diff options
Diffstat (limited to 'package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch')
| -rw-r--r-- | package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch b/package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch new file mode 100644 index 0000000000..8ea78dca84 --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch @@ -0,0 +1,40 @@ +From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> +Date: Tue, 11 May 2021 20:02:45 +0200 +Subject: [PATCH] cfg80211: mitigate A-MSDU aggregation attacks + +Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the +destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) +header, and if so dropping the complete A-MSDU frame. This mitigates +known attacks, although new (unknown) aggregation-based attacks may +remain possible. + +This defense works because in A-MSDU aggregation injection attacks, a +normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means +the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 +header. In other words, the destination MAC address of the first A-MSDU +subframe contains the start of an RFC1042 header during an aggregation +attack. We can detect this and thereby prevent this specific attack. +For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi +Through Frame Aggregation and Fragmentation". + +Note that for kernel 4.9 and above this patch depends on "mac80211: +properly handle A-MSDUs that start with a rfc1042 header". Otherwise +this patch has no impact and attacks will remain possible. + +Cc: stable@vger.kernel.org +Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +--- + +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -775,6 +775,9 @@ void ieee80211_amsdu_to_8023s(struct sk_ + remaining = skb->len - offset; + if (subframe_len > remaining) + goto purge; ++ /* mitigate A-MSDU aggregation injection attacks */ ++ if (ether_addr_equal(eth.h_dest, rfc1042_header)) ++ goto purge; + + offset += sizeof(struct ethhdr); + last = remaining <= subframe_len + padding; |