.30.00; Mon, 31 May 2021 13:30:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232269AbhEaUag (ORCPT + 99 others); Mon, 31 May 2021 16:30:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38402 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232117AbhEaUaV (ORCPT ); Mon, 31 May 2021 16:30:21 -0400 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AE99EC061574; Mon, 31 May 2021 13:28:41 -0700 (PDT) Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1lnoWd-000F0y-CW; Mon, 31 May 2021 22:28:39 +0200 From: Johannes Berg To: linux-wireless@vger.kernel.org Cc: stable@vger.kernel.org, Mathy Vanhoef Subject: [PATCH v4.4 04/10] cfg80211: mitigate A-MSDU aggregation attacks Date: Mon, 31 May 2021 22:28:28 +0200 Message-Id: <20210531202834.179810-5-johannes@sipsolutions.net> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210531202834.179810-1-johannes@sipsolutions.net> References: <20210531202834.179810-1-johannes@sipsolutions.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Mathy Vanhoef commit 2b8a1fee3488c602aca8bea004a087e60806a5cf upstream. Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation". Note that for kernel 4.9 and above this patch depends on "mac80211: properly handle A-MSDUs that start with a rfc1042 header". Otherwise this patch has no impact and attacks will remain possible. Cc: stable@vger.kernel.org Signed-off-by: Mathy Vanhoef Link: https://lore.kernel.org/r/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid Signed-off-by: Johannes Berg --- net/wireless/util.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/wireless/util.c b/net/wireless/util.c index 0c7b9de1e7f1..915f1fa881e4 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -689,6 +689,9 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, /* the last MSDU has no padding */ if (subframe_len > remaining) goto purge; + /* mitigate A-MSDU aggregation injection attacks */ + if (ether_addr_equal(eth->h_dest, rfc1042_header)) + goto purge; skb_pull(skb, sizeof(struct ethhdr)); /* reuse skb for the last subframe */ -- 2.31.1