authorHauke Mehrtens <hauke@hauke-m.de>2021-06-05 18:21:57 +0200
committerHauke Mehrtens <hauke@hauke-m.de>2021-06-06 17:54:58 +0200
commit00d7a459f3ebb2a0d5f806cc3f95e171b42600e9 (patch)
tree97c6b86877bc558c2228db775778bc86da8e564d /package/kernel/mac80211/patches/subsys/381-mac80211-prevent-mixed-key-and-fragment-cache-attack.patch
parentb55d3d69044ae872c96b4b287b43a57c8e96e7cd (diff)
mac80211: Update to backports-5.10.42
The removed patches were integrated upstream. The brcmf_driver_work workqueue was removed in brcmfmac with kernel 5.10.42, the asynchronous call was converted to a synchronous call. There is no need to wait any more. This part was removed manually from this patch: brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 04a260911ca0f10a0e37c487c220e1aae3623dda)
Diffstat (limited to 'package/kernel/mac80211/patches/subsys/381-mac80211-prevent-mixed-key-and-fragment-cache-attack.patch')
-rw-r--r--package/kernel/mac80211/patches/subsys/381-mac80211-prevent-mixed-key-and-fragment-cache-attack.patch87
1 files changed, 0 insertions, 87 deletions
diff --git a/package/kernel/mac80211/patches/subsys/381-mac80211-prevent-mixed-key-and-fragment-cache-attack.patch b/package/kernel/mac80211/patches/subsys/381-mac80211-prevent-mixed-key-and-fragment-cache-attack.patch
deleted file mode 100644
index de0f89a5b0..0000000000
--- a/package/kernel/mac80211/patches/subsys/381-mac80211-prevent-mixed-key-and-fragment-cache-attack.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
-Date: Tue, 11 May 2021 20:02:43 +0200
-Subject: [PATCH] mac80211: prevent mixed key and fragment cache attacks
-
-Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment
-cache attacks (CVE-2020-24586). This is accomplished by assigning a
-unique color to every key (per interface) and using this to track which
-key was used to decrypt a fragment. When reassembling frames, it is
-now checked whether all fragments were decrypted using the same key.
-
-To assure that fragment cache attacks are also prevented, the ID that is
-assigned to keys is unique even over (re)associations and (re)connects.
-This means fragments separated by a (re)association or (re)connect will
-not be reassembled. Because mac80211 now also prevents the reassembly of
-mixed encrypted and plaintext fragments, all cache attacks are prevented.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -97,6 +97,7 @@ struct ieee80211_fragment_entry {
- u8 rx_queue;
- bool check_sequential_pn; /* needed for CCMP/GCMP */
- u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
-+ unsigned int key_color;
- };
-
-
---- a/net/mac80211/key.c
-+++ b/net/mac80211/key.c
-@@ -799,6 +799,7 @@ int ieee80211_key_link(struct ieee80211_
- struct ieee80211_sub_if_data *sdata,
- struct sta_info *sta)
- {
-+ static atomic_t key_color = ATOMIC_INIT(0);
- struct ieee80211_key *old_key;
- int idx = key->conf.keyidx;
- bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
-@@ -850,6 +851,12 @@ int ieee80211_key_link(struct ieee80211_
- key->sdata = sdata;
- key->sta = sta;
-
-+ /*
-+ * Assign a unique ID to every key so we can easily prevent mixed
-+ * key and fragment cache attacks.
-+ */
-+ key->color = atomic_inc_return(&key_color);
-+
- increment_tailroom_need_count(sdata);
-
- ret = ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
---- a/net/mac80211/key.h
-+++ b/net/mac80211/key.h
-@@ -128,6 +128,8 @@ struct ieee80211_key {
- } debugfs;
- #endif
-
-+ unsigned int color;
-+
- /*
- * key config, must be last because it contains key
- * material as variable length member
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2265,6 +2265,7 @@ ieee80211_rx_h_defragment(struct ieee802
- * next fragment has a sequential PN value.
- */
- entry->check_sequential_pn = true;
-+ entry->key_color = rx->key->color;
- memcpy(entry->last_pn,
- rx->key->u.ccmp.rx_pn[queue],
- IEEE80211_CCMP_PN_LEN);
-@@ -2302,6 +2303,11 @@ ieee80211_rx_h_defragment(struct ieee802
-
- if (!requires_sequential_pn(rx, fc))
- return RX_DROP_UNUSABLE;
-+
-+ /* Prevent mixed key and fragment cache attacks */
-+ if (entry->key_color != rx->key->color)
-+ return RX_DROP_UNUSABLE;
-+
- memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
- for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
- pn[i]++;