Message ID | 20200828215458.28928-1-hauke@hauke-m.de |
---|---|
State | Accepted |
Delegated to: | Hauke Mehrtens |
Headers | show |
Series | [18.06] mac80211: Backport fixes for Kr00k vulnerabilities | expand |
On 28-08-20, Hauke Mehrtens wrote: > This backports some fixes from kernel 5.6 and 4.14.175. Thanks, I will give this a try. It's missing two fixes though: 5981fe5b0529 ("mac80211: fix misplaced while instead of if") a0761a301746 ("mac80211: drop data frames without key on encrypted links") The second one has strangely not been backported to stable kernels, even though it says "Cc: stable@vger.kernel.org". I'm not sure what we should do with it. Baptiste > Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> > --- > ...ation-unauthorized-before-key-remova.patch | 42 +++++++++++++++ > ...ort-authorization-in-the-ieee80211_t.patch | 54 +++++++++++++++++++ > ...-fix-authentication-with-iwlwifi-mvm.patch | 34 ++++++++++++ > 3 files changed, 130 insertions(+) > create mode 100644 package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch > create mode 100644 package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch > create mode 100644 package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch > > diff --git a/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch b/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch > new file mode 100644 > index 0000000000..012b6cae15 > --- /dev/null > +++ b/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch > @@ -0,0 +1,42 @@ > +From 1ec47ff0525c4a530dc7783cb28044179334a4cc Mon Sep 17 00:00:00 2001 > +From: Johannes Berg <johannes.berg@intel.com> > +Date: Thu, 26 Mar 2020 15:51:35 +0100 > +Subject: [PATCH] mac80211: mark station unauthorized before key removal > + > +commit b16798f5b907733966fd1a558fca823b3c67e4a1 upstream. > + > +If a station is still marked as authorized, mark it as no longer > +so before removing its keys. This allows frames transmitted to it > +to be rejected, providing additional protection against leaking > +plain text data during the disconnection flow. > + > +Cc: stable@vger.kernel.org > +Link: https://lore.kernel.org/r/20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid > +Signed-off-by: Johannes Berg <johannes.berg@intel.com> > +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > +--- > + net/mac80211/sta_info.c | 6 ++++++ > + 1 file changed, 6 insertions(+) > + > +--- a/net/mac80211/sta_info.c > ++++ b/net/mac80211/sta_info.c > +@@ -3,6 +3,7 @@ > + * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> > + * Copyright 2013-2014 Intel Mobile Communications GmbH > + * Copyright (C) 2015 - 2017 Intel Deutschland GmbH > ++ * Copyright (C) 2018-2020 Intel Corporation > + * > + * This program is free software; you can redistribute it and/or modify > + * it under the terms of the GNU General Public License version 2 as > +@@ -976,6 +977,11 @@ static void __sta_info_destroy_part2(str > + might_sleep(); > + lockdep_assert_held(&local->sta_mtx); > + > ++ while (sta->sta_state == IEEE80211_STA_AUTHORIZED) { > ++ ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC); > ++ WARN_ON_ONCE(ret); > ++ } > ++ > + /* now keys can no longer be reached */ > + ieee80211_free_sta_keys(local, sta); > + > diff --git a/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch b/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch > new file mode 100644 > index 0000000000..1867e809be > --- /dev/null > +++ b/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch > @@ -0,0 +1,54 @@ > +From 07dc42ff9b9c38eae221b36acda7134ab8670af8 Mon Sep 17 00:00:00 2001 > +From: Jouni Malinen <jouni@codeaurora.org> > +Date: Thu, 26 Mar 2020 15:51:34 +0100 > +Subject: [PATCH] mac80211: Check port authorization in the > + ieee80211_tx_dequeue() case > + > +commit ce2e1ca703071723ca2dd94d492a5ab6d15050da upstream. > + > +mac80211 used to check port authorization in the Data frame enqueue case > +when going through start_xmit(). However, that authorization status may > +change while the frame is waiting in a queue. Add a similar check in the > +dequeue case to avoid sending previously accepted frames after > +authorization change. This provides additional protection against > +potential leaking of frames after a station has been disconnected and > +the keys for it are being removed. > + > +Cc: stable@vger.kernel.org > +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> > +Link: https://lore.kernel.org/r/20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid > +Signed-off-by: Johannes Berg <johannes.berg@intel.com> > +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > +--- > + net/mac80211/tx.c | 19 ++++++++++++++++++- > + 1 file changed, 18 insertions(+), 1 deletion(-) > + > +--- a/net/mac80211/tx.c > ++++ b/net/mac80211/tx.c > +@@ -3496,8 +3496,25 @@ begin: > + tx.sdata = vif_to_sdata(info->control.vif); > + tx.hdrlen = ieee80211_padded_hdrlen(hw, hdr->frame_control); > + > +- if (txq->sta) > ++ if (txq->sta) { > + tx.sta = container_of(txq->sta, struct sta_info, sta); > ++ /* > ++ * Drop unicast frames to unauthorised stations unless they are > ++ * EAPOL frames from the local station. > ++ */ > ++ if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) && > ++ tx.sdata->vif.type != NL80211_IFTYPE_OCB && > ++ !is_multicast_ether_addr(hdr->addr1) && > ++ !