From 46d9bf5eabab14651bff701ba49d847c96ecf328 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 4 Aug 2023 12:28:27 +0200 Subject: [PATCH] 4.19-stable patches added patches: ath10k-fix-tkip-michael-mic-verification-for-pcie.patch --- ...ip-michael-mic-verification-for-pcie.patch | 58 +++++++++++++++++++ queue-4.19/series | 1 + 2 files changed, 59 insertions(+) create mode 100644 queue-4.19/ath10k-fix-tkip-michael-mic-verification-for-pcie.patch diff --git a/queue-4.19/ath10k-fix-tkip-michael-mic-verification-for-pcie.patch b/queue-4.19/ath10k-fix-tkip-michael-mic-verification-for-pcie.patch new file mode 100644 index 00000000000..5ba325ba398 --- /dev/null +++ b/queue-4.19/ath10k-fix-tkip-michael-mic-verification-for-pcie.patch @@ -0,0 +1,58 @@ +From 0dc267b13f3a7e8424a898815dd357211b737330 Mon Sep 17 00:00:00 2001 +From: Wen Gong +Date: Tue, 11 May 2021 20:02:56 +0200 +Subject: ath10k: Fix TKIP Michael MIC verification for PCIe + +From: Wen Gong + +commit 0dc267b13f3a7e8424a898815dd357211b737330 upstream. + +TKIP Michael MIC was not verified properly for PCIe cases since the +validation steps in ieee80211_rx_h_michael_mic_verify() in mac80211 did +not get fully executed due to unexpected flag values in +ieee80211_rx_status. + +Fix this by setting the flags property to meet mac80211 expectations for +performing Michael MIC validation there. This fixes CVE-2020-26141. It +does the same as ath10k_htt_rx_proc_rx_ind_hl() for SDIO which passed +MIC verification case. This applies only to QCA6174/QCA9377 PCIe. + +Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 + +Cc: stable@vger.kernel.org +Signed-off-by: Wen Gong +Signed-off-by: Jouni Malinen +Link: https://lore.kernel.org/r/20210511200110.c3f1d42c6746.I795593fcaae941c471425b8c7d5f7bb185d29142@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Ashwin Dayanand Kamat +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -1645,6 +1645,11 @@ static void ath10k_htt_rx_h_mpdu(struct + + skb_queue_walk(amsdu, msdu) { + ath10k_htt_rx_h_csum_offload(msdu); ++ ++ if (frag && !fill_crypt_header && ++ enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA) ++ status->flag &= ~RX_FLAG_MMIC_STRIPPED; ++ + ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype, + is_decrypted); + +@@ -1662,6 +1667,11 @@ static void ath10k_htt_rx_h_mpdu(struct + + hdr = (void *)msdu->data; + hdr->frame_control &= ~__cpu_to_le16(IEEE80211_FCTL_PROTECTED); ++ ++ if (frag && !fill_crypt_header && ++ enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA) ++ status->flag &= ~RX_FLAG_IV_STRIPPED & ++ ~RX_FLAG_MMIC_STRIPPED; + } + } + diff --git a/queue-4.19/series b/queue-4.19/series index dfcda3fe436..61f3bd15d5a 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -285,3 +285,4 @@ net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch net-sched-cls_u32-fix-reference-counter-leak-leading-to-overflow.patch drivers-core-use-sysfs_emit-and-sysfs_emit_at-for-show-device-...-functions.patch +ath10k-fix-tkip-michael-mic-verification-for-pcie.patch -- 2.47.3