From: Johannes Berg
To: linux-wireless@vger.kernel.org
Cc: stable@vger.kernel.org, Johannes Berg
Subject: [PATCH v4.14 05/10] mac80211: drop A-MSDUs on old ciphers
Date: Mon, 31 May 2021 22:31:30 +0200
Message-Id: <20210531203135.180427-6-johannes@sipsolutions.net>
In-Reply-To: <20210531203135.180427-1-johannes@sipsolutions.net>
References: <20210531203135.180427-1-johannes@sipsolutions.net>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Johannes Berg commit 270032a2a9c4535799736142e1e7c413ca7b836e upstream. With old ciphers (WEP and TKIP) we shouldn't be using A-MSDUs since A-MSDUs are only supported if we know that they are, and the only practical way for that is HT support which doesn't support old ciphers. However, we would normally accept them anyway. Since we check the MMIC before deaggregating A-MSDUs, and the A-MSDU bit in the QoS header is not protected in TKIP (or WEP), this enables attacks similar to CVE-2020-24588. To prevent that, drop A-MSDUs completely with old ciphers. Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210511200110.076543300172.I548e6e71f1ee9cad4b9a37bf212ae7db723587aa@changeid Signed-off-by: Johannes Berg --- net/mac80211/rx.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index be7e37edad12..d6cdd0c025ca 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -2455,6 +2455,23 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx) true)) return RX_DROP_UNUSABLE; + if (rx->key) { + /* + * We should not receive A-MSDUs on pre-HT connections, + * and HT connections cannot use old ciphers. Thus drop + * them, as in those cases we couldn't even have SPP + * A-MSDUs or such. + */ + switch (rx->key->conf.cipher) { + case WLAN_CIPHER_SUITE_WEP40: + case WLAN_CIPHER_SUITE_WEP104: + case WLAN_CIPHER_SUITE_TKIP: + return RX_DROP_UNUSABLE; + default: + break; + } + } + ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr, rx->sdata->vif.type, rx->local->hw.extra_tx_headroom, -- 2.31.1
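
Review bot: The comment inside the new `if (rx->key)` block in ieee80211_rx_h_amsdu() justifies the drop only by the HT argument ("HT connections cannot use old ciphers") and leaves out the security reason given in the commit message: the A-MSDU bit in the QoS header is not protected in TKIP or WEP, and the MMIC is checked before deaggregation, which enables attacks similar to CVE-2020-24588. I'd suggest adding one sentence to that effect to the comment, so that the check is not later relaxed as if it were only an interoperability restriction. Also, the switch runs only when rx->key is set, so it covers frames associated with a WEP40, WEP104 or TKIP key and nothing else; if that is the intended scope, it is worth stating in the comment as well.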