mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-22 12:28:23 +00:00
mac80211: Backport fixes for Kr00k vulnerabilities
This backports some fixes from kernel 5.6 and 4.14.175. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Tested-By: Baptiste Jonglez <git@bitsofnetworks.org>
This commit is contained in:
parent
fec2888ae5
commit
8e89e1c337
@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
|
||||
PKG_NAME:=mac80211
|
||||
|
||||
PKG_VERSION:=2017-11-01
|
||||
PKG_RELEASE:=10
|
||||
PKG_RELEASE:=11
|
||||
PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
|
||||
PKG_HASH:=8437ab7886b988c8152e7a4db30b7f41009e49a3b2cb863edd05da1ecd7eb05a
|
||||
|
||||
|
@ -0,0 +1,42 @@
|
||||
From 1ec47ff0525c4a530dc7783cb28044179334a4cc Mon Sep 17 00:00:00 2001
|
||||
From: Johannes Berg <johannes.berg@intel.com>
|
||||
Date: Thu, 26 Mar 2020 15:51:35 +0100
|
||||
Subject: [PATCH] mac80211: mark station unauthorized before key removal
|
||||
|
||||
commit b16798f5b907733966fd1a558fca823b3c67e4a1 upstream.
|
||||
|
||||
If a station is still marked as authorized, mark it as no longer
|
||||
so before removing its keys. This allows frames transmitted to it
|
||||
to be rejected, providing additional protection against leaking
|
||||
plain text data during the disconnection flow.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Link: https://lore.kernel.org/r/20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/mac80211/sta_info.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
--- a/net/mac80211/sta_info.c
|
||||
+++ b/net/mac80211/sta_info.c
|
||||
@@ -3,6 +3,7 @@
|
||||
* Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
|
||||
* Copyright 2013-2014 Intel Mobile Communications GmbH
|
||||
* Copyright (C) 2015 - 2017 Intel Deutschland GmbH
|
||||
+ * Copyright (C) 2018-2020 Intel Corporation
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
@@ -976,6 +977,11 @@ static void __sta_info_destroy_part2(str
|
||||
might_sleep();
|
||||
lockdep_assert_held(&local->sta_mtx);
|
||||
|
||||
+ while (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
|
||||
+ ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
|
||||
+ WARN_ON_ONCE(ret);
|
||||
+ }
|
||||
+
|
||||
/* now keys can no longer be reached */
|
||||
ieee80211_free_sta_keys(local, sta);
|
||||
|
@ -0,0 +1,54 @@
|
||||
From 07dc42ff9b9c38eae221b36acda7134ab8670af8 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <jouni@codeaurora.org>
|
||||
Date: Thu, 26 Mar 2020 15:51:34 +0100
|
||||
Subject: [PATCH] mac80211: Check port authorization in the
|
||||
ieee80211_tx_dequeue() case
|
||||
|
||||
commit ce2e1ca703071723ca2dd94d492a5ab6d15050da upstream.
|
||||
|
||||
mac80211 used to check port authorization in the Data frame enqueue case
|
||||
when going through start_xmit(). However, that authorization status may
|
||||
change while the frame is waiting in a queue. Add a similar check in the
|
||||
dequeue case to avoid sending previously accepted frames after
|
||||
authorization change. This provides additional protection against
|
||||
potential leaking of frames after a station has been disconnected and
|
||||
the keys for it are being removed.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
|
||||
Link: https://lore.kernel.org/r/20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/mac80211/tx.c | 19 ++++++++++++++++++-
|
||||
1 file changed, 18 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/net/mac80211/tx.c
|
||||
+++ b/net/mac80211/tx.c
|
||||
@@ -3496,8 +3496,25 @@ begin:
|
||||
tx.sdata = vif_to_sdata(info->control.vif);
|
||||
tx.hdrlen = ieee80211_padded_hdrlen(hw, hdr->frame_control);
|
||||
|
||||
- if (txq->sta)
|
||||
+ if (txq->sta) {
|
||||
tx.sta = container_of(txq->sta, struct sta_info, sta);
|
||||
+ /*
|
||||
+ * Drop unicast frames to unauthorised stations unless they are
|
||||
+ * EAPOL frames from the local station.
|
||||
+ */
|
||||
+ if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) &&
|
||||
+ tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
|
||||
+ !is_multicast_ether_addr(hdr->addr1) &&
|
||||
+ !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&
|
||||
+ (!(info->control.flags &
|
||||
+ IEEE80211_TX_CTRL_PORT_CTRL_PROTO) ||
|
||||
+ !ether_addr_equal(tx.sdata->vif.addr,
|
||||
+ hdr->addr2)))) {
|
||||
+ I802_DEBUG_INC(local->tx_handlers_drop_unauth_port);
|
||||
+ ieee80211_free_txskb(&local->hw, skb);
|
||||
+ goto begin;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
/*
|
||||
* The key can be removed while the packet was queued, so need to call
|
@ -0,0 +1,34 @@
|
||||
From 8ad73f9e86bdb079043868e3543d302b57068b80 Mon Sep 17 00:00:00 2001
|
||||
From: Johannes Berg <johannes.berg@intel.com>
|
||||
Date: Sun, 29 Mar 2020 22:50:06 +0200
|
||||
Subject: [PATCH] mac80211: fix authentication with iwlwifi/mvm
|
||||
|
||||
commit be8c827f50a0bcd56361b31ada11dc0a3c2fd240 upstream.
|
||||
|
||||
The original patch didn't copy the ieee80211_is_data() condition
|
||||
because on most drivers the management frames don't go through
|
||||
this path. However, they do on iwlwifi/mvm, so we do need to keep
|
||||
the condition here.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case")
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Cc: Woody Suwalski <terraluna977@gmail.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/mac80211/tx.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/net/mac80211/tx.c
|
||||
+++ b/net/mac80211/tx.c
|
||||
@@ -3502,7 +3502,8 @@ begin:
|
||||
* Drop unicast frames to unauthorised stations unless they are
|
||||
* EAPOL frames from the local station.
|
||||
*/
|
||||
- if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) &&
|
||||
+ if (unlikely(ieee80211_is_data(hdr->frame_control) &&
|
||||
+ !ieee80211_vif_is_mesh(&tx.sdata->vif) &&
|
||||
tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
|
||||
!is_multicast_ether_addr(hdr->addr1) &&
|
||||
!test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) &&
|
Loading…
Reference in New Issue
Block a user