Date:   Sun, 8 Nov 2020 20:34:22 +0100
From:   Thomas Deutschmann <whissi@...too.org>
To:     Mathy Vanhoef <Mathy.Vanhoef@...euven.be>,
        Johannes Berg <johannes@...solutions.net>,
        linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        "stable@...r.kernel.org" <stable@...r.kernel.org>
Cc:     Christian Hesse <list@...rm.de>
Subject: Re: [PATCH] mac80211: fix regression where EAPOL frames were sent in
 plaintext

Hi,

On 2020-10-19 18:01, Mathy Vanhoef wrote:
> When sending EAPOL frames via NL80211 they are treated as injected
> frames in mac80211. Due to commit 1df2bdba528b ("mac80211: never drop
> injected frames even if normally not allowed") these injected frames
> were not assigned a sta context in the function ieee80211_tx_dequeue,
> causing certain wireless network cards to always send EAPOL frames in
> plaintext. This may cause compatibility issues with some clients or
> APs, which for instance can cause the group key handshake to fail and
> in turn would cause the station to get disconnected.
> 
> This commit fixes this regression by assigning a sta context in
> ieee80211_tx_dequeue to injected frames as well.
> 
> Note that sending EAPOL frames in plaintext is not a security issue
> since they contain their own encryption and authentication protection.
> 
> Fixes: 1df2bdba528b ("mac80211: never drop injected frames even if normally not allowed")
> Reported-by: Thomas Deutschmann <whissi@...too.org>
> Tested-by: Christian Hesse <list@...rm.de>
> Tested-by: Thomas Deutschmann <whissi@...too.org>
> Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@...euven.be>
> ---
>   net/mac80211/tx.c | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
> index 8ba10a48d..55b41167a 100644
> --- a/net/mac80211/tx.c
> +++ b/net/mac80211/tx.c
> @@ -3619,13 +3619,14 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
>   	tx.skb = skb;
>   	tx.sdata = vif_to_sdata(info->control.vif);
>   
> -	if (txq->sta && !(info->flags & IEEE80211_TX_CTL_INJECTED)) {
> +	if (txq->sta) {
>   		tx.sta = container_of(txq->sta, struct sta_info, sta);
>   		/*
>   		 * Drop unicast frames to unauthorised stations unless they are
> -		 * EAPOL frames from the local station.
> +		 * injected frames or EAPOL frames from the local station.
>   		 */
> -		if (unlikely(ieee80211_is_data(hdr->frame_control) &&
> +		if (unlikely(!(info->flags & IEEE80211_TX_CTL_INJECTED) &&
> +			     ieee80211_is_data(hdr->frame_control) &&
>   			     !ieee80211_vif_is_mesh(&tx.sdata->vif) &&
>   			     tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
>   			     !is_multicast_ether_addr(hdr->addr1) &&
> 
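Review bot: the new `if (txq->sta)` branch sets tx.sta for every injected frame on a txq with a station, not only for EAPOL frames sent via NL80211, yet the only comment in the hunk still describes just the drop rule. Consider a short comment above `tx.sta = container_of(txq->sta, struct sta_info, sta);` saying that injected frames need the sta context as well (the commit message ties the missing context to frames leaving in plaintext on some cards), so a later cleanup does not move the IEEE80211_TX_CTL_INJECTED test back into the outer condition. The reworded comment and the relocated `!(info->flags & IEEE80211_TX_CTL_INJECTED)` test are consistent with each other: injected frames remain exempt from the unauthorised-station drop.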

Can we please get this applied to linux-5.10 and linux-5.9?

Is there anything left to do that I can help with?

Thanks!


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5


