From: Wen Gong <wgong@codeaurora.org>
Date: Tue, 11 May 2021 20:02:56 +0200
Subject: [PATCH] ath10k: Fix TKIP Michael MIC verification for PCIe

TKIP Michael MIC was not verified properly for PCIe cases since the
validation steps in ieee80211_rx_h_michael_mic_verify() in mac80211 did
not get fully executed due to unexpected flag values in

Fix this by setting the flags property to meet mac80211 expectations for
performing Michael MIC validation there. This fixes CVE-2020-26141. It
does the same as ath10k_htt_rx_proc_rx_ind_hl() for SDIO which passed
MIC verification case. This applies only to QCA6174/QCA9377 PCIe.

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1

Cc: stable@vger.kernel.org
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
23 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c
24 +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
25 @@ -1974,6 +1974,11 @@ static void ath10k_htt_rx_h_mpdu(struct
28 ath10k_htt_rx_h_csum_offload(msdu);
30 + if (frag && !fill_crypt_header &&
31 + enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
32 + status->flag &= ~RX_FLAG_MMIC_STRIPPED;
34 ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype,
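Review bot: The new `if (frag && !fill_crypt_header && enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)` block clears RX_FLAG_MMIC_STRIPPED with no comment in the code explaining why, and the same three-part condition is repeated verbatim in the second hunk of this function. Since this flag decides whether mac80211 runs ieee80211_rx_h_michael_mic_verify() on the frame, a one-line comment stating that fragmented TKIP frames must keep the MIC visible to mac80211 would stop a later cleanup from removing the check. Consider evaluating the condition once into a local bool (or a small static helper) so the two sites cannot drift apart. It would also help to note why the flag has to be cleared before the ath10k_htt_rx_h_undecap() call rather than only at the later site.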
37 @@ -1991,6 +1996,11 @@ static void ath10k_htt_rx_h_mpdu(struct
39 hdr = (void *)msdu->data;
40 hdr->frame_control &= ~__cpu_to_le16(IEEE80211_FCTL_PROTECTED);
42 + if (frag && !fill_crypt_header &&
43 + enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
44 + status->flag &= ~RX_FLAG_IV_STRIPPED &
45 + ~RX_FLAG_MMIC_STRIPPED;
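Review bot: This site clears both RX_FLAG_IV_STRIPPED and RX_FLAG_MMIC_STRIPPED, while the earlier site in the same function clears only RX_FLAG_MMIC_STRIPPED, and nothing in the code says why the two differ. If the MMIC flag is set again between the two sites, that deserves a comment; if it is not, clearing it here is redundant and only the IV flag needs handling. The expression `~RX_FLAG_IV_STRIPPED & ~RX_FLAG_MMIC_STRIPPED` would read more clearly as `~(RX_FLAG_IV_STRIPPED | RX_FLAG_MMIC_STRIPPED)`. Please also confirm that clearing IEEE80211_FCTL_PROTECTED in frame_control on the line just above is still correct for this fragment case, since the flags now tell mac80211 that the IV and MIC are present in the frame.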