--- /dev/null
+From 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Date: Tue, 11 May 2021 20:02:42 +0200
+Subject: mac80211: assure all fragments are encrypted
+
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+
+commit 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad upstream.
+
+Do not mix plaintext and encrypted fragments in protected Wi-Fi
+networks. This fixes CVE-2020-26147.
+
+Previously, an attacker was able to first forward a legitimate encrypted
+fragment towards a victim, followed by a plaintext fragment. The
+encrypted and plaintext fragment would then be reassembled. For further
+details see Section 6.3 and Appendix D in the paper "Fragment and Forge:
+Breaking Wi-Fi Through Frame Aggregation and Fragmentation".
+
+Because of this change there are now two equivalent conditions in the
+code to determine if a received fragment requires sequential PNs, so we
+also move this test to a separate function to make the code easier to
+maintain.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Link: https://lore.kernel.org/r/20210511200110.30c4394bb835.I5acfdb552cc1d20c339c262315950b3eac491397@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/rx.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1942,6 +1942,16 @@ ieee80211_reassemble_find(struct ieee802
+ return NULL;
+ }
+
++static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc)
++{
++ return rx->key &&
++ (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
++ ieee80211_has_protected(fc);
++}
++
+ static ieee80211_rx_result debug_noinline
+ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ {
+@@ -1987,12 +1997,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ /* This is the first fragment of a new frame. */
+ entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
+ rx->seqno_idx, &(rx->skb));
+- if (rx->key &&
+- (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
+- rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
+- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
+- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
+- ieee80211_has_protected(fc)) {
++ if (requires_sequential_pn(rx, fc)) {
+ int queue = rx->security_idx;
+
+ /* Store CCMP/GCMP PN so that we can verify that the
+@@ -2034,11 +2039,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
+ int queue;
+
+- if (!rx->key ||
+- (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP &&
+- rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 &&
+- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP &&
+- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256))
++ if (!requires_sequential_pn(rx, fc))
+ return RX_DROP_UNUSABLE;
+ memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
+ for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
--- /dev/null
+From 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Date: Tue, 11 May 2021 20:02:43 +0200
+Subject: mac80211: prevent mixed key and fragment cache attacks
+
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+
+commit 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 upstream.
+
+Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment
+cache attacks (CVE-2020-24586). This is accomplished by assigning a
+unique color to every key (per interface) and using this to track which
+key was used to decrypt a fragment. When reassembling frames, it is
+now checked whether all fragments were decrypted using the same key.
+
+To assure that fragment cache attacks are also prevented, the ID that is
+assigned to keys is unique even over (re)associations and (re)connects.
+This means fragments separated by a (re)association or (re)connect will
+not be reassembled. Because mac80211 now also prevents the reassembly of
+mixed encrypted and plaintext fragments, all cache attacks are prevented.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Link: https://lore.kernel.org/r/20210511200110.3f8290e59823.I622a67769ed39257327a362cfc09c812320eb979@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ieee80211_i.h | 1 +
+ net/mac80211/key.c | 7 +++++++
+ net/mac80211/key.h | 2 ++
+ net/mac80211/rx.c | 6 ++++++
+ 4 files changed, 16 insertions(+)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -97,6 +97,7 @@ struct ieee80211_fragment_entry {
+ u8 rx_queue;
+ bool check_sequential_pn; /* needed for CCMP/GCMP */
+ u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
++ unsigned int key_color;
+ };
+
+
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -646,6 +646,7 @@ int ieee80211_key_link(struct ieee80211_
+ struct ieee80211_sub_if_data *sdata,
+ struct sta_info *sta)
+ {
++ static atomic_t key_color = ATOMIC_INIT(0);
+ struct ieee80211_local *local = sdata->local;
+ struct ieee80211_key *old_key;
+ int idx = key->conf.keyidx;
+@@ -681,6 +682,12 @@ int ieee80211_key_link(struct ieee80211_
+ key->sdata = sdata;
+ key->sta = sta;
+
++ /*
++ * Assign a unique ID to every key so we can easily prevent mixed
++ * key and fragment cache attacks.
++ */
++ key->color = atomic_inc_return(&key_color);
++
+ increment_tailroom_need_count(sdata);
+
+ ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
+--- a/net/mac80211/key.h
++++ b/net/mac80211/key.h
+@@ -127,6 +127,8 @@ struct ieee80211_key {
+ } debugfs;
+ #endif
+
++ unsigned int color;
++
+ /*
+ * key config, must be last because it contains key
+ * material as variable length member
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2004,6 +2004,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ * next fragment has a sequential PN value.
+ */
+ entry->check_sequential_pn = true;
++ entry->key_color = rx->key->color;
+ memcpy(entry->last_pn,
+ rx->key->u.ccmp.rx_pn[queue],
+ IEEE80211_CCMP_PN_LEN);
+@@ -2041,6 +2042,11 @@ ieee80211_rx_h_defragment(struct ieee802
+
+ if (!requires_sequential_pn(rx, fc))
+ return RX_DROP_UNUSABLE;
++
++ /* Prevent mixed key and fragment cache attacks */
++ if (entry->key_color != rx->key->color)
++ return RX_DROP_UNUSABLE;
++
+ memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
+ for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
+ pn[i]++;
--- /dev/null
+From 1a6e9a9c68c1f183872e4bcc947382111c2e04eb Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 24 May 2021 11:25:11 +0200
+Subject: net: hso: fix control-request directions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1a6e9a9c68c1f183872e4bcc947382111c2e04eb upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the tiocmset and rfkill requests which erroneously used
+usb_rcvctrlpipe().
+
+Fixes: 72dc1c096c70 ("HSO: add option hso driver")
+Cc: stable@vger.kernel.org # 2.6.27
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/hso.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -1703,7 +1703,7 @@ static int hso_serial_tiocmset(struct tt
+ spin_unlock_irqrestore(&serial->serial_lock, flags);
+
+ return usb_control_msg(serial->parent->usb,
+- usb_rcvctrlpipe(serial->parent->usb, 0), 0x22,
++ usb_sndctrlpipe(serial->parent->usb, 0), 0x22,
+ 0x21, val, if_num, NULL, 0,
+ USB_CTRL_SET_TIMEOUT);
+ }
+@@ -2451,7 +2451,7 @@ static int hso_rfkill_set_block(void *da
+ if (hso_dev->usb_gone)
+ rv = 0;
+ else
+- rv = usb_control_msg(hso_dev->usb, usb_rcvctrlpipe(hso_dev->usb, 0),
++ rv = usb_control_msg(hso_dev->usb, usb_sndctrlpipe(hso_dev->usb, 0),
+ enabled ? 0x82 : 0x81, 0x40, 0, 0, NULL, 0,
+ USB_CTRL_SET_TIMEOUT);
+ mutex_unlock(&hso_dev->mutex);
--- /dev/null
+From bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 25 May 2021 12:37:35 -0700
+Subject: proc: Check /proc/$pid/attr/ writes against file opener
+
+From: Kees Cook <keescook@chromium.org>
+
+commit bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 upstream.
+
+Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/
+files need to check the opener credentials, since these fds do not
+transition state across execve(). Without this, it is possible to
+trick another process (which may have different credentials) to write
+to its own /proc/$pid/attr/ files, leading to unexpected and possibly
+exploitable behaviors.
+
+[1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/base.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2522,6 +2522,10 @@ static ssize_t proc_pid_attr_write(struc
+ ssize_t length;
+ struct task_struct *task = get_proc_task(inode);
+
++ /* A task may only write when it was the opener. */
++ if (file->f_cred != current_real_cred())
++ return -EPERM;
++
+ length = -ESRCH;
+ if (!task)
+ goto out_no_task;
netfilter-x_tables-use-correct-memory-barriers.patch
nfc-nci-fix-memory-leak-in-nci_allocate_device.patch
nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
+proc-check-proc-pid-attr-writes-against-file-opener.patch
+net-hso-fix-control-request-directions.patch
+mac80211-assure-all-fragments-are-encrypted.patch
+mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
