ACK/Cmnt: [Xenial][SRU][CVE-2019-0136][PATCH 1/1] mac80211: handle deauthentication/disassociation from TDLS peer

Stefan Bader stefan.bader at canonical.com
Mon Aug 26 14:46:57 UTC 2019 

On 20.08.19 17:19, Connor Kuehl wrote:
> From: Yu Wang <yyuwang at codeaurora.org>
> 
> CVE-2019-0136
> 
> When receiving a deauthentication/disassociation frame from a TDLS
> peer, a station should not disconnect the current AP, but only
> disable the current TDLS link if it's enabled.
> 
> Without this change, a TDLS issue can be reproduced by following the
> steps as below:
> 
> 1. STA-1 and STA-2 are connected to AP, bidirection traffic is running
>    between STA-1 and STA-2.
> 2. Set up TDLS link between STA-1 and STA-2, stay for a while, then
>    teardown TDLS link.
> 3. Repeat step #2 and monitor the connection between STA and AP.
> 
> During the test, one STA may send a deauthentication/disassociation
> frame to another, after TDLS teardown, with reason code 6/7, which
> means: Class 2/3 frame received from nonassociated STA.
> 
> On receive this frame, the receiver STA will disconnect the current
> AP and then reconnect. It's not a expected behavior, purpose of this
> frame should be disabling the TDLS link, not the link with AP.
> 
> Cc: stable at vger.kernel.org
> Signed-off-by: Yu Wang <yyuwang at codeaurora.org>
> Signed-off-by: Johannes Berg <johannes.berg at intel.com>
> (backported from commit 79c92ca42b5a3e0ea172ea2ce8df8e125af237da)
> [ Connor Kuehl: the patch context differed slightly in the new addition
>   to ieee80211_rx_mgmt_disassoc(). Mainline commit 68506e9af132
>   "mac80211: Print text for disassociation reason" introduces some more
>   information to the call to sdata_info() but Xenial does not contain that
>   commit and it is not necessary to fix this CVE. So, that hunk was placed
>   manually and the call to sdata_info() remains the same as it was before. ]
> Signed-off-by: Connor Kuehl <connor.kuehl at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---

tl;dr is minor context adjustment

>  net/mac80211/ieee80211_i.h |  3 +++
>  net/mac80211/mlme.c        | 12 +++++++++++-
>  net/mac80211/tdls.c        | 23 +++++++++++++++++++++++
>  3 files changed, 37 insertions(+), 1 deletion(-)
> 
> diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
> index 7b271f3ded6b..72f76da88912 100644
> --- a/net/mac80211/ieee80211_i.h
> +++ b/net/mac80211/ieee80211_i.h
> @@ -2059,6 +2059,9 @@ void ieee80211_tdls_cancel_channel_switch(struct wiphy *wiphy,
>  					  const u8 *addr);
>  void ieee80211_teardown_tdls_peers(struct ieee80211_sub_if_data *sdata);
>  void ieee80211_tdls_chsw_work(struct work_struct *wk);
> +void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
> +				      const u8 *peer, u16 reason);
> +const char *ieee80211_get_reason_code_string(u16 reason_code);
>  
>  extern const struct ethtool_ops ieee80211_ethtool_ops;
>  
> diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> index 08384dbf426c..d9536226d12a 100644
> --- a/net/mac80211/mlme.c
> +++ b/net/mac80211/mlme.c
> @@ -2733,7 +2733,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
>  #define case_WLAN(type) \
>  	case WLAN_REASON_##type: return #type
>  
> -static const char *ieee80211_get_reason_code_string(u16 reason_code)
> +const char *ieee80211_get_reason_code_string(u16 reason_code)
>  {
>  	switch (reason_code) {
>  	case_WLAN(UNSPECIFIED);
> @@ -2798,6 +2798,11 @@ static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
>  	if (len < 24 + 2)
>  		return;
>  
> +	if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
> +		ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
> +		return;
> +	}
> +
>  	if (ifmgd->associated &&
>  	    ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid)) {
>  		const u8 *bssid = ifmgd->associated->bssid;
> @@ -2847,6 +2852,11 @@ static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
>  
>  	reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
>  
> +	if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
> +		ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
> +		return;
> +	}
> +
>  	sdata_info(sdata, "disassociated from %pM (Reason: %u)\n",
>  		   mgmt->sa, reason_code);
>  
> diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
> index c9eeb3f12808..ce2ece424384 100644
> --- a/net/mac80211/tdls.c
> +++ b/net/mac80211/tdls.c
> @@ -1963,3 +1963,26 @@ void ieee80211_tdls_chsw_work(struct work_struct *wk)
>  	}
>  	rtnl_unlock();
>  }
> +
> +void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
> +				      const u8 *peer, u16 reason)
> +{
> +	struct ieee80211_sta *sta;
> +
> +	rcu_read_lock();
> +	sta = ieee80211_find_sta(&sdata->vif, peer);
> +	if (!sta || !sta->tdls) {
> +		rcu_read_unlock();
> +		return;
> +	}
> +	rcu_read_unlock();
> +
> +	tdls_dbg(sdata, "disconnected from TDLS peer %pM (Reason: %u=%s)\n",
> +		 peer, reason,
> +		 ieee80211_get_reason_code_string(reason));
> +
> +	ieee80211_tdls_oper_request(&sdata->vif, peer,
> +				    NL80211_TDLS_TEARDOWN,
> +				    WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE,
> +				    GFP_ATOMIC);
> +}
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20190826/c97583cb/attachment.sig>

More information about the kernel-team mailing list