[PATCH openEuler-1.0-LTS 05/12] cfg80211: mitigate A-MSDU aggregation attacks

From: Mathy Vanhoef Mathy.Vanhoef@kuleuven.be

stable inclusion from linux-4.19.193 commit 8ea9e997642360ea097710cfa7b1cd750a73fe64 CVE: CVE-2020-24588

--------------------------------

commit 2b8a1fee3488c602aca8bea004a087e60806a5cf upstream.

Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible.

This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation".

Note that for kernel 4.9 and above this patch depends on "mac80211: properly handle A-MSDUs that start with a rfc1042 header". Otherwise this patch has no impact and attacks will remain possible.

Cc: stable@vger.kernel.org Signed-off-by: Mathy Vanhoef Mathy.Vanhoef@kuleuven.be Link: https://lore.kernel.org/r/20210511200110.25d93176ddaf.I9e265b597f2cd23eb4457... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Yang Yingliang yangyingliang@huawei.com Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Reviewed-by: Yue Haibing yuehaibing@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- net/wireless/util.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/net/wireless/util.c b/net/wireless/util.c index b1c1b605ae3fa..c619c82a6445a 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c @@ -652,6 +652,9 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list, remaining = skb->len - offset; if (subframe_len > remaining) goto purge; + /* mitigate A-MSDU aggregation injection attacks */ + if (ether_addr_equal(eth.h_dest, rfc1042_header)) + goto purge;

offset += sizeof(struct ethhdr); last = remaining <= subframe_len + padding;