Diffstat (limited to 'package/kernel/mac80211/patches/ath/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch')
-rw-r--r--package/kernel/mac80211/patches/ath/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch66
1 files changed, 66 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/ath/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch b/package/kernel/mac80211/patches/ath/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch
new file mode 100644
index 0000000000..7288c66612
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch
@@ -0,0 +1,66 @@
+From: Wen Gong <wgong@codeaurora.org>
+Date: Tue, 11 May 2021 20:02:53 +0200
+Subject: [PATCH] ath10k: drop fragments with multicast DA for PCIe
+
+Fragmentation is not used with multicast frames. Discard unexpected
+fragments with multicast DA. This fixes CVE-2020-26145.
+
+Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -1768,6 +1768,16 @@ static u64 ath10k_htt_rx_h_get_pn(struct
+ return pn;
+ }
+
++static bool ath10k_htt_rx_h_frag_multicast_check(struct ath10k *ar,
++ struct sk_buff *skb,
++ u16 offset)
++{
++ struct ieee80211_hdr *hdr;
++
++ hdr = (struct ieee80211_hdr *)(skb->data + offset);
++ return !is_multicast_ether_addr(hdr->addr1);
++}
++
+ static bool ath10k_htt_rx_h_frag_pn_check(struct ath10k *ar,
+ struct sk_buff *skb,
+ u16 peer_id,
+@@ -1839,7 +1849,7 @@ static void ath10k_htt_rx_h_mpdu(struct
+ bool is_decrypted;
+ bool is_mgmt;
+ u32 attention;
+- bool frag_pn_check = true;
++ bool frag_pn_check = true, multicast_check = true;
+
+ if (skb_queue_empty(amsdu))
+ return;
+@@ -1946,13 +1956,20 @@ static void ath10k_htt_rx_h_mpdu(struct
+ 0,
+ enctype);
+
+- if (!frag_pn_check) {
+- /* Discard the fragment with invalid PN */
++ if (frag)
++ multicast_check = ath10k_htt_rx_h_frag_multicast_check(ar,
++ msdu,
++ 0);
++
++ if (!frag_pn_check || !multicast_check) {
++ /* Discard the fragment with invalid PN or multicast DA
++ */
+ temp = msdu->prev;
+ __skb_unlink(msdu, amsdu);
+ dev_kfree_skb_any(msdu);
+ msdu = temp;
+ frag_pn_check = true;
++ multicast_check = true;
+ continue;
+ }
+
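Review bot: The new helper `ath10k_htt_rx_h_frag_multicast_check()` reads `hdr->addr1` at `skb->data + offset` without checking that the buffer holds that much of an 802.11 header; whether the caller has already validated the length is not visible in these hunks. If nothing before this call guarantees it, a guard such as `if (skb->len < offset + offsetofend(struct ieee80211_hdr, addr1)) return false;` would drop a truncated fragment instead of parsing it. The helper also has no comment on its return sense, which is easy to misread next to `!multicast_check`; something like `/* Return true when the fragment's DA (addr1) is not a group address, i.e. the fragment may be kept. */` would help, and the `ar` parameter is unused. Since this file is a carried copy of an upstream patch, any code change is better proposed upstream than applied only here; `ath10k_htt_rx_h_mpdu()` continues outside the quoted hunks.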