projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c39f180) | patch
mac80211: prevent mixed key and fragment cache attacks
authorMathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
Mon, 31 May 2021 20:31:27 +0000 (22:31 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Jun 2021 06:36:13 +0000 (08:36 +0200)
commitf643397142c196d3ac653b2df32997dad991cb29
tree614a7f82026ff325756bfbe043f47ee6c96bae5ctree | snapshot (tar.gz zip)
parentc39f180c7bd8379de238a4fd4a2f7515e03802f8commit | diff
mac80211: prevent mixed key and fragment cache attacks

commit 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 upstream.

Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment
cache attacks (CVE-2020-24586). This is accomplished by assigning a
unique color to every key (per interface) and using this to track which
key was used to decrypt a fragment. When reassembling frames, it is
now checked whether all fragments were decrypted using the same key.

To assure that fragment cache attacks are also prevented, the ID that is
assigned to keys is unique even over (re)associations and (re)connects.
This means fragments separated by a (re)association or (re)connect will
not be reassembled. Because mac80211 now also prevents the reassembly of
mixed encrypted and plaintext fragments, all cache attacks are prevented.

Cc: stable@vger.kernel.org
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
Link: https://lore.kernel.org/r/20210511200110.3f8290e59823.I622a67769ed39257327a362cfc09c812320eb979@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/mac80211/ieee80211_i.h diff | blob | blame | history
net/mac80211/key.c diff | blob | blame | history
net/mac80211/key.h diff | blob | blame | history
net/mac80211/rx.c diff | blob | blame | history