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) && > ++ (!(info->control.flags & > ++ IEEE80211_TX_CTRL_PORT_CTRL_PROTO) || > ++ !ether_addr_equal(tx.sdata->vif.addr, > ++ hdr->addr2)))) { > ++ I802_DEBUG_INC(local->tx_handlers_drop_unauth_port); > ++ ieee80211_free_txskb(&local->hw, skb); > ++ goto begin; > ++ } > ++ } > + > + /* > + * The key can be removed while the packet was queued, so need to call > diff --git a/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch b/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch > new file mode 100644 > index 0000000000..777e122da0 > --- /dev/null > +++ b/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch > @@ -0,0 +1,34 @@ > +From 8ad73f9e86bdb079043868e3543d302b57068b80 Mon Sep 17 00:00:00 2001 > +From: Johannes Berg <johannes.berg@intel.com> > +Date: Sun, 29 Mar 2020 22:50:06 +0200 > +Subject: [PATCH] mac80211: fix authentication with iwlwifi/mvm > + > +commit be8c827f50a0bcd56361b31ada11dc0a3c2fd240 upstream. > + > +The original patch didn't copy the ieee80211_is_data() condition > +because on most drivers the management frames don't go through > +this path. However, they do on iwlwifi/mvm, so we do need to keep > +the condition here. > + > +Cc: stable@vger.kernel.org > +Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > +Signed-off-by: Johannes Berg <johannes.berg@intel.com> > +Signed-off-by: David S. Miller <davem@davemloft.net> > +Cc: Woody Suwalski <terraluna977@gmail.com> > +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > +--- > + net/mac80211/tx.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +--- a/net/mac80211/tx.c > ++++ b/net/mac80211/tx.c > +@@ -3502,7 +3502,8 @@ begin: > + * Drop unicast frames to unauthorised stations unless they are > + * EAPOL frames from the local station. > + */ > +- if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) && > ++ if (unlikely(ieee80211_is_data(hdr->frame_control) && > ++ !ieee80211_vif_is_mesh(&tx.sdata->vif) && > + tx.sdata->vif.type != NL80211_IFTYPE_OCB && > + !is_multicast_ether_addr(hdr->addr1) && > + !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&
On 8/29/20 2:02 PM, Baptiste Jonglez wrote: > On 28-08-20, Hauke Mehrtens wrote: >> This backports some fixes from kernel 5.6 and 4.14.175. > > Thanks, I will give this a try. > > It's missing two fixes though: > > 5981fe5b0529 ("mac80211: fix misplaced while instead of if") I will add this one to 18.06 and 19.07. The others should be in 19.07 already. > a0761a301746 ("mac80211: drop data frames without key on encrypted links") This does not apply to kernel < 5.4, see here: https://lore.kernel.org/linux-wireless/20200327150342.252AF20748@mail.kernel.org/ We could try to make it apply somehow. > The second one has strangely not been backported to stable kernels, even > though it says "Cc: stable@vger.kernel.org". I'm not sure what we should > do with it. > > Baptiste >
On 29-08-20, Hauke Mehrtens wrote: > On 8/29/20 2:02 PM, Baptiste Jonglez wrote: > > On 28-08-20, Hauke Mehrtens wrote: > >> This backports some fixes from kernel 5.6 and 4.14.175. > > > > Thanks, I will give this a try. > > > > It's missing two fixes though: > > > > 5981fe5b0529 ("mac80211: fix misplaced while instead of if") I tested 18.06 with your 3 patches + 4cf1d191f77f8 (the 4.19 backport of 5981fe5b0529). Everything worked normally on a RB941-2nD with ath9k. Tested-By: Baptiste Jonglez <git@bitsofnetworks.org> > I will add this one to 18.06 and 19.07. The others should be in 19.07 > already. > > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > > This does not apply to kernel < 5.4, see here: > https://lore.kernel.org/linux-wireless/20200327150342.252AF20748@mail.kernel.org/ Ah, thanks, that explains it. In that case it makes sense to wait for this patch to be backported properly, if it's needed at all. FYI, I tried to trigger the vulnerability on 18.06.7 with ath9k, which should be vulnerable, but it did not trigger. Either I'm doing it wrong, or it's hard/impossible to trigger. Baptiste
