From patchwork Fri Aug 28 21:54:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hauke Mehrtens X-Patchwork-Id: 1353546 X-Patchwork-Delegate: hauke@hauke-m.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=hauke-m.de Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=2gS8rFZD; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BdYNC2zRtz9sTC for ; Sat, 29 Aug 2020 07:56:59 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=5INzT5Nyhl7QJUXr5NdGS6Xjw6RVbzLEPB/oleo2s6U=; b=2gS8rFZDyGWe+TOlRPoMSl8UQm takPhU6iwp/vf5MpINeQu40LK++wbfYgJPkio5SguuYpqyDPDi0axHd9zg2OrMyvxVn5l0GLDZD6s khwwXmjUdzeNStWkpxjqIxk4cW0oo6NXnRHvcKUCNrpPH5uNw4K5jc8gWSu4+2KK5PFcPBoyWGUSC tWWjNaj1BqHA+x6JdrjF3C6iPKgCuNwLOLRrbvNPccGEunHzIsnWXS+Sutj+DUFbQBaYplsAE6S0p PWLi0Dkqz2eDsuok9K0JayWvB5SC05+Qtdgciams+xVGmoikQsxJxmbJjgg1o6l6sgqlBKeafyEKy Izaef4Jw==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kBmLD-0004xo-Dv; Fri, 28 Aug 2020 21:55:23 +0000 Received: from mout-p-101.mailbox.org ([2001:67c:2050::465:101]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kBmLA-0004vT-EY for openwrt-devel@lists.openwrt.org; Fri, 28 Aug 2020 21:55:21 +0000 Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4BdYLG4b2FzKmZ2; Fri, 28 Aug 2020 23:55:18 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter06.heinlein-hosting.de (spamfilter06.heinlein-hosting.de [80.241.56.125]) (amavisd-new, port 10030) with ESMTP id ReGYN9wsc91E; Fri, 28 Aug 2020 23:55:14 +0200 (CEST) From: Hauke Mehrtens To: openwrt-devel@lists.openwrt.org Subject: [PATCH 18.06] mac80211: Backport fixes for Kr00k vulnerabilities Date: Fri, 28 Aug 2020 23:54:58 +0200 Message-Id: <20200828215458.28928-1-hauke@hauke-m.de> MIME-Version: 1.0 X-MBO-SPAM-Probability: X-Rspamd-Score: -2.10 / 15.00 / 15.00 X-Rspamd-Queue-Id: 3A160CC9 X-Rspamd-UID: 5b2a92 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200828_175520_642940_1E10EE3D X-CRM114-Status: GOOD ( 27.34 ) X-Spam-Score: 0.0 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2001:67c:2050:0:0:0:465:101 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hauke Mehrtens , baptiste@bitsofnetworks.org Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This backports some fixes from kernel 5.6 and 4.14.175. Signed-off-by: Hauke Mehrtens Tested-By: Baptiste Jonglez --- ...ation-unauthorized-before-key-remova.patch | 42 +++++++++++++++ ...ort-authorization-in-the-ieee80211_t.patch | 54 +++++++++++++++++++ ...-fix-authentication-with-iwlwifi-mvm.patch | 34 ++++++++++++ 3 files changed, 130 insertions(+) create mode 100644 package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch create mode 100644 package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch create mode 100644 package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch diff --git a/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch b/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch new file mode 100644 index 0000000000..012b6cae15 --- /dev/null +++ b/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch @@ -0,0 +1,42 @@ +From 1ec47ff0525c4a530dc7783cb28044179334a4cc Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Thu, 26 Mar 2020 15:51:35 +0100 +Subject: [PATCH] mac80211: mark station unauthorized before key removal + +commit b16798f5b907733966fd1a558fca823b3c67e4a1 upstream. + +If a station is still marked as authorized, mark it as no longer +so before removing its keys. This allows frames transmitted to it +to be rejected, providing additional protection against leaking +plain text data during the disconnection flow. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/sta_info.