git.baikalelectronics.ru Git - kernel.git/commit

author	Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
	Tue, 11 May 2021 18:02:43 +0000 (20:02 +0200)
committer	Johannes Berg <johannes.berg@intel.com>
	Tue, 11 May 2021 18:12:51 +0000 (20:12 +0200)
commit	a4e1fbde76bce8b3a1161659a9620a09fd6a830b
tree	a6319a8f6aa0c1c11131b86e5328cb4b7b0d54fd	tree \| snapshot
parent	11e1e37e77c41cd20bfc44c29a595db3abc0cb23	commit \| diff

mac80211: prevent mixed key and fragment cache attacks

Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment
cache attacks (CVE-2020-24586). This is accomplished by assigning a
unique color to every key (per interface) and using this to track which
key was used to decrypt a fragment. When reassembling frames, it is
now checked whether all fragments were decrypted using the same key.

To assure that fragment cache attacks are also prevented, the ID that is
assigned to keys is unique even over (re)associations and (re)connects.
This means fragments separated by a (re)association or (re)connect will
not be reassembled. Because mac80211 now also prevents the reassembly of
mixed encrypted and plaintext fragments, all cache attacks are prevented.

Cc: stable@vger.kernel.org
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
Link: https://lore.kernel.org/r/20210511200110.3f8290e59823.I622a67769ed39257327a362cfc09c812320eb979@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

net/mac80211/ieee80211_i.h		diff \| blob \| history
net/mac80211/key.c		diff \| blob \| history
net/mac80211/key.h		diff \| blob \| history
net/mac80211/rx.c		diff \| blob \| history