package/kernel/mac80211/patches/subsys/389-mac80211-extend-protection-against-mixed-key-and-fra.patch

   1 From: Wen Gong <wgong@codeaurora.org>
   2 Date: Tue, 11 May 2021 20:02:51 +0200
   3 Subject: [PATCH] mac80211: extend protection against mixed key and
   4  fragment cache attacks
   5
   6 For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is
   7 done by the hardware, and the Protected bit in the Frame Control field
   8 is cleared in the lower level driver before the frame is passed to
   9 mac80211. In such cases, the condition for ieee80211_has_protected() is
  10 not met in ieee80211_rx_h_defragment() of mac80211 and the new security
  11 validation steps are not executed.
  12
  13 Extend mac80211 to cover the case where the Protected bit has been
  14 cleared, but the frame is indicated as having been decrypted by the
  15 hardware. This extends protection against mixed key and fragment cache
  16 attack for additional drivers/chips. This fixes CVE-2020-24586 and
  17 CVE-2020-24587 for such cases.
  18
  19 Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
  20
  21 Cc: stable@vger.kernel.org
  22 Signed-off-by: Wen Gong <wgong@codeaurora.org>
  23 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
  24 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  25 ---
  26
  27 --- a/net/mac80211/rx.c
  28 +++ b/net/mac80211/rx.c
  29 @@ -2239,6 +2239,7 @@ ieee80211_rx_h_defragment(struct ieee802
  30         unsigned int frag, seq;
  31         struct ieee80211_fragment_entry *entry;
  32         struct sk_buff *skb;
  33 +       struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
  34
  35         hdr = (struct ieee80211_hdr *)rx->skb->data;
  36         fc = hdr->frame_control;
  37 @@ -2297,7 +2298,9 @@ ieee80211_rx_h_defragment(struct ieee802
  38                                      sizeof(rx->key->u.gcmp.rx_pn[queue]));
  39                         BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
  40                                      IEEE80211_GCMP_PN_LEN);
  41 -               } else if (rx->key && ieee80211_has_protected(fc)) {
  42 +               } else if (rx->key &&
  43 +                          (ieee80211_has_protected(fc) ||
  44 +                           (status->flag & RX_FLAG_DECRYPTED))) {
  45                         entry->is_protected = true;
  46                         entry->key_color = rx->key->color;
  47                 }
  48 @@ -2342,13 +2345,19 @@ ieee80211_rx_h_defragment(struct ieee802
  49                         return RX_DROP_UNUSABLE;
  50                 memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
  51         } else if (entry->is_protected &&
  52 -                  (!rx->key || !ieee80211_has_protected(fc) ||
  53 +                  (!rx->key ||
  54 +                   (!ieee80211_has_protected(fc) &&
  55 +                    !(status->flag & RX_FLAG_DECRYPTED)) ||
  56                     rx->key->color != entry->key_color)) {
  57                 /* Drop this as a mixed key or fragment cache attack, even
  58                  * if for TKIP Michael MIC should protect us, and WEP is a
  59                  * lost cause anyway.
  60                  */
  61                 return RX_DROP_UNUSABLE;
  62 +       } else if (entry->is_protected && rx->key &&
  63 +                  entry->key_color != rx->key->color &&
  64 +                  (status->flag & RX_FLAG_DECRYPTED)) {
  65 +               return RX_DROP_UNUSABLE;
  66         }
  67
  68         skb_pull(rx->skb, ieee80211_hdrlen(fc));