git.baikalelectronics.ru Git - kernel.git/commit

author	Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
	Tue, 11 May 2021 18:02:45 +0000 (20:02 +0200)
committer	Johannes Berg <johannes.berg@intel.com>
	Tue, 11 May 2021 18:13:13 +0000 (20:13 +0200)
commit	16fd6feaff10d31756ca8e21c66db20752ba4b7c
tree	a3464afbcada925090f9650a434dbbaf9a162dff	tree \| snapshot
parent	efbe798648e751527e7fb7683da3fc9d3f397466	commit \| diff

cfg80211: mitigate A-MSDU aggregation attacks

Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
header, and if so dropping the complete A-MSDU frame. This mitigates
known attacks, although new (unknown) aggregation-based attacks may
remain possible.

This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.
For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
Through Frame Aggregation and Fragmentation".

Note that for kernel 4.9 and above this patch depends on "mac80211:
properly handle A-MSDUs that start with a rfc1042 header". Otherwise
this patch has no impact and attacks will remain possible.

Cc: stable@vger.kernel.org
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
Link: https://lore.kernel.org/r/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>