[PATCH 18.06] mac80211: Backport fixes for Kr00k vulnerabilities

Baptiste Jonglez baptiste at bitsofnetworks.org
Sat Aug 29 08:02:58 EDT 2020


On 28-08-20, Hauke Mehrtens wrote:
> This backports some fixes from kernel 5.6 and 4.14.175.

Thanks, I will give this a try.

It's missing two fixes though:

5981fe5b0529 ("mac80211: fix misplaced while instead of if")
a0761a301746 ("mac80211: drop data frames without key on encrypted links")

The second one has strangely not been backported to stable kernels, even
though it says "Cc: stable at vger.kernel.org".  I'm not sure what we should
do with it.

Baptiste

> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> ---
>  ...ation-unauthorized-before-key-remova.patch | 42 +++++++++++++++
>  ...ort-authorization-in-the-ieee80211_t.patch | 54 +++++++++++++++++++
>  ...-fix-authentication-with-iwlwifi-mvm.patch | 34 ++++++++++++
>  3 files changed, 130 insertions(+)
>  create mode 100644 package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch
>  create mode 100644 package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch
>  create mode 100644 package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch
> 
> diff --git a/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch b/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch
> new file mode 100644
> index 0000000000..012b6cae15
> --- /dev/null
> +++ b/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch
> @@ -0,0 +1,42 @@
> +From 1ec47ff0525c4a530dc7783cb28044179334a4cc Mon Sep 17 00:00:00 2001
> +From: Johannes Berg <johannes.berg at intel.com>
> +Date: Thu, 26 Mar 2020 15:51:35 +0100
> +Subject: [PATCH] mac80211: mark station unauthorized before key removal
> +
> +commit b16798f5b907733966fd1a558fca823b3c67e4a1 upstream.
> +
> +If a station is still marked as authorized, mark it as no longer
> +so before removing its keys. This allows frames transmitted to it
> +to be rejected, providing additional protection against leaking
> +plain text data during the disconnection flow.
> +
> +Cc: stable at vger.kernel.org
> +Link: https://lore.kernel.org/r/20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid
> +Signed-off-by: Johannes Berg <johannes.berg at intel.com>
> +Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> +---
> + net/mac80211/sta_info.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +--- a/net/mac80211/sta_info.c
> ++++ b/net/mac80211/sta_info.c
> +@@ -3,6 +3,7 @@
> +  * Copyright 2006-2007	Jiri Benc <jbenc at suse.cz>
> +  * Copyright 2013-2014  Intel Mobile Communications GmbH
> +  * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
> ++ * Copyright (C) 2018-2020 Intel Corporation
> +  *
> +  * This program is free software; you can redistribute it and/or modify
> +  * it under the terms of the GNU General Public License version 2 as
> +@@ -976,6 +977,11 @@ static void __sta_info_destroy_part2(str
> + 	might_sleep();
> + 	lockdep_assert_held(&local->sta_mtx);
> + 
> ++	while (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
> ++		ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
> ++		WARN_ON_ONCE(ret);
> ++	}
> ++
> + 	/* now keys can no longer be reached */
> + 	ieee80211_free_sta_keys(local, sta);
> + 
> diff --git a/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch b/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch
> new file mode 100644
> index 0000000000..1867e809be
> --- /dev/null
> +++ b/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch
> @@ -0,0 +1,54 @@
> +From 07dc42ff9b9c38eae221b36acda7134ab8670af8 Mon Sep 17 00:00:00 2001
> +From: Jouni Malinen <jouni at codeaurora.org>
> +Date: Thu, 26 Mar 2020 15:51:34 +0100
> +Subject: [PATCH] mac80211: Check port authorization in the
> + ieee80211_tx_dequeue() case
> +
> +commit ce2e1ca703071723ca2dd94d492a5ab6d15050da upstream.
> +
