mac80211: extend protection against mixed key and fragment cache attacks - kernel/linux.git

diff options

author	Wen Gong <wgong@codeaurora.org>	2021-05-11 21:02:51 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-03 10:00:29 +0300
commit	6abcc01e8b3b804a7f18721666d978f39470e30c (patch)
tree	a05027395376ba766298cc2a1511164cb4ece44e /certs
parent	2b9b07b9a06fab16bda3d33da3be70fe33bd95cb (diff)
download	linux-6abcc01e8b3b804a7f18721666d978f39470e30c.tar.xz

mac80211: extend protection against mixed key and fragment cache attacks

commit 3edc6b0d6c061a70d8ca3c3c72eb1f58ce29bfb1 upstream. For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is done by the hardware, and the Protected bit in the Frame Control field is cleared in the lower level driver before the frame is passed to mac80211. In such cases, the condition for ieee80211_has_protected() is not met in ieee80211_rx_h_defragment() of mac80211 and the new security validation steps are not executed. Extend mac80211 to cover the case where the Protected bit has been cleared, but the frame is indicated as having been decrypted by the hardware. This extends protection against mixed key and fragment cache attack for additional drivers/chips. This fixes CVE-2020-24586 and CVE-2020-24587 for such cases. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Cc: stable@vger.kernel.org Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Link: https://lore.kernel.org/r/20210511200110.037aa5ca0390.I7bb888e2965a0db02a67075fcb5deb50eb7408aa@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'certs')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: