mac80211: backport upstream fixes for FragAttacks
[openwrt/openwrt.git] / package / kernel / mac80211 / patches / ath / 304-ath10k-Fix-TKIP-Michael-MIC-verification-for-PCIe.patch
1 From: Wen Gong <wgong@codeaurora.org>
2 Date: Tue, 11 May 2021 20:02:56 +0200
3 Subject: [PATCH] ath10k: Fix TKIP Michael MIC verification for PCIe
4
5 TKIP Michael MIC was not verified properly for PCIe cases since the
6 validation steps in ieee80211_rx_h_michael_mic_verify() in mac80211 did
7 not get fully executed due to unexpected flag values in
8 ieee80211_rx_status.
9
10 Fix this by setting the flags property to meet mac80211 expectations for
11 performing Michael MIC validation there. This fixes CVE-2020-26141. It
12 does the same as ath10k_htt_rx_proc_rx_ind_hl() for SDIO which passed
13 MIC verification case. This applies only to QCA6174/QCA9377 PCIe.
14
15 Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
16
17 Cc: stable@vger.kernel.org
18 Signed-off-by: Wen Gong <wgong@codeaurora.org>
19 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
20 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
21 ---
22
23 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c
24 +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
25 @@ -1974,6 +1974,11 @@ static void ath10k_htt_rx_h_mpdu(struct
26 }
27
28 ath10k_htt_rx_h_csum_offload(msdu);
29 +
30 + if (frag && !fill_crypt_header &&
31 + enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
32 + status->flag &= ~RX_FLAG_MMIC_STRIPPED;
33 +
34 ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype,
35 is_decrypted);
36
37 @@ -1991,6 +1996,11 @@ static void ath10k_htt_rx_h_mpdu(struct
38
39 hdr = (void *)msdu->data;
40 hdr->frame_control &= ~__cpu_to_le16(IEEE80211_FCTL_PROTECTED);
41 +
42 + if (frag && !fill_crypt_header &&
43 + enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
44 + status->flag &= ~RX_FLAG_IV_STRIPPED &
45 + ~RX_FLAG_MMIC_STRIPPED;
46 }
47 }
48