> +mac80211 used to check port authorization in the Data frame enqueue case
> +when going through start_xmit(). However, that authorization status may
> +change while the frame is waiting in a queue. Add a similar check in the
> +dequeue case to avoid sending previously accepted frames after
> +authorization change. This provides additional protection against
> +potential leaking of frames after a station has been disconnected and
> +the keys for it are being removed.
> +
> +Cc: stable at vger.kernel.org
> +Signed-off-by: Jouni Malinen <jouni at codeaurora.org>
> +Link: https://lore.kernel.org/r/20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid
> +Signed-off-by: Johannes Berg <johannes.berg at intel.com>
> +Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> +---
> + net/mac80211/tx.c | 19 ++++++++++++++++++-
> + 1 file changed, 18 insertions(+), 1 deletion(-)
> +
> +--- a/net/mac80211/tx.c
> ++++ b/net/mac80211/tx.c
> +@@ -3496,8 +3496,25 @@ begin:
> + 	tx.sdata = vif_to_sdata(info->control.vif);
> + 	tx.hdrlen = ieee80211_padded_hdrlen(hw, hdr->frame_control);
> + 
> +-	if (txq->sta)
> ++	if (txq->sta) {
> + 		tx.sta = container_of(txq->sta, struct sta_info, sta);
> ++		/*
> ++		 * Drop unicast frames to unauthorised stations unless they are
> ++		 * EAPOL frames from the local station.
> ++		 */
> ++		if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) &&
> ++			     tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
> ++			     !is_multicast_ether_addr(hdr->addr1) &&
> ++			     !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&
> ++			     (!(info->control.flags &
> ++				IEEE80211_TX_CTRL_PORT_CTRL_PROTO) ||
> ++			      !ether_addr_equal(tx.sdata->vif.addr,
> ++						hdr->addr2)))) {
> ++			I802_DEBUG_INC(local->tx_handlers_drop_unauth_port);
> ++			ieee80211_free_txskb(&local->hw, skb);
> ++			goto begin;
> ++		}
> ++	}
> + 
> + 	/*
> + 	 * The key can be removed while the packet was queued, so need to call
> diff --git a/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch b/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch
> new file mode 100644
> index 0000000000..777e122da0
> --- /dev/null
> +++ b/package/kernel/mac80211/patches/482-mac80211-fix-authentication-with-iwlwifi-mvm.patch
> @@ -0,0 +1,34 @@
> +From 8ad73f9e86bdb079043868e3543d302b57068b80 Mon Sep 17 00:00:00 2001
> +From: Johannes Berg <johannes.berg at intel.com>
> +Date: Sun, 29 Mar 2020 22:50:06 +0200
> +Subject: [PATCH] mac80211: fix authentication with iwlwifi/mvm
> +
> +commit be8c827f50a0bcd56361b31ada11dc0a3c2fd240 upstream.
> +
> +The original patch didn't copy the ieee80211_is_data() condition
> +because on most drivers the management frames don't go through
> +this path. However, they do on iwlwifi/mvm, so we do need to keep
> +the condition here.
> +
> +Cc: stable at vger.kernel.org
> +Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
> +Signed-off-by: Johannes Berg <johannes.berg at intel.com>
> +Signed-off-by: David S. Miller <davem at davemloft.net>
> +Cc: Woody Suwalski <terraluna977 at gmail.com>
> +Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> +---
> + net/mac80211/tx.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +--- a/net/mac80211/tx.c
> ++++ b/net/mac80211/tx.c
> +@@ -3502,7 +3502,8 @@ begin:
> + 		 * Drop unicast frames to unauthorised stations unless they are
> + 		 * EAPOL frames from the local station.
> + 		 */
> +-		if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) &&
> ++		if (unlikely(ieee80211_is_data(hdr->frame_control) &&
> ++			     !ieee80211_vif_is_mesh(&tx.sdata->vif) &&
> + 			     tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
> + 			     !is_multicast_ether_addr(hdr->addr1) &&
> + 			     !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20200829/bdcd466f/attachment-0001.sig>


More information about the openwrt-devel mailing list