From nobody Tue Mar 15 18:14:04 2022 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 5A3AD1A22CAB; Tue, 15 Mar 2022 18:14:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KJ1kj0lBnz57R4; Tue, 15 Mar 2022 18:14:05 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1647368045; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=MC9cETm2Pp6W5rU2VFiHc64SGVhvSmMvB4J4nbdm95g=; b=q7/7LSa9sgXPdZTZCuPGldOHI+ONJjhA/36f5LlyNqk4JvQniIIG9Pm94pngcXZLKwB6GF /e8IGZQpTzRyqRpOEt+8h9Co7s32YxGK7+Ubiq5BguVYta87MwiptyKXy7N27hoMbjm78S rIqwtbXUJDHqeRGv56W26nGhN6PGVQYIO0eQgTG6mR5aP1mLzqMTIFyqC3mJ2NPSTAWLHH YxV5jmUm+R6JeRVfNjidRaYKeo9STUmoi+F9JHJ3SDMOVFmfJ5MMYGZfvyblDoFCU/cDDb ZoV4eIW8DqttTznOWpYbG3xYZs+QNXvJ/0ZU2RjLfVig7ldF8+Yu+ahkW8mY2A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BC6C926B17; Tue, 15 Mar 2022 18:14:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 22FIE4Us074927; Tue, 15 Mar 2022 18:14:04 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 22FIE40x074926; Tue, 15 Mar 2022 18:14:04 GMT (envelope-from git) Date: Tue, 15 Mar 2022 18:14:04 GMT Message-Id: <202203151814.22FIE40x074926@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 7ba07a1452a8 - releng/13.0 - net80211: mitigation against A-MSDU design flaw List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/13.0 X-Git-Reftype: branch X-Git-Commit: 7ba07a1452a82c3cbe696c3dfd162cc76c168dda Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1647368045; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=MC9cETm2Pp6W5rU2VFiHc64SGVhvSmMvB4J4nbdm95g=; b=RCZRJrxgL0K0eohsSAZroxPlmwC9MYV5TooTVGOAQ+DMa1K9ZJuzjn8FVXcwHPqR4RpJC+ p5dYIJHiWQzKt0ux6sE2ANI55Emt5nYV4TRDoRJ6td/4e3y6H9r7Qe6m972ALb7Z63Mgz4 B9vLl/OrdP6MsPaDhr5WcCQ9aajBVzgcjtBDN95nzG1ssDrY2xPBQ2F8TeuGQ7c8sqJwrV OIFDpFnhYaP+9K9fzFM6YAi7MqXOg6NI3u5wVbZIRnSbQoGooVLnjcQk/bAitmraZrdc3k 43Y+u2Anp2vSEXASkPY0sCAdrcVhXmRjdoKZBFE52DH/nw/R97Q9VP8BFlnKrA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1647368045; a=rsa-sha256; cv=none; b=wSanWx5lmM87/phJtjqLu5SnAvKXLWFecXrw96yBHFtNO7KkL65gII9Jh6cqkcALMPPqyb PPnQmj/6LkjNocJvPH4r1MMyWZp6Zx9Ub8BncCIGa4jBhZra8Iw9IouVh23gEjPzwEM8uW SmCofBijCeKTcdppuOq7MwfMcAxJXsW+7xzlWe3+n3DNxraXy5tKyWbSBSTlLCRJU7s7YJ g5p+MaMiou1JPv8PbgYa+cF6aRs+5JkWzWjKMbqLR9XTf1LaZSJ4w1VJ7fe9gt2Pcfm5Di lb7YtPGEHEuRY5O1yuAioPJfJUh+gzj7aKhSXu2RueX/OVKzNwOJHOKH111S/Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch releng/13.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=7ba07a1452a82c3cbe696c3dfd162cc76c168dda commit 7ba07a1452a82c3cbe696c3dfd162cc76c168dda Author: Mathy Vanhoef AuthorDate: 2021-06-06 22:10:52 +0000 Commit: Mark Johnston CommitDate: 2022-03-15 17:45:11 +0000 net80211: mitigation against A-MSDU design flaw Mitigate A-MSDU injection attacks by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-24588 PR: 256119 (cherry picked from commit f024bdf1155f36d2d8c4caa533b66e4040c4c469) (cherry picked from commit 41ca1d50a8657959df2009daa300dda56a090d5e) Approved by: so Security: FreeBSD-SA-22:02.wifi --- sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 20 ++++++++++++++++++-- sys/net80211/ieee80211_input.h | 3 ++- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 6 files changed, 24 insertions(+), 7 deletions(-) diff --git a/sys/net80211/ieee80211_adhoc.c b/sys/net80211/ieee80211_adhoc.c index a23f138802dc..e2164bbb46a1 100644 --- a/sys/net80211/ieee80211_adhoc.c +++ b/sys/net80211/ieee80211_adhoc.c @@ -558,7 +558,7 @@ adhoc_input(struct ieee80211_node *ni, struct mbuf *m, /* * Finally, strip the 802.11 header. */ - m = ieee80211_decap(vap, m, hdrspace); + m = ieee80211_decap(vap, m, hdrspace, qos); if (m == NULL) { /* XXX mask bit to check for both */ /* don't count Null data frames as errors */ diff --git