From patchwork Fri Jan 24 19:14:23 2020
X-Patchwork-Submitter: Connor Kuehl
X-Patchwork-Id: 1229017
From: Connor Kuehl
To: kernel-team@lists.ubuntu.com
Subject: [Bionic][SRU][PATCH 2/2] mac80211: Do not send Layer 2 Update frame before authorization
Date: Fri, 24 Jan 2020 11:14:23 -0800
Message-Id: <20200124191424.24035-3-connor.kuehl@canonical.com>
In-Reply-To: <20200124191424.24035-1-connor.kuehl@canonical.com>
References: <20200124191424.24035-1-connor.kuehl@canonical.com>
List-Id: Kernel team discussions
From: Jouni Malinen

CVE-2019-5108

The Layer 2 Update frame is used to update bridges when a station roams to
another AP even if that STA does not transmit any frames after the
reassociation. This behavior was described in IEEE Std 802.11F-2003 as
something that would happen based on MLME-ASSOCIATE.indication, i.e., before
completing 4-way handshake. However, this IEEE trial-use recommended practice
document was published before RSN (IEEE Std 802.11i-2004) and as such, did not
consider RSN use cases. Furthermore, IEEE Std 802.11F-2003 was withdrawn in
2006 and as such, has not been maintained and should not be used anymore.

Sending out the Layer 2 Update frame immediately after association is fine for
open networks (and also when using SAE, FT protocol, or FILS authentication
when the station is actually authenticated by the time association completes).
However, it is not appropriate for cases where RSN is used with PSK or EAP
authentication since the station is actually fully authenticated only once the
4-way handshake completes after authentication and attackers might be able to
use the unauthenticated triggering of Layer 2 Update frame transmission to
disrupt bridge behavior.

Fix this by postponing transmission of the Layer 2 Update frame from station
entry addition to the point when the station entry is marked authorized.
Similarly, send out the VLAN binding update only if the STA entry has already
been authorized.

Signed-off-by: Jouni Malinen
Reviewed-by: Johannes Berg
Signed-off-by: David S. Miller
(cherry picked from commit 3e493173b7841259a08c5c8e5cbe90adb349da7e)
Signed-off-by: Connor Kuehl
---
 net/mac80211/cfg.c      | 14 ++++----------
 net/mac80211/sta_info.c |  4 ++++
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index f236a990638f..d437007b15bb 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1398,7 +1398,6 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev, struct sta_info *sta; struct ieee80211_sub_if_data *sdata; int err; - int layer2_update; if (params->vlan) { sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan); @@ -1442,18 +1441,12 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev, test_sta_flag(sta, WLAN_STA_ASSOC)) rate_control_rate_init(sta); - layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN || - sdata->vif.type == NL80211_IFTYPE_AP; - err = sta_info_insert_rcu(sta); if (err) { rcu_read_unlock(); return err; } - if (layer2_update) - cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); - rcu_read_unlock(); return 0; @@ -1551,10 +1544,11 @@ static int ieee80211_change_station(struct wiphy *wiphy, sta->sdata = vlansdata; ieee80211_check_fast_xmit(sta); - if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) + if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) { ieee80211_vif_inc_num_mcast(sta->sdata); - - cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); + cfg80211_send_layer2_update(sta->sdata->dev, + sta->sta.addr); + } } err = sta_apply_parameters(local, sta, params); diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index 844c024f1cbe..3bce168a2d21 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -1899,6 +1899,10 @@ int sta_info_move_state(struct sta_info *sta, ieee80211_check_fast_xmit(sta); ieee80211_check_fast_rx(sta); } + if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN || + sta->sdata->vif.type == NL80211_IFTYPE_AP) + cfg80211_send_layer2_update(sta->sdata->dev, + sta->sta.addr); break; default: break;
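Review bot: in the ieee80211_add_station() hunk (@@ -1442), removing the `layer2_update` computation and the post-insert cfg80211_send_layer2_update() call leaves the station-add path with no bridge announcement at all, including for stations that userspace adds as already authorized (the open-network, SAE, FT and FILS cases the commit message says are fine to announce at association). Whether those entries are still announced now depends entirely on the sta_info_move_state() path being reached for them, and that dependency is not visible at the removal site; a one-line comment there, or a sentence in the commit message, saying the frame is now sent from the AUTHORIZED transition would save the next reader a grep. The matching removal of `int layer2_update;` in the @@ -1398 hunk is consistent with this.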
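Review bot: in the ieee80211_change_station() hunk (@@ -1551), gating the VLAN rebinding announcement on WLAN_STA_AUTHORIZED means a not-yet-authorized STA that is moved to a VLAN gets no update here at all. That is correct only because `sta->sdata = vlansdata;` is assigned first and the sta_info.c hunk later sends on `sta->sdata->dev`, so the bridge learns the VLAN port once authorization completes; the two hunks depend on each other and that is worth stating in the commit message. Style-wise the call is now wrapped onto two lines for the 80-column limit, which is fine, and folding both statements into the braced block reads correctly.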
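Review bot: in the sta_info_move_state() hunk (@@ -1899), the new vif-type check is placed after the closing brace of the preceding conditional block (the one that calls ieee80211_check_fast_xmit() and ieee80211_check_fast_rx()) and before `break;`, so it runs on every call that reaches this case, not only in the branch that actually flipped the station into the authorized state. If the function's earlier transition validation guarantees that this case is only reached on a real move into AUTHORIZED, a short comment saying so would help; if it does not, move the send inside that block so a repeated move_state call cannot re-emit the frame. Also, `NL80211_IFTYPE_AP_VLAN || NL80211_IFTYPE_AP` re-states the condition the removed `layer2_update` variable in cfg.c used to compute; a tiny helper would keep the two from drifting apart if a third interface type ever needs the update.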
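The bridge-side effect the commit message describes, as an added example that is not part of this patch or of the kernel's code: it builds the Layer 2 Update frame with the same field layout the kernel's cfg80211_send_layer2_update() helper uses, feeds it to a constructed two-port learning bridge, and compares the pre-patch announce-at-association behaviour with the post-patch announce-at-authorization behaviour for a station that associates using a wired host's MAC address and never completes the 4-way handshake. The bridge model, the port numbers, the MAC addresses, the `struct sta` flags and the add_station()/move_state_authorized() functions are assumptions made for illustration and are not mac80211 code.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6

/* Layer 2 Update frame: 802.3 length-typed frame carrying an 802.2 LLC XID
 * response; field values follow the kernel's cfg80211_send_layer2_update().
 * A learning bridge acts only on the source address. */
struct iapp_layer2_update {
    uint8_t  da[ETH_ALEN];   /* ff:ff:ff:ff:ff:ff */
    uint8_t  sa[ETH_ALEN];   /* the STA's MAC, which bridges (re)learn */
    uint16_t len;            /* 6 bytes of LLC payload, network order */
    uint8_t  dsap;           /* 0x00: NULL LSAP */
    uint8_t  ssap;           /* 0x01: NULL LSAP, C/R bit = response */
    uint8_t  control;        /* 0xaf: XID response, P/F set */
    uint8_t  xid_info[3];    /* 0x81 format id, Type 1 LLC, RW = 0 */
} __attribute__((packed));

void build_layer2_update(struct iapp_layer2_update *m, const uint8_t *sta_addr)
{
    memset(m->da, 0xff, ETH_ALEN);
    memcpy(m->sa, sta_addr, ETH_ALEN);
    m->len = htons(6);
    m->dsap = 0x00; m->ssap = 0x01; m->control = 0xaf;
    m->xid_info[0] = 0x81; m->xid_info[1] = 0x01; m->xid_info[2] = 0x00;
}

/* 1 if the frame is a well-formed Layer 2 Update, else 0. */
int is_layer2_update(const struct iapp_layer2_update *m)
{
    static const uint8_t bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    return memcmp(m->da, bcast, ETH_ALEN) == 0 && ntohs(m->len) == 6 &&
           m->dsap == 0x00 && m->ssap == 0x01 && m->control == 0xaf &&
           m->xid_info[0] == 0x81 && m->xid_info[1] == 0x01 && m->xid_info[2] == 0x00;
}

/* Constructed two-port learning bridge (not real bridge code). */
enum { PORT_NONE = 0, PORT_WIRED = 1, PORT_AP = 2 };
#define FDB_SIZE 8
struct bridge { struct { uint8_t mac[ETH_ALEN]; int port; } fdb[FDB_SIZE]; int n; };

/* Source-address learning: bind (or rebind) the MAC to the ingress port. */
void bridge_learn(struct bridge *br, const uint8_t *mac, int port)
{
    for (int i = 0; i < br->n; i++)
        if (memcmp(br->fdb[i].mac, mac, ETH_ALEN) == 0) { br->fdb[i].port = port; return; }
    if (br->n < FDB_SIZE) {
        memcpy(br->fdb[br->n].mac, mac, ETH_ALEN);
        br->fdb[br->n++].port = port;
    }
}

int bridge_lookup(const struct bridge *br, const uint8_t *mac)
{
    for (int i = 0; i < br->n; i++)
        if (memcmp(br->fdb[i].mac, mac, ETH_ALEN) == 0) return br->fdb[i].port;
    return PORT_NONE;
}

/* The AP emits the frame on its bridge port; the bridge learns from it. */
static void ap_announce(struct bridge *br, const uint8_t *addr)
{
    struct iapp_layer2_update m;
    build_layer2_update(&m, addr);
    if (is_layer2_update(&m)) bridge_learn(br, m.sa, PORT_AP);
}

/* Station state with the two flags the patch keys on (constructed). The only
 * difference between the two kernels is where the announcement happens. */
struct sta { uint8_t addr[ETH_ALEN]; int assoc; int authorized; };

void add_station(struct bridge *br, struct sta *s, int patched)
{
    s->assoc = 1;
    if (!patched) ap_announce(br, s->addr);   /* pre-patch: at association */
}

void move_state_authorized(struct bridge *br, struct sta *s, int patched)
{
    if (!s->assoc || s->authorized) return;   /* only ASSOC -> AUTHORIZED */
    s->authorized = 1;
    if (patched) ap_announce(br, s->addr);    /* post-patch: after 4-way handshake */
}

/* Scenario: wired host 02:00:00:00:00:42 is known on PORT_WIRED. A station
 * associates using that MAC; handshake_done says whether it ever completes
 * the 4-way handshake. Returns the port the bridge then maps the MAC to. */
int host_port_after(int patched, int handshake_done)
{
    static const uint8_t host[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x42};
    struct bridge br = {0};
    struct sta s = {0};
    bridge_learn(&br, host, PORT_WIRED);
    memcpy(s.addr, host, ETH_ALEN);
    add_station(&br, &s, patched);
    if (handshake_done) move_state_authorized(&br, &s, patched);
    return bridge_lookup(&br, host);
}
```

host_port_after(0, 0) returns PORT_AP: before the patch an associated but never-authenticated station whose MAC matches a wired host has already moved that host's forwarding entry to the AP port, which is the bridge disruption the commit message refers to. host_port_after(1, 0) returns PORT_WIRED, and host_port_after(1, 1) returns PORT_AP, so a station that does finish the handshake is still announced. The frame is 20 bytes and carries nothing a bridge authenticates; the only control over who can trigger it is the state machine on the AP side, which is exactly what the patch moves.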