diff --git a/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch b/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch new file mode 100644 index 0000000000..012b6cae15 --- /dev/null +++ b/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch @@ -0,0 +1,42 @@ +From 1ec47ff0525c4a530dc7783cb28044179334a4cc Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Thu, 26 Mar 2020 15:51:35 +0100 +Subject: [PATCH] mac80211: mark station unauthorized before key removal + +commit b16798f5b907733966fd1a558fca823b3c67e4a1 upstream. + +If a station is still marked as authorized, mark it as no longer +so before removing its keys. This allows frames transmitted to it +to be rejected, providing additional protection against leaking +plain text data during the disconnection flow. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/mac80211/sta_info.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -3,6 +3,7 @@ + * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright (C) 2015 - 2017 Intel Deutschland GmbH ++ * Copyright (C) 2018-2020 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -976,6 +977,11 @@ static void __sta_info_destroy_part2(str + might_sleep(); + lockdep_assert_held(&local->sta_mtx); + ++ while (sta->sta_state == IEEE80211_STA_AUTHORIZED) { ++ ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC); ++ WARN_ON_ONCE(ret); ++ } ++ + /* now keys can no longer be reached */ + ieee80211_free_sta_keys(local, sta); + diff --git a/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch b/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch new file mode 100644 index 0000000000..1867e809be --- /dev/null +++ b/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch @@ -0,0 +1,54 @@ +From 07dc42ff9b9c38eae221b36acda7134ab8670af8 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Thu, 26 Mar 2020 15:51:34 +0100 +Subject: [PATCH] mac80211: Check port authorization in the + ieee80211_tx_dequeue() case + +commit ce2e1ca703071723ca2dd94d492a5ab6d15050da upstream. + +mac80211 used to check port authorization in the Data frame enqueue case +when going through start_xmit(). However, that authorization status may +change while the frame is waiting in a queue. Add a similar check in the +dequeue case to avoid sending previously accepted frames after +authorization change. This provides additional protection against +potential leaking of frames after a station has been disconnected and +the keys for it are being removed. + +Cc: stable@vger.kernel.org +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +Link: https://lore.kernel.org/r/20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/mac80211/tx.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3496,8 +3496,25 @@ begin: + tx.sdata = vif_to_sdata(info->control.vif); + tx.hdrlen = ieee80211_padded_hdrlen(hw, hdr->frame_control); + +- if (txq->sta) ++ if (txq->sta) { + tx.sta = container_of(txq->sta, struct sta_info, sta); ++ /* ++ * Drop unicast frames to unauthorised stations unless they are ++ * EAPOL frames from the local station. ++ */ ++ if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) && ++ tx.sdata->vif.type != NL80211_IFTYPE_OCB && ++ !is_multicast_ether_addr(hdr->addr1) && ++ !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) && ++ (!(info->control.flags & ++ IEEE80211_TX_CTRL_PORT_CTRL_PROTO) || ++ !ether_addr_equal(tx.sdata->vif.addr, ++ hdr->addr2)))) { ++ I802_DEBUG_INC(local->tx_handlers_drop_unauth_port); ++ ieee80211_free_txskb(&local->hw, skb); ++ goto begin; ++ } ++ } + + /* + * The key can be removed while the packet was queued, so need to call diff --git a/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch b/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch new file mode 100644 index 0000000000..777e122da0 --- /dev/null +++ b/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch @@ -0,0 +1,34 @@ +From 8ad73f9e86bdb079043868e3543d302b57068b80 Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Sun, 29 Mar 2020 22:50:06 +0200 +Subject: [PATCH] mac80211: fix authentication with iwlwifi/mvm + +commit be8c827f50a0bcd56361b31ada11dc0a3c2fd240 upstream. + +The original patch didn't copy the ieee80211_is_data() condition +because on most drivers the management frames don't go through +this path. However, they do on iwlwifi/mvm, so we do need to keep +the condition here. + +Cc: stable@vger.kernel.org +Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Cc: Woody Suwalski <terraluna977@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/mac80211/tx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3502,7 +3502,8 @@ begin: + * Drop unicast frames to unauthorised stations unless they are + * EAPOL frames from the local station. + */ +- if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) && ++ if (unlikely(ieee80211_is_data(hdr->frame_control) && ++ !ieee80211_vif_is_mesh(&tx.sdata->vif) && + tx.sdata->vif.type != NL80211_IFTYPE_OCB && + !is_multicast_ether_addr(hdr->addr1) && + !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&
This backports some fixes from kernel 5.6 and 4.14.175. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> --- ...ation-unauthorized-before-key-remova.patch | 42 +++++++++++++++ ...ort-authorization-in-the-ieee80211_t.patch | 54 +++++++++++++++++++ ...-fix-authentication-with-iwlwifi-mvm.patch | 34 ++++++++++++ 3 files changed, 130 insertions(+) create mode 100644 package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch create mode 100644 package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch create mode 100644 package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch