4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 29 May 2021 15:06:25 +0000 (17:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 29 May 2021 15:06:25 +0000 (17:06 +0200)
added patches:
cfg80211-mitigate-a-msdu-aggregation-attacks.patch
mac80211-check-defrag-pn-against-current-frame.patch

queue-4.14/cfg80211-mitigate-a-msdu-aggregation-attacks.patch [new file with mode: 0644]
queue-4.14/mac80211-check-defrag-pn-against-current-frame.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/cfg80211-mitigate-a-msdu-aggregation-attacks.patch b/queue-4.14/cfg80211-mitigate-a-msdu-aggregation-attacks.patch
new file mode 100644 (file)
index 0000000..0687a89
--- /dev/null
@@ -0,0 +1,49 @@
+From 2b8a1fee3488c602aca8bea004a087e60806a5cf Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Date: Tue, 11 May 2021 20:02:45 +0200
+Subject: cfg80211: mitigate A-MSDU aggregation attacks
+
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+
+commit 2b8a1fee3488c602aca8bea004a087e60806a5cf upstream.
+
+Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
+destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
+header, and if so dropping the complete A-MSDU frame. This mitigates
+known attacks, although new (unknown) aggregation-based attacks may
+remain possible.
+
+This defense works because in A-MSDU aggregation injection attacks, a
+normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
+the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
+header. In other words, the destination MAC address of the first A-MSDU
+subframe contains the start of an RFC1042 header during an aggregation
+attack. We can detect this and thereby prevent this specific attack.
+For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
+Through Frame Aggregation and Fragmentation".
+
+Note that for kernel 4.9 and above this patch depends on "mac80211:
+properly handle A-MSDUs that start with a rfc1042 header". Otherwise
+this patch has no impact and attacks will remain possible.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Link: https://lore.kernel.org/r/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/util.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -767,6 +767,9 @@ void ieee80211_amsdu_to_8023s(struct sk_
+               remaining = skb->len - offset;
+               if (subframe_len > remaining)
+                       goto purge;
++              /* mitigate A-MSDU aggregation injection attacks */
++              if (ether_addr_equal(eth.h_dest, rfc1042_header))
++                      goto purge;
+               offset += sizeof(struct ethhdr);
+               last = remaining <= subframe_len + padding;
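Review bot: The patch's own description (L44–L46) says that on 4.9+ kernels this check has no effect unless "mac80211: properly handle A-MSDUs that start with a rfc1042 header" is applied first, and that prerequisite is neither among the two patches this commit queues nor in the series context visible at the bottom of the page (mac80211-assure-all-fragments-are-encrypted.patch, mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch). If it is not already earlier in queue-4.14/series, the new `if (ether_addr_equal(eth.h_dest, rfc1042_header)) goto purge;` never fires for the attack case on mac80211-based drivers and CVE-2020-24588 remains open on this branch, so the ordering should be confirmed before release. Note also that the check runs on every subframe of the loop, not only on the first subframe the description reasons about, so a legitimate A-MSDU carrying any subframe whose destination equals the rfc1042_header bytes is purged wholesale; that matches upstream, but a comment such as `/* applies to all subframes; a DA equal to the SNAP header is treated as an injection */` would save the next reader a trip to the paper. ieee80211_amsdu_to_8023s starts and ends outside the hunk.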
diff --git a/queue-4.14/mac80211-check-defrag-pn-against-current-frame.patch b/queue-4.14/mac80211-check-defrag-pn-against-current-frame.patch
new file mode 100644 (file)
index 0000000..81f2fab
--- /dev/null
@@ -0,0 +1,120 @@
+From bf30ca922a0c0176007e074b0acc77ed345e9990 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 11 May 2021 20:02:48 +0200
+Subject: mac80211: check defrag PN against current frame
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit bf30ca922a0c0176007e074b0acc77ed345e9990 upstream.
+
+As pointed out by Mathy Vanhoef, we implement the RX PN check
+on fragmented frames incorrectly - we check against the last
+received PN prior to the new frame, rather than to the one in
+this frame itself.
+
+Prior patches addressed the security issue here, but in order
+to be able to reason better about the code, fix it to really
+compare against the current frame's PN, not the last stored
+one.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210511200110.bfbc340ff071.Id0b690e581da7d03d76df90bb0e3fd55930bc8a0@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ieee80211_i.h |   11 +++++++++--
+ net/mac80211/rx.c          |    5 ++---
+ net/mac80211/wpa.c         |   13 +++++++++----
+ 3 files changed, 20 insertions(+), 9 deletions(-)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -242,8 +242,15 @@ struct ieee80211_rx_data {
+        */
+       int security_idx;
+-      u32 tkip_iv32;
+-      u16 tkip_iv16;
++      union {
++              struct {
++                      u32 iv32;
++                      u16 iv16;
++              } tkip;
++              struct {
++                      u8 pn[IEEE80211_CCMP_PN_LEN];
++              } ccm_gcm;
++      };
+ };
+ struct ieee80211_csa_settings {
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2063,7 +2063,6 @@ ieee80211_rx_h_defragment(struct ieee802
+       if (entry->check_sequential_pn) {
+               int i;
+               u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
+-              int queue;
+               if (!requires_sequential_pn(rx, fc))
+                       return RX_DROP_UNUSABLE;
+@@ -2078,8 +2077,8 @@ ieee80211_rx_h_defragment(struct ieee802
+                       if (pn[i])
+                               break;
+               }
+-              queue = rx->security_idx;
+-              rpn = rx->key->u.ccmp.rx_pn[queue];
++
++              rpn = rx->ccm_gcm.pn;
+               if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
+                       return RX_DROP_UNUSABLE;
+               memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
+--- a/net/mac80211/wpa.c
++++ b/net/mac80211/wpa.c
+@@ -2,6 +2,7 @@
+  * Copyright 2002-2004, Instant802 Networks, Inc.
+  * Copyright 2008, Jouni Malinen <j@w1.fi>
+  * Copyright (C) 2016 Intel Deutschland GmbH
++ * Copyright (C) 2020-2021 Intel Corporation
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -162,8 +163,8 @@ ieee80211_rx_h_michael_mic_verify(struct
+ update_iv:
+       /* update IV in key information to be able to detect replays */
+-      rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
+-      rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;
++      rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip.iv32;
++      rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip.iv16;
+       return RX_CONTINUE;
+@@ -289,8 +290,8 @@ ieee80211_crypto_tkip_decrypt(struct iee
+                                         key, skb->data + hdrlen,
+                                         skb->len - hdrlen, rx->sta->sta.addr,
+                                         hdr->addr1, hwaccel, rx->security_idx,
+-                                        &rx->tkip_iv32,
+-                                        &rx->tkip_iv16);
++                                        &rx->tkip.iv32,
++                                        &rx->tkip.iv16);
+       if (res != TKIP_DECRYPT_OK)
+               return RX_DROP_UNUSABLE;
+@@ -548,6 +549,8 @@ ieee80211_crypto_ccmp_decrypt(struct iee
+               }
+               memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
++              if (unlikely(ieee80211_is_frag(hdr)))
++                      memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);
+       }
+       /* Remove CCMP header and MIC */
+@@ -777,6 +780,8 @@ ieee80211_crypto_gcmp_decrypt(struct iee
+               }
+               memcpy(key->u.gcmp.rx_pn[queue], pn, IEEE80211_GCMP_PN_LEN);
++              if (unlikely(ieee80211_is_frag(hdr)))
++                      memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);
+       }
+       /* Remove GCMP header and MIC */
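Review bot: The new `ccm_gcm.pn` member added to struct ieee80211_rx_data in the ieee80211_i.h hunk carries no comment, yet it is written only under `if (unlikely(ieee80211_is_frag(hdr)))` in the CCMP and GCMP decrypt handlers and read unconditionally by the defrag comparison at `rpn = rx->ccm_gcm.pn;`, so its validity depends on the decrypt handler having run on this very fragment. I would document that invariant on the union: `/* per-frame state filled by the decrypt handler: TKIP IVs, or for CCMP/GCMP fragments the PN of this frame, which ieee80211_rx_h_defragment compares against the previous fragment's PN */`. Whether any path lets a fragment reach that memcmp without the memcpy having populated the field (for example when the driver reports the PN as already validated) cannot be determined from the hunk and should be confirmed against the surrounding code. A minor style point: the GCMP copy uses `IEEE80211_CCMP_PN_LEN` directly below a line using `IEEE80211_GCMP_PN_LEN`; it is the array's declared size, but `sizeof(rx->ccm_gcm.pn)` would avoid the double-take. All three functions touched start and end outside the hunk.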
index b2c10ef365124239988ddd470fcb1af11940d4a7..97019b3969ef0888108aa18fa99ff16be272a751 100644 (file)
@@ -12,3 +12,5 @@ proc-check-proc-pid-attr-writes-against-file-opener.patch
 net-hso-fix-control-request-directions.patch
 mac80211-assure-all-fragments-are-encrypted.patch
 mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch
+cfg80211-mitigate-a-msdu-aggregation-attacks.patch
+mac80211-check-defrag-pn-against-current-frame.patch