Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2883236pxj;
        Mon, 31 May 2021 13:34:52 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyRdsYraWnTQAotWSS4w7Q96+l2DYFo/zkmdZV0B9RnQrgBEEMMDF+yqegs4sZIa3XsnqNX
X-Received: by 2002:aa7:cb19:: with SMTP id s25mr27604483edt.194.1622493292002;
        Mon, 31 May 2021 13:34:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622493291; cv=none;
        d=google.com; s=arc-20160816;
        b=07cG9jBFP/29QgzsH2sxlM3ntzwBz1udEDu/o6NXEYYS5vvJMeeOmgBqSx4Pobghi8
         H3widsDe1OW0Fifs5lX72F4bLZcTcj8+B4cZZ0rdhBiFjz5JqDv2114JPP71V0hHmskR
         SDHkmQkB8FbnOjFwwX+MyGKv0gx4xwrbLQqc+xOzR2thMIJ+daFI2m+SAcaQeecwWK2N
         E/S2aTHaWU/wg6JO2PuszJDORZcsiPZ+ro0ip6UqA6EftipdUHPF8z38sF6+Il7ugvAf
         2qcyTF2AOpRfva4tVOSWsD47pvl414jr7W3GXZ/6HJHAvM568IvSPBaPmbSgK9jgF1bO
         AytA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=Ax/5yrUnQod+oL/xXblmP1Iz2gm7PMSpiPrU//BLwWc=;
        b=zbeTSmkTC2Jvjr6UT+CnHk+wfMPkwE3/c53O0+bQFf2XtgqUfOUDsVWHNSkTJj21Vr
         ZSvAsM3TvuCobXlRVHZpJZB2xgV6ytjSQV8JWsOdy/IgBztlFBUw9xVGNYPWABfF5max
         pmUlSRyUXlIWxTiWl1vORCQqnvfpQrj81x8/F+J+2TZUGmPKOprSyKobly2qP9TestlZ
         Hu7vCRUWx8WOG/Z/Sjl7mpaqc2Hyg9JI53E4SkCsCs4X7bOCxhiIz1p8dy0cWkH8VzRW
         7VjKjYhztO3UYoaBEddgaoBfxxNDYWwxeqwz93uNfkqK947Eu4iaRleTmn86VjxIw71E
         d0KQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id rh9si15381512ejb.139.2021.05.31.13.34.23;
        Mon, 31 May 2021 13:34:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232282AbhEaUdp (ORCPT <rfc822;reach.praptipandit@gmail.com>
        + 99 others); Mon, 31 May 2021 16:33:45 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39088 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232421AbhEaUdV (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Mon, 31 May 2021 16:33:21 -0400
Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2997FC061761;
        Mon, 31 May 2021 13:31:41 -0700 (PDT)
Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
        (Exim 4.94.2)
        (envelope-from <johannes@sipsolutions.net>)
        id 1lnoZX-000FBv-B6; Mon, 31 May 2021 22:31:39 +0200
From:   Johannes Berg <johannes@sipsolutions.net>
To:     linux-wireless@vger.kernel.org
Cc:     stable@vger.kernel.org, Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
Subject: [PATCH v4.14 04/10] cfg80211: mitigate A-MSDU aggregation attacks
Date:   Mon, 31 May 2021 22:31:29 +0200
Message-Id: <20210531203135.180427-5-johannes@sipsolutions.net>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531203135.180427-1-johannes@sipsolutions.net>
References: <20210531203135.180427-1-johannes@sipsolutions.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>

commit 2b8a1fee3488c602aca8bea004a087e60806a5cf upstream.

Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
header, and if so dropping the complete A-MSDU frame. This mitigates
known attacks, although new (unknown) aggregation-based attacks may
remain possible.

This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.
For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
Through Frame Aggregation and Fragmentation".

Note that for kernel 4.9 and above this patch depends on "mac80211:
properly handle A-MSDUs that start with a rfc1042 header". Otherwise
this patch has no impact and attacks will remain possible.

Cc: stable@vger.kernel.org
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
Link: https://lore.kernel.org/r/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/wireless/util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 2aef1c487be6..b3895a8a48ab 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -768,6 +768,9 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,
 		remaining = skb->len - offset;
 		if (subframe_len > remaining)
 			goto purge;
+		/* mitigate A-MSDU aggregation injection attacks */
+		if (ether_addr_equal(eth.h_dest, rfc1042_header))
+			goto purge;
 
 		offset += sizeof(struct ethhdr);
 		last = remaining <= subframe_len + padding;
-- 
2.31.1