diff options
| author | Hauke Mehrtens <hauke@hauke-m.de> | 2020-08-28 23:48:40 +0200 |
|---|---|---|
| committer | Hauke Mehrtens <hauke@hauke-m.de> | 2020-08-31 00:09:18 +0200 |
| commit | 8e89e1c337685013d35fe588d1bf6e323829ba98 (patch) | |
| tree | f4e8c1c5d4dbdc878ac383b0a326b2ba521455a6 /package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch | |
| parent | fec2888ae568ef392529bb1c6f75178cc8aad8c7 (diff) | |
| download | upstream-8e89e1c337685013d35fe588d1bf6e323829ba98.tar.gz upstream-8e89e1c337685013d35fe588d1bf6e323829ba98.tar.bz2 upstream-8e89e1c337685013d35fe588d1bf6e323829ba98.zip | |
mac80211: Backport fixes for Kr00k vulnerabilities
This backports some fixes from kernel 5.6 and 4.14.175.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-By: Baptiste Jonglez <git@bitsofnetworks.org>
Diffstat (limited to 'package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch')
| -rw-r--r-- | package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch b/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch new file mode 100644 index 0000000000..1867e809be --- /dev/null +++ b/package/kernel/mac80211/patches/481-mac80211-Check-port-authorization-in-the-ieee80211_t.patch @@ -0,0 +1,54 @@ +From 07dc42ff9b9c38eae221b36acda7134ab8670af8 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Thu, 26 Mar 2020 15:51:34 +0100 +Subject: [PATCH] mac80211: Check port authorization in the + ieee80211_tx_dequeue() case + +commit ce2e1ca703071723ca2dd94d492a5ab6d15050da upstream. + +mac80211 used to check port authorization in the Data frame enqueue case +when going through start_xmit(). However, that authorization status may +change while the frame is waiting in a queue. Add a similar check in the +dequeue case to avoid sending previously accepted frames after +authorization change. This provides additional protection against +potential leaking of frames after a station has been disconnected and +the keys for it are being removed. + +Cc: stable@vger.kernel.org +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +Link: https://lore.kernel.org/r/20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/mac80211/tx.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3496,8 +3496,25 @@ begin: + tx.sdata = vif_to_sdata(info->control.vif); + tx.hdrlen = ieee80211_padded_hdrlen(hw, hdr->frame_control); + +- if (txq->sta) ++ if (txq->sta) { + tx.sta = container_of(txq->sta, struct sta_info, sta); ++ /* ++ * Drop unicast frames to unauthorised stations unless they are ++ * EAPOL frames from the local station. ++ */ ++ if (unlikely(!ieee80211_vif_is_mesh(&tx.sdata->vif) && ++ tx.sdata->vif.type != NL80211_IFTYPE_OCB && ++ !is_multicast_ether_addr(hdr->addr1) && ++ !test_sta_flag(tx.sta, WLAN_STA_AUTHORIZED) && ++ (!(info->control.flags & ++ IEEE80211_TX_CTRL_PORT_CTRL_PROTO) || ++ !ether_addr_equal(tx.sdata->vif.addr, ++ hdr->addr2)))) { ++ I802_DEBUG_INC(local->tx_handlers_drop_unauth_port); ++ ieee80211_free_txskb(&local->hw, skb); ++ goto begin; ++ } ++ } + + /* + * The key can be removed while the packet was queued, so need to call |