Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2883151pxj; Mon, 31 May 2021 13:34:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzIh73lGwUd+btGCwCBrQd6V/hoSSGINrRZFnD9AFzv52Q/JRyPU/vrnxZq4sKC27Ax8+0h X-Received: by 2002:a50:d54c:: with SMTP id f12mr27036106edj.301.1622493285618; Mon, 31 May 2021 13:34:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622493285; cv=none; d=google.com; s=arc-20160816; b=vQLJcLyax4WQySNs4Ccm6jYIzIMuNEPmecDGDSHquFzrkA9Q1Dt3jTLBUiYP+70x1d pzyswNFCFrpbF1arhPy3GFrIYQ5oNsbd5QNmiLk20sVNyf2vyjbErjpDO2KlRKg6Kt4s ZDIUhSi0VSG2UGHuhnSlIPn2Mq3/gohhIvPgv6D8kdAWtlpDb8etB72z1KsGnGiv6gzx 2LBbdSjCdSUA6LT1iKTPw8ICJGdFD7FKP724I+9O8+PmbqaA2u2LzMWDP13ITbviQ8ri 8LU+NsnyQPd5vC1oOjAdzjzfrkdMhZoLXdZYXua0tIBg2Mj5wxltZ2aK8nDMiNozbQpk l2tQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=WlFTWFqZtZc9FUmLkCl41Cpz9u2QGQQqcfnXUo9scK4=; b=THEJpWEr6teIh8wMvFDUEe3miCHmPc2LAkGHECmAimbUF2dXhjH0tWdPWImOZ5yKUi XJG/vN2yvM7ksvT/C7BhXz0UmFaJ9ZLOEehVt8e3OlsxxYoLuFUpS/KkEG13ShvP8LDm BrsLaLmstVTPfLKfxePESaiX4g7hOIh1s3veqVmI0lqUViMS7R9VFCHMWqj+j+JACqiL dOS2fFUp8WtfIFYYFmf/jWIMjkxuoZueBUH/lAZaWVUjsRe08UUI/FzkU9/iDTryMOFQ 3JpGJO1pHxOQXHP1oQM0DPMYEJgN1iiCgc8fgGnQcFmcXWAFs+rM0JGTQ7oyxz/yK8m5 y2Tg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id au24si1850287ejc.482.2021.05.31.13.34.12; Mon, 31 May 2021 13:34:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232470AbhEaUdY (ORCPT + 99 others); Mon, 31 May 2021 16:33:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38998 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232340AbhEaUdA (ORCPT ); Mon, 31 May 2021 16:33:00 -0400 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 737DBC06138C; Mon, 31 May 2021 13:30:33 -0700 (PDT) Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1lnoYR-000F87-IW; Mon, 31 May 2021 22:30:31 +0200 From: Johannes Berg To: linux-wireless@vger.kernel.org Cc: stable@vger.kernel.org, Wen Gong Subject: [PATCH v4.9 10/10] mac80211: extend protection against mixed key and fragment cache attacks Date: Mon, 31 May 2021 22:30:21 +0200 Message-Id: <20210531203021.180010-11-johannes@sipsolutions.net> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210531203021.180010-1-johannes@sipsolutions.net> References: <20210531203021.180010-1-johannes@sipsolutions.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Wen Gong commit 3edc6b0d6c061a70d8ca3c3c72eb1f58ce29bfb1 upstream. For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is done by the hardware, and the Protected bit in the Frame Control field is cleared in the lower level driver before the frame is passed to mac80211. In such cases, the condition for ieee80211_has_protected() is not met in ieee80211_rx_h_defragment() of mac80211 and the new security validation steps are not executed. Extend mac80211 to cover the case where the Protected bit has been cleared, but the frame is indicated as having been decrypted by the hardware. This extends protection against mixed key and fragment cache attack for additional drivers/chips. This fixes CVE-2020-24586 and CVE-2020-24587 for such cases. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Cc: stable@vger.kernel.org Signed-off-by: Wen Gong Signed-off-by: Jouni Malinen Link: https://lore.kernel.org/r/20210511200110.037aa5ca0390.I7bb888e2965a0db02a67075fcb5deb50eb7408aa@changeid Signed-off-by: Johannes Berg --- net/mac80211/rx.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 21d44829a645..721caa5a5430 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -1977,7 +1977,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) unsigned int frag, seq; struct ieee80211_fragment_entry *entry; struct sk_buff *skb; - struct ieee80211_rx_status *status; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); hdr = (struct ieee80211_hdr *)rx->skb->data; fc = hdr->frame_control; @@ -2036,7 +2036,9 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) sizeof(rx->key->u.gcmp.rx_pn[queue])); BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN != IEEE80211_GCMP_PN_LEN); - } else if (rx->key && ieee80211_has_protected(fc)) { + } else if (rx->key && + (ieee80211_has_protected(fc) || + (status->flag & RX_FLAG_DECRYPTED))) { entry->is_protected = true; entry->key_color = rx->key->color; } @@ -2081,13 +2083,19 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) return RX_DROP_UNUSABLE; memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); } else if (entry->is_protected && - (!rx->key || !ieee80211_has_protected(fc) || + (!rx->key || + (!ieee80211_has_protected(fc) && + !(status->flag & RX_FLAG_DECRYPTED)) || rx->key->color != entry->key_color)) { /* Drop this as a mixed key or fragment cache attack, even * if for TKIP Michael MIC should protect us, and WEP is a * lost cause anyway. */ return RX_DROP_UNUSABLE; + } else if (entry->is_protected && rx->key && + entry->key_color != rx->key->color && + (status->flag & RX_FLAG_DECRYPTED)) { + return RX_DROP_UNUSABLE; } skb_pull(rx->skb, ieee80211_hdrlen(fc)); -- 2.31.1