Skip to content
Snippets Groups Projects
Commit eb80aa99 authored by Wen Gong's avatar Wen Gong Committed by Yang Yingliang
Browse files

mac80211: extend protection against mixed key and fragment cache attacks 

stable inclusion
from linux-4.19.193
commit 8b8713c47b032088f83385876a0a7beb00a5be89
CVE: CVE-2020-24586, CVE-2020-24587

--------------------------------

commit 3edc6b0d6c061a70d8ca3c3c72eb1f58ce29bfb1 upstream.

For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is
done by the hardware, and the Protected bit in the Frame Control field
is cleared in the lower level driver before the frame is passed to
mac80211. In such cases, the condition for ieee80211_has_protected() is
not met in ieee80211_rx_h_defragment() of mac80211 and the new security
validation steps are not executed.

Extend mac80211 to cover the case where the Protected bit has been
cleared, but the frame is indicated as having been decrypted by the
hardware. This extends protection against mixed key and fragment cache
attack for additional drivers/chips. This fixes CVE-2020-24586 and
CVE-2020-24587 for such cases.

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4...
parent cb3b9b8a
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 11 additions and 2 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment