[SRU Hirsute, Groovy, Focal/linux-oem-5.10, Focal/linux-oem-5.6, Focal 00/16] Fragattacks mitigations
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Tue May 25 17:46:06 UTC 2021
[Impact]
Paraphrasing from https://fragattacks.com/:
Fragmentation and aggregation attacks are new security vulnerabilities that
affect wifi devices. An adversary within range can abuse them to steal user
information or attack devices.
[Fixes]
Fixes have been provided to mac80211 layer on Linux and ath10k and ath11k drivers.
They are almost clean cherry picks for the kernels I am sending them for.
Bionic was skipped for now because it will require further work.
The EAPOL fix did cherry pick cleanly, but the formatted patch did not apply without
further context options, so it is provided in two versions here.
Two other commits did not apply cleanly on 5.6 and 5.4, because of context on file
headers containing copyright notices. Those are the only conflicts when cherry picking
on those kernels.
Finally, ath11k is not present on 5.4, so its only fix was skipped for that kernel.
[Testing]
I built all backport versions and booted 5.11 on a system with rtl8192ce driver, which
uses mac80211 layer. Also booted and tested 5.4 on a system with ath5k, that also
uses mac80211 layer.
[Potential regression]
Wifi connection issues might happen, including dropped packets.

Johannes Berg (5):
  mac80211: add fragment cache to sta_info
  mac80211: check defrag PN against current frame
  mac80211: prevent attacks on TKIP/WEP as well
  mac80211: drop A-MSDUs on old ciphers
  mac80211: do not accept/forward invalid EAPOL frames

Mathy Vanhoef (4):
  mac80211: assure all fragments are encrypted
  mac80211: prevent mixed key and fragment cache attacks
  mac80211: properly handle A-MSDUs that start with an RFC 1042 header
  cfg80211: mitigate A-MSDU aggregation attacks

Sriram R (1):
  ath11k: Clear the fragment cache during key install

Wen Gong (6):
  mac80211: extend protection against mixed key and fragment cache
    attacks
  ath10k: drop MPDU which has discard flag set by firmware for SDIO
  ath10k: Fix TKIP Michael MIC verification for PCIe
  ath10k: drop fragments with multicast DA for SDIO
  ath10k: add CCMP PN replay protection for fragmented frames for PCIe
  ath10k: drop fragments with multicast DA for PCIe

drivers/net/wireless/ath/ath10k/htt.h | 1 +
drivers/net/wireless/ath/ath10k/htt_rx.c | 140 +++++++++++++++++++-
drivers/net/wireless/ath/ath10k/rx_desc.h | 14 +-
drivers/net/wireless/ath/ath11k/dp_rx.c | 18 +++
drivers/net/wireless/ath/ath11k/dp_rx.h | 1 +
drivers/net/wireless/ath/ath11k/mac.c | 6 +
include/net/cfg80211.h | 4 +-
net/mac80211/ieee80211_i.h | 36 ++----
net/mac80211/iface.c | 11 +-
net/mac80211/key.c | 7 +
net/mac80211/key.h | 2 +
net/mac80211/rx.c | 150 +++++++++++++++++-----
net/mac80211/sta_info.c | 6 +-
net/mac80211/sta_info.h | 33 ++++-
net/mac80211/wpa.c | 13 +-
net/wireless/util.c | 7 +-
16 files changed, 368 insertions(+), 81 deletions(-)
--
2.30.2