diff options
| author | Hauke Mehrtens <hauke@hauke-m.de> | 2020-08-28 23:48:40 +0200 |
|---|---|---|
| committer | Hauke Mehrtens <hauke@hauke-m.de> | 2020-08-31 00:09:18 +0200 |
| commit | 8e89e1c337685013d35fe588d1bf6e323829ba98 (patch) | |
| tree | f4e8c1c5d4dbdc878ac383b0a326b2ba521455a6 /package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch | |
| parent | fec2888ae568ef392529bb1c6f75178cc8aad8c7 (diff) | |
| download | upstream-8e89e1c337685013d35fe588d1bf6e323829ba98.tar.gz upstream-8e89e1c337685013d35fe588d1bf6e323829ba98.tar.bz2 upstream-8e89e1c337685013d35fe588d1bf6e323829ba98.zip | |
mac80211: Backport fixes for Kr00k vulnerabilities
This backports some fixes from kernel 5.6 and 4.14.175.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-By: Baptiste Jonglez <git@bitsofnetworks.org>
Diffstat (limited to 'package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch')
| -rw-r--r-- | package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch b/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch new file mode 100644 index 0000000000..012b6cae15 --- /dev/null +++ b/package/kernel/mac80211/patches/480-mac80211-mark-station-unauthorized-before-key-remova.patch @@ -0,0 +1,42 @@ +From 1ec47ff0525c4a530dc7783cb28044179334a4cc Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Thu, 26 Mar 2020 15:51:35 +0100 +Subject: [PATCH] mac80211: mark station unauthorized before key removal + +commit b16798f5b907733966fd1a558fca823b3c67e4a1 upstream. + +If a station is still marked as authorized, mark it as no longer +so before removing its keys. This allows frames transmitted to it +to be rejected, providing additional protection against leaking +plain text data during the disconnection flow. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/mac80211/sta_info.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -3,6 +3,7 @@ + * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright (C) 2015 - 2017 Intel Deutschland GmbH ++ * Copyright (C) 2018-2020 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -976,6 +977,11 @@ static void __sta_info_destroy_part2(str + might_sleep(); + lockdep_assert_held(&local->sta_mtx); + ++ while (sta->sta_state == IEEE80211_STA_AUTHORIZED) { ++ ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC); ++ WARN_ON_ONCE(ret); ++ } ++ + /* now keys can no longer be reached */ + ieee80211_free_sta_keys(local, sta); + |