Date: Mon, 14 Feb 2022 20:28:20 GMT
Message-Id: <202202142028.21EKSKOT090335@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 76ee776f4d9f - stable/12 - net80211: mitigation against A-MSDU design flaw
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: 76ee776f4d9f146f7a97ac9bab388c51a1c787c9

The branch stable/12 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=76ee776f4d9f146f7a97ac9bab388c51a1c787c9

commit 76ee776f4d9f146f7a97ac9bab388c51a1c787c9
Author:     Mathy Vanhoef
AuthorDate: 2021-06-06 22:10:52 +0000
Commit:     Ed Maste
CommitDate: 2022-02-14 20:26:46 +0000

    net80211: mitigation against A-MSDU design flaw

    Mitigate A-MSDU injection attacks by detecting if the destination address
    of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so
    dropping the complete A-MSDU frame. This mitigates known attacks,
    although new (unknown) aggregation-based attacks may remain possible.

    This defense works because in A-MSDU aggregation injection attacks, a
    normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
    the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
    header. In other words, the destination MAC address of the first A-MSDU
    subframe contains the start of an RFC1042 header during an aggregation
    attack. We can detect this and thereby prevent this specific attack.

    This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment
    and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
    paper.

    Submitted by:   Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:       CVE-2020-24588
    PR:             256119

    (cherry picked from commit f024bdf1155f36d2d8c4caa533b66e4040c4c469)
    (cherry picked from commit 41ca1d50a8657959df2009daa300dda56a090d5e)
---
 sys/net80211/ieee80211_adhoc.c  |  2 +-
 sys/net80211/ieee80211_hostap.c |  2 +-
 sys/net80211/ieee80211_input.c  | 20 ++++++++++++++++++--
 sys/net80211/ieee80211_input.h  |  3 ++-
 sys/net80211/ieee80211_sta.c    |  2 +-
 sys/net80211/ieee80211_wds.c    |  2 +-
 6 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/sys/net80211/ieee80211_adhoc.c b/sys/net80211/ieee80211_adhoc.c index ea1519b3381d..c97b99425caa 100644 --- a/sys/net80211/ieee80211_adhoc.c +++ b/sys/net80211/ieee80211_adhoc.c 
@@ -558,7 +558,7 @@ adhoc_input(struct ieee80211_node *ni, struct mbuf *m, /* * Finally, strip the 802.11 header. */ - m = ieee80211_decap(vap, m, hdrspace); + m = ieee80211_decap(vap, m, hdrspace, qos); if (m == NULL) { /* XXX mask bit to check for both */ /* don't count Null data frames as errors */ diff --git a/sys/net80211/ieee80211_hostap.c b/sys/net80211/ieee80211_hostap.c index 6687276d0181..8c132332f86b 100644 --- a/sys/net80211/ieee80211_hostap.c +++ b/sys/net80211/ieee80211_hostap.c @@ -744,7 +744,7 @@ hostap_input(struct ieee80211_node *ni, struct mbuf *m, /* * Finally, strip the 802.11 header. */ - m = ieee80211_decap(vap, m, hdrspace); + m = ieee80211_decap(vap, m, hdrspace, qos); if (m == NULL) { /* XXX mask bit to check for both */ /* don't count Null data frames as errors */ diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c index 404eaf96716a..979e9aef9d12 100644 --- a/sys/net80211/ieee80211_input.c +++ b/sys/net80211/ieee80211_input.c @@ -294,7 +294,8 @@ ieee80211_deliver_data(struct ieee80211vap *vap, } struct mbuf * -ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen) +ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen, + uint8_t qos) { struct ieee80211_qosframe_addr4 wh; struct ether_header *eh; @@ -316,7 +317,9 @@ ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen) llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0 && /* NB: preserve AppleTalk frames that have a native SNAP hdr */ !(llc->llc_snap.ether_type == htons(ETHERTYPE_AARP) || - llc->llc_snap.ether_type == htons(ETHERTYPE_IPX))) { + llc->llc_snap.ether_type == htons(ETHERTYPE_IPX)) && + /* Do not want to touch A-MSDU frames. */ + !(qos & IEEE80211_QOS_AMSDU)) { m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); llc = NULL; } else { 
@@ -364,6 +367,10 @@ ieee80211_decap1(struct mbuf *m, int *framelen) #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) struct ether_header *eh; struct llc *llc; + const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { + /* MAC address matching the 802.2 LLC header */ + LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 + }; /* * The frame has an 802.3 header followed by an 802.2 @@ -376,6 +383,15 @@ ieee80211_decap1(struct mbuf *m, int *framelen) if (m->m_len < FF_LLC_SIZE && (m = m_pullup(m, FF_LLC_SIZE)) == NULL) return NULL; eh = mtod(m, struct ether_header *); /* 802.3 header is first */ + + /* + * Detect possible attack where a single 802.11 frame is processed + * as an A-MSDU frame due to an adversary setting the A-MSDU present + * bit in the 802.11 QoS header. [FragAttacks] + */ + if (memcmp(eh->ether_dhost, llc_hdr_mac, ETHER_ADDR_LEN) == 0) + return NULL; + llc = (struct llc *)&eh[1]; /* 802.2 header follows */ *framelen = ntohs(eh->ether_type) /* encap'd frame size */ + sizeof(struct ether_header) - sizeof(struct llc); diff --git a/sys/net80211/ieee80211_input.h b/sys/net80211/ieee80211_input.h index 810dcbde7978..5959319c76d7 100644 --- a/sys/net80211/ieee80211_input.h +++ b/sys/net80211/ieee80211_input.h @@ -311,7 +311,8 @@ void ieee80211_deliver_data(struct ieee80211vap *, struct mbuf *ieee80211_defrag(struct ieee80211_node *, struct mbuf *, int); struct mbuf *ieee80211_realign(struct ieee80211vap *, struct mbuf *, size_t); -struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int); +struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int, + uint8_t); struct mbuf *ieee80211_decap1(struct mbuf *, int *); int ieee80211_setup_rates(struct ieee80211_node *ni, const uint8_t *rates, const uint8_t *xrates, int flags); diff --git a/sys/net80211/ieee80211_sta.c b/sys/net80211/ieee80211_sta.c index 75f6c652c0fb..56372543a200 100644 --- a/sys/net80211/ieee80211_sta.c +++ b/sys/net80211/ieee80211_sta.c 
@@ -827,7 +827,7 @@ sta_input(struct ieee80211_node *ni, struct mbuf *m, /* * Finally, strip the 802.11 header. */ - m = ieee80211_decap(vap, m, hdrspace); + m = ieee80211_decap(vap, m, hdrspace, qos); if (m == NULL) { /* XXX mask bit to check for both */ /* don't count Null data frames as errors */ diff --git a/sys/net80211/ieee80211_wds.c b/sys/net80211/ieee80211_wds.c index ea13572cf2d9..74cc764b856e 100644 --- a/sys/net80211/ieee80211_wds.c +++ b/sys/net80211/ieee80211_wds.c @@ -619,7 +619,7 @@ wds_input(struct ieee80211_node *ni, struct mbuf *m, /* * Finally, strip the 802.11 header. */ - m = ieee80211_decap(vap, m, hdrspace); + m = ieee80211_decap(vap, m, hdrspace, qos); if (m == NULL) { /* XXX mask bit to check for both */ /* don't count Null data frames as errors */
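Review bot: the four call-site hunks (adhoc_input, hostap_input, sta_input, wds_input) pass a `qos` variable that the visible context neither declares nor assigns; since ieee80211_decap now evaluates `qos & IEEE80211_QOS_AMSDU` for every data frame, confirm that each *_input routine sets `qos` to 0 on the non-QoS path rather than leaving it uninitialized, otherwise a plain data frame could be randomly treated as an A-MSDU and escape LLC/SNAP stripping.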
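Review bot: in the ieee80211_decap hunk the new term `!(qos & IEEE80211_QOS_AMSDU)` is appended at the end of an already long LLC/SNAP condition, after all the `llc->llc_snap` field comparisons; moving the A-MSDU test to the front of the condition short-circuits earlier and makes the intent visible at a glance. The comment `/* Do not want to touch A-MSDU frames. */` should also say why: when the A-MSDU bit is set, the bytes after the 802.11 header are a subframe header (DA, SA, length), not an LLC/SNAP header, so stripping them here would corrupt the first subframe before ieee80211_decap1 ever sees it.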
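Review bot: in the first ieee80211_decap1 hunk the comment on `llc_hdr_mac` reads "MAC address matching the 802.2 LLC header", but the six bytes `LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0` are the full LLC/SNAP prefix including the zero OUI, i.e. the RFC1042 header the commit message talks about; renaming it along the lines of `rfc1042_hdr_mac` or correcting the comment keeps code and message consistent. The array could also be declared `static const` so it is not rebuilt on the stack for every subframe of every A-MSDU.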
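Review bot: the new check in the second ieee80211_decap1 hunk, `if (memcmp(eh->ether_dhost, llc_hdr_mac, ETHER_ADDR_LEN) == 0) return NULL;`, drops the aggregate silently, so an operator cannot distinguish a blocked aggregation attack from an ordinary malformed frame; a dedicated discard statistic or an IEEE80211_DISCARD_MAC log would make the mitigation observable (ieee80211_decap1 receives only the mbuf and framelen today, so that means either a signature change or counting in the caller). Note also that the comparison runs on every subframe, not only the first one the commit message describes; that is a safe superset, since aa:aa:03:00:00:00 is a locally administered address no legitimate station should carry, but the comment should state it.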
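Review bot: the prototype change in the ieee80211_input.h hunk adds a fourth `uint8_t` argument to ieee80211_decap, which is an API break for any out-of-tree driver or module that calls it; on stable/12 that deserves a sentence in the commit message (or an UPDATING entry), even though all in-tree callers are updated in the same patch.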
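The check the commit message describes, as an added example in user-space C that is not net80211 code: a walker over A-MSDU subframes that drops the whole aggregate when any subframe destination address equals the RFC1042 prefix, and additionally validates each subframe length field. All names, constants and the sample frames are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define AMSDU_SUBFRAME_HDR 14 /* DA(6) + SA(6) + MSDU length(2) */

/* The RFC1042 LLC/SNAP prefix: what a plain MSDU's first 6 bytes look like
 * when they are misread as an A-MSDU subframe destination address. */
static const uint8_t rfc1042_as_mac[ETHER_ADDR_LEN] = {
	0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };

enum amsdu_verdict { AMSDU_OK, AMSDU_TRUNCATED, AMSDU_INJECTED };

/* Hypothetical helper (names assumed): walk the subframes of an A-MSDU
 * payload. A subframe whose DA equals the RFC1042 prefix means a single MSDU
 * was re-labelled as an A-MSDU, so the whole aggregate is dropped. *nsub
 * receives the number of well-formed subframes parsed before the verdict. */
enum amsdu_verdict amsdu_check(const uint8_t *p, size_t len, int *nsub)
{
	*nsub = 0;
	while (len >= AMSDU_SUBFRAME_HDR) {
		size_t mlen = ((size_t)p[12] << 8) | p[13]; /* big-endian length */
		if (memcmp(p, rfc1042_as_mac, ETHER_ADDR_LEN) == 0)
			return AMSDU_INJECTED;
		if (AMSDU_SUBFRAME_HDR + mlen > len)
			return AMSDU_TRUNCATED; /* length field overruns the frame */
		(*nsub)++;
		size_t total = (AMSDU_SUBFRAME_HDR + mlen + 3) & ~(size_t)3; /* 4-byte pad */
		if (total >= len)
			break; /* last subframe carries no padding */
		p += total;
		len -= total;
	}
	return AMSDU_OK;
}

/* Constructed sample: a legitimate A-MSDU with two 8-byte subframes. */
static const uint8_t sample_good[] = {
	0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x00,0x08,
	0xaa,0xaa,0x03,0,0,0, 0x08,0x00, 0x00,0x00, /* payload + 2 pad bytes */
	0x02,0,0,0,0,0x03, 0x02,0,0,0,0,0x02, 0x00,0x08,
	0xaa,0xaa,0x03,0,0,0, 0x08,0x00 };
/* Constructed sample: a normal MSDU (LLC/SNAP + IPv4 start) whose A-MSDU bit
 * was flipped; read as a subframe, its "DA" is the RFC1042 prefix. */
static const uint8_t sample_injected[] = {
	0xaa,0xaa,0x03,0,0,0, 0x08,0x00, 0x45,0x00,0x00,0x3c,
	0x00,0x00,0x40,0x00,0x40,0x11,0x00,0x00 };

int check_good(void) { int n; return amsdu_check(sample_good, sizeof sample_good, &n) == AMSDU_OK && n == 2; }
int check_injected(void) { int n; return amsdu_check(sample_injected, sizeof sample_injected, &n) == AMSDU_INJECTED; }
```

The length validation goes beyond the patch, which only compares the destination address; it is there because a subframe length that overruns the frame is the other way a crafted A-MSDU can mislead a decapsulator.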