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -3,6 +3,7 @@ + * Copyright 2006-2007 Jiri Benc + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright (C) 2015 - 2017 Intel Deutschland GmbH ++ * Copyright (C) 2018-2020 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -976,6 +977,11 @@ static void __sta_info_destroy_part2(str + might_sleep(); + lockdep_assert_held(&local->sta_mtx); + ++ while (sta->sta_state == IEEE80211_STA_AUTHORIZED) { ++ ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC); ++ WARN_ON_ONCE(ret); ++ } ++ + /* now keys can no longer be reached */ + ieee80211_free_sta_keys(local, sta); + diff --git a/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch b/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch new file mode 100644 index 0000000000..1867e809be --- /dev/null +++ b/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch @@ -0,0 +1,54 @@ +From 07dc42ff9b9c38eae221b36acda7134ab8670af8 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 26 Mar 2020 15:51:34 +0100 +Subject: [PATCH] mac80211: Check port authorization in the + ieee80211_tx_dequeue() case + +commit ce2e1ca703071723ca2dd94d492a5ab6d15050da upstream. + +mac80211 used to check port authorization in the Data frame enqueue case +when going through start_xmit(). However, that authorization status may +change while the frame is waiting in a queue. Add a similar check in the +dequeue case to avoid sending previously accepted frames after +authorization change. This provides additional protection against +potential leaking of frames after a station has been disconnected and +the keys for it are being removed. + +Cc: stable@vger.kernel.org +Signed-off-by: Jouni Malinen +Link: https://lore.kernel.org/r/20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3496,8 +3496,25 @@ begin: + tx.sdata = vif_to_sdata(info->control.vif); + tx.hdrlen = ieee80211_padded_hdrlen(hw, hdr->frame_control); + +- if (txq->sta) ++ if (txq->sta) { + tx.sta = container_of(txq->sta, struct sta_info, sta); ++ /* ++ * Drop unicast frames to unauthorised stations unless they are ++ * EAPOL frames from the local station. ++ */ ++ if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) && ++ tx.sdata->vif.type != NL80211_IFTYPE_OCB && ++ !is_multicast_ether_addr(hdr->addr1) && ++ !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) && ++ (!(info->control.flags & ++ IEEE80211_TX_CTRL_PORT_CTRL_PROTO) || ++ !ether_addr_equal(tx.sdata->vif.addr, ++ hdr->addr2)))) { ++ I802_DEBUG_INC(local->tx_handlers_drop_unauth_port); ++ ieee80211_free_txskb(&local->hw, skb); ++ goto begin; ++ } ++ } + + /* + * The key can be removed while the packet was queued, so need to call diff --git a/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch b/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch new file mode 100644 index 0000000000..777e122da0 --- /dev/null +++ b/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch @@ -0,0 +1,34 @@ +From 8ad73f9e86bdb079043868e3543d302b57068b80 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Sun, 29 Mar 2020 22:50:06 +0200 +Subject: [PATCH] mac80211: fix authentication with iwlwifi/mvm + +commit be8c827f50a0bcd56361b31ada11dc0a3c2fd240 upstream. + +The original patch didn't copy the ieee80211_is_data() condition +because on most drivers the management frames don't go through +this path. However, they do on iwlwifi/mvm, so we do need to keep +the condition here. + +Cc: stable@vger.kernel.org +Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Cc: Woody Suwalski +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3502,7 +3502,8 @@ begin: + * Drop unicast frames to unauthorised stations unless they are + * EAPOL frames from the local station. + */ +- if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) && ++ if (unlikely(ieee80211_is_data(hdr->frame_control) && ++ !ieee80211_vif_is_mesh(&tx.sdata->vif) && + tx.sdata->vif.type != NL80211_IFTYPE_OCB && + !is_multicast_ether_addr(hdr->addr1) && + !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&