macsec: fix replay protection at XPN lower-PN wrap

In macsec_post_decrypt(), when pn is U32_MAX, pn + 1 overflows u32 to 0
and the first branch never fires. If next_pn_halves.lower is also in the
upper half, pn_same_half(pn, lower) is true and the XPN else-if does not
fire either, leaving next_pn_halves unchanged. An attacker that captures
the legitimate frame carrying pn == 0xFFFFFFFF on an XPN association
can then replay it indefinitely, since lowest_pn never rises above
the captured pn and macsec_decrypt() reconstructs the same IV.

Extend the XPN else-if to also fire when pn + 1 wraps to 0, so receipt
of pn == U32_MAX advances next_pn_halves to (upper + 1, 0).

Fixes: a21ecf0e0338 ("macsec: Support XPN frame handling - IEEE 802.1AEbw")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78813FD49E58F253B989F197AF012@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index f904f4d16b45fd4d8dbcb610de0814e55567b4af..fb009120a92415cf51f12eab15b4c7925a25704d 100644 (file)
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -808,7 +808,8 @@ static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u
                if (pn + 1 > rx_sa->next_pn_halves.lower) {
                        rx_sa->next_pn_halves.lower = pn + 1;
                } else if (secy->xpn &&
-                          !pn_same_half(pn, rx_sa->next_pn_halves.lower)) {
+                          (pn + 1 == 0 ||
+                           !pn_same_half(pn, rx_sa->next_pn_halves.lower))) {
                        rx_sa->next_pn_halves.upper++;
                        rx_sa->next_pn_halves.lower = pn + 1;
                }