From 14485dcf2b8a79f46f7c6271eb8e7320db8dc98c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 29 May 2021 16:44:44 +0200 Subject: [PATCH] 4.9-stable patches added patches: mac80211-assure-all-fragments-are-encrypted.patch mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch net-hso-fix-control-request-directions.patch proc-check-proc-pid-attr-writes-against-file-opener.patch --- ...1-assure-all-fragments-are-encrypted.patch | 78 +++++++++++++++ ...mixed-key-and-fragment-cache-attacks.patch | 99 +++++++++++++++++++ ...t-hso-fix-control-request-directions.patch | 45 +++++++++ ...-pid-attr-writes-against-file-opener.patch | 40 ++++++++ queue-4.9/series | 4 + 5 files changed, 266 insertions(+) create mode 100644 queue-4.9/mac80211-assure-all-fragments-are-encrypted.patch create mode 100644 queue-4.9/mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch create mode 100644 queue-4.9/net-hso-fix-control-request-directions.patch create mode 100644 queue-4.9/proc-check-proc-pid-attr-writes-against-file-opener.patch diff --git a/queue-4.9/mac80211-assure-all-fragments-are-encrypted.patch b/queue-4.9/mac80211-assure-all-fragments-are-encrypted.patch new file mode 100644 index 00000000000..5d9f49e8f82 --- /dev/null +++ b/queue-4.9/mac80211-assure-all-fragments-are-encrypted.patch @@ -0,0 +1,78 @@ +From 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef +Date: Tue, 11 May 2021 20:02:42 +0200 +Subject: mac80211: assure all fragments are encrypted + +From: Mathy Vanhoef + +commit 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad upstream. + +Do not mix plaintext and encrypted fragments in protected Wi-Fi +networks. This fixes CVE-2020-26147. + +Previously, an attacker was able to first forward a legitimate encrypted +fragment towards a victim, followed by a plaintext fragment. The +encrypted and plaintext fragment would then be reassembled. For further +details see Section 6.3 and Appendix D in the paper "Fragment and Forge: +Breaking Wi-Fi Through Frame Aggregation and Fragmentation". + +Because of this change there are now two equivalent conditions in the +code to determine if a received fragment requires sequential PNs, so we +also move this test to a separate function to make the code easier to +maintain. + +Cc: stable@vger.kernel.org +Signed-off-by: Mathy Vanhoef +Link: https://lore.kernel.org/r/20210511200110.30c4394bb835.I5acfdb552cc1d20c339c262315950b3eac491397@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1942,6 +1942,16 @@ ieee80211_reassemble_find(struct ieee802 + return NULL; + } + ++static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc) ++{ ++ return rx->key && ++ (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP || ++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 || ++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP || ++ rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) && ++ ieee80211_has_protected(fc); ++} ++ + static ieee80211_rx_result debug_noinline + ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) + { +@@ -1987,12 +1997,7 @@ ieee80211_rx_h_defragment(struct ieee802 + /* This is the first fragment of a new frame. */ + entry = ieee80211_reassemble_add(rx->sdata, frag, seq, + rx->seqno_idx, &(rx->skb)); +- if (rx->key && +- (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP || +- rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 || +- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP || +- rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) && +- ieee80211_has_protected(fc)) { ++ if (requires_sequential_pn(rx, fc)) { + int queue = rx->security_idx; + + /* Store CCMP/GCMP PN so that we can verify that the +@@ -2034,11 +2039,7 @@ ieee80211_rx_h_defragment(struct ieee802 + u8 pn[IEEE80211_CCMP_PN_LEN], *rpn; + int queue; + +- if (!rx->key || +- (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP && +- rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 && +- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP && +- rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256)) ++ if (!requires_sequential_pn(rx, fc)) + return RX_DROP_UNUSABLE; + memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN); + for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) { diff --git a/queue-4.9/mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch b/queue-4.9/mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch new file mode 100644 index 00000000000..53b7a881aae --- /dev/null +++ b/queue-4.9/mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch @@ -0,0 +1,99 @@ +From 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef +Date: Tue, 11 May 2021 20:02:43 +0200 +Subject: mac80211: prevent mixed key and fragment cache attacks + +From: Mathy Vanhoef + +commit 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 upstream. + +Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment +cache attacks (CVE-2020-24586). This is accomplished by assigning a +unique color to every key (per interface) and using this to track which +key was used to decrypt a fragment. When reassembling frames, it is +now checked whether all fragments were decrypted using the same key. + +To assure that fragment cache attacks are also prevented, the ID that is +assigned to keys is unique even over (re)associations and (re)connects. +This means fragments separated by a (re)association or (re)connect will +not be reassembled. Because mac80211 now also prevents the reassembly of +mixed encrypted and plaintext fragments, all cache attacks are prevented. + +Cc: stable@vger.kernel.org +Signed-off-by: Mathy Vanhoef +Link: https://lore.kernel.org/r/20210511200110.3f8290e59823.I622a67769ed39257327a362cfc09c812320eb979@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ieee80211_i.h | 1 + + net/mac80211/key.c | 7 +++++++ + net/mac80211/key.h | 2 ++ + net/mac80211/rx.c | 6 ++++++ + 4 files changed, 16 insertions(+) + +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -97,6 +97,7 @@ struct ieee80211_fragment_entry { + u8 rx_queue; + bool check_sequential_pn; /* needed for CCMP/GCMP */ + u8 last_pn[6]; /* PN of the last fragment if CCMP was used */ ++ unsigned int key_color; + }; + + +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -646,6 +646,7 @@ int ieee80211_key_link(struct ieee80211_ + struct ieee80211_sub_if_data *sdata, + struct sta_info *sta) + { ++ static atomic_t key_color = ATOMIC_INIT(0); + struct ieee80211_local *local = sdata->local; + struct ieee80211_key *old_key; + int idx = key->conf.keyidx; +@@ -681,6 +682,12 @@ int ieee80211_key_link(struct ieee80211_ + key->sdata = sdata; + key->sta = sta; + ++ /* ++ * Assign a unique ID to every key so we can easily prevent mixed ++ * key and fragment cache attacks. ++ */ ++ key->color = atomic_inc_return(&key_color); ++ + increment_tailroom_need_count(sdata); + + ieee80211_key_replace(sdata, sta, pairwise, old_key, key); +--- a/net/mac80211/key.h ++++ b/net/mac80211/key.h +@@ -127,6 +127,8 @@ struct ieee80211_key { + } debugfs; + #endif + ++ unsigned int color; ++ + /* + * key config, must be last because it contains key + * material as variable length member +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2004,6 +2004,7 @@ ieee80211_rx_h_defragment(struct ieee802 + * next fragment has a sequential PN value. + */ + entry->check_sequential_pn = true; ++ entry->key_color = rx->key->color; + memcpy(entry->last_pn, + rx->key->u.ccmp.rx_pn[queue], + IEEE80211_CCMP_PN_LEN); +@@ -2041,6 +2042,11 @@ ieee80211_rx_h_defragment(struct ieee802 + + if (!requires_sequential_pn(rx, fc)) + return RX_DROP_UNUSABLE; ++ ++ /* Prevent mixed key and fragment cache attacks */ ++ if (entry->key_color != rx->key->color) ++ return RX_DROP_UNUSABLE; ++ + memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN); + for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) { + pn[i]++; diff --git a/queue-4.9/net-hso-fix-control-request-directions.patch b/queue-4.9/net-hso-fix-control-request-directions.patch new file mode 100644 index 00000000000..b6d694367ef --- /dev/null +++ b/queue-4.9/net-hso-fix-control-request-directions.patch @@ -0,0 +1,45 @@ +From 1a6e9a9c68c1f183872e4bcc947382111c2e04eb Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 24 May 2021 11:25:11 +0200 +Subject: net: hso: fix control-request directions + +From: Johan Hovold + +commit 1a6e9a9c68c1f183872e4bcc947382111c2e04eb upstream. + +The direction of the pipe argument must match the request-type direction +bit or control requests may fail depending on the host-controller-driver +implementation. + +Fix the tiocmset and rfkill requests which erroneously used +usb_rcvctrlpipe(). + +Fixes: 72dc1c096c70 ("HSO: add option hso driver") +Cc: stable@vger.kernel.org # 2.6.27 +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/hso.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -1703,7 +1703,7 @@ static int hso_serial_tiocmset(struct tt + spin_unlock_irqrestore(&serial->serial_lock, flags); + + return usb_control_msg(serial->parent->usb, +- usb_rcvctrlpipe(serial->parent->usb, 0), 0x22, ++ usb_sndctrlpipe(serial->parent->usb, 0), 0x22, + 0x21, val, if_num, NULL, 0, + USB_CTRL_SET_TIMEOUT); + } +@@ -2451,7 +2451,7 @@ static int hso_rfkill_set_block(void *da + if (hso_dev->usb_gone) + rv = 0; + else +- rv = usb_control_msg(hso_dev->usb, usb_rcvctrlpipe(hso_dev->usb, 0), ++ rv = usb_control_msg(hso_dev->usb, usb_sndctrlpipe(hso_dev->usb, 0), + enabled ? 0x82 : 0x81, 0x40, 0, 0, NULL, 0, + USB_CTRL_SET_TIMEOUT); + mutex_unlock(&hso_dev->mutex); diff --git a/queue-4.9/proc-check-proc-pid-attr-writes-against-file-opener.patch b/queue-4.9/proc-check-proc-pid-attr-writes-against-file-opener.patch new file mode 100644 index 00000000000..19647a15f2e --- /dev/null +++ b/queue-4.9/proc-check-proc-pid-attr-writes-against-file-opener.patch @@ -0,0 +1,40 @@ +From bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 25 May 2021 12:37:35 -0700 +Subject: proc: Check /proc/$pid/attr/ writes against file opener + +From: Kees Cook + +commit bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 upstream. + +Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/ +files need to check the opener credentials, since these fds do not +transition state across execve(). Without this, it is possible to +trick another process (which may have different credentials) to write +to its own /proc/$pid/attr/ files, leading to unexpected and possibly +exploitable behaviors. + +[1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/base.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -2522,6 +2522,10 @@ static ssize_t proc_pid_attr_write(struc + ssize_t length; + struct task_struct *task = get_proc_task(inode); + ++ /* A task may only write when it was the opener. */ ++ if (file->f_cred != current_real_cred()) ++ return -EPERM; ++ + length = -ESRCH; + if (!task) + goto out_no_task; diff --git a/queue-4.9/series b/queue-4.9/series index 5f3d9506a5d..f432aa46ee6 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -4,3 +4,7 @@ scripts-switch-explicitly-to-python-3.patch netfilter-x_tables-use-correct-memory-barriers.patch nfc-nci-fix-memory-leak-in-nci_allocate_device.patch nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch +proc-check-proc-pid-attr-writes-against-file-opener.patch +net-hso-fix-control-request-directions.patch +mac80211-assure-all-fragments-are-encrypted.patch +mac80211-prevent-mixed-key-and-fragment-cache-attacks.patch -- 2.47.3