a/sys/net80211/ieee80211_hostap.c b/sys/net80211/ieee80211_hostap.c index d2daaea5bda6..80e58fd752a7 100644 --- a/sys/net80211/ieee80211_hostap.c +++ b/sys/net80211/ieee80211_hostap.c @@ -744,7 +744,7 @@ hostap_input(struct ieee80211_node *ni, struct mbuf *m, /* * Finally, strip the 802.11 header. */ - m = ieee80211_decap(vap, m, hdrspace); + m = ieee80211_decap(vap, m, hdrspace, qos); if (m == NULL) { /* XXX mask bit to check for both */ /* don't count Null data frames as errors */ diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c index eaeceb9d228e..66a5ba1c4035 100644 --- a/sys/net80211/ieee80211_input.c +++ b/sys/net80211/ieee80211_input.c @@ -309,7 +309,8 @@ ieee80211_deliver_data(struct ieee80211vap *vap, } struct mbuf * -ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen) +ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen, + uint8_t qos) { struct ieee80211_qosframe_addr4 wh; struct ether_header *eh; @@ -331,7 +332,9 @@ ieee80211_decap(struct ieee80211vap *vap, struct mbuf *m, int hdrlen) llc->llc_snap.org_code[1] == 0 && llc->llc_snap.org_code[2] == 0 && /* NB: preserve AppleTalk frames that have a native SNAP hdr */ !(llc->llc_snap.ether_type == htons(ETHERTYPE_AARP) || - llc->llc_snap.ether_type == htons(ETHERTYPE_IPX))) { + llc->llc_snap.ether_type == htons(ETHERTYPE_IPX)) && + /* Do not want to touch A-MSDU frames. */ + !(qos & IEEE80211_QOS_AMSDU)) { m_adj(m, hdrlen + sizeof(struct llc) - sizeof(*eh)); llc = NULL; } else { @@ -379,6 +382,10 @@ ieee80211_decap1(struct mbuf *m, int *framelen) #define FF_LLC_SIZE (sizeof(struct ether_header) + sizeof(struct llc)) struct ether_header *eh; struct llc *llc; + const uint8_t llc_hdr_mac[ETHER_ADDR_LEN] = { + /* MAC address matching the 802.2 LLC header */ + LLC_SNAP_LSAP, LLC_SNAP_LSAP, LLC_UI, 0, 0, 0 + }; /* * The frame has an 802.3 header followed by an 802.2 @@ -391,6 +398,15 @@ ieee80211_decap1(struct mbuf *m, int *framelen) if (m->m_len < FF_LLC_SIZE && (m = m_pullup(m, FF_LLC_SIZE)) == NULL) return NULL; eh = mtod(m, struct ether_header *); /* 802.3 header is first */ + + /* + * Detect possible attack where a single 802.11 frame is processed + * as an A-MSDU frame due to an adversary setting the A-MSDU present + * bit in the 802.11 QoS header. [FragAttacks] + */ + if (memcmp(eh->ether_dhost, llc_hdr_mac, ETHER_ADDR_LEN) == 0) + return NULL; + llc = (struct llc *)&eh[1]; /* 802.2 header follows */ *framelen = ntohs(eh->ether_type) /* encap'd frame size */ + sizeof(struct ether_header) - sizeof(struct llc); diff --git a/sys/net80211/ieee80211_input.h b/sys/net80211/ieee80211_input.h index 8ec82eef7369..ae2b4644cc9e 100644 --- a/sys/net80211/ieee80211_input.h +++ b/sys/net80211/ieee80211_input.h @@ -311,7 +311,8 @@ void ieee80211_deliver_data(struct ieee80211vap *, struct mbuf *ieee80211_defrag(struct ieee80211_node *, struct mbuf *, int, int); struct mbuf *ieee80211_realign(struct ieee80211vap *, struct mbuf *, size_t); -struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int); +struct mbuf *ieee80211_decap(struct ieee80211vap *, struct mbuf *, int, + uint8_t); struct mbuf *ieee80211_decap1(struct mbuf *, int *); int ieee80211_setup_rates(struct ieee80211_node *ni, const uint8_t *rates, const uint8_t *xrates, int flags); diff --git a/sys/net80211/ieee80211_sta.c b/sys/net80211/ieee80211_sta.c index 6d24eadc11a6..60a5ea100556 100644 --- a/sys/net80211/ieee80211_sta.c +++ b/sys/net80211/ieee80211_sta.c @@ -827,7 +827,7 @@ sta_input(struct ieee80211_node *ni, struct mbuf *m, /* * Finally, strip the 802.11 header. */ - m = ieee80211_decap(vap, m, hdrspace); + m = ieee80211_decap(vap, m, hdrspace, qos); if (m == NULL) { /* XXX mask bit to check for both */ /* don't count Null data frames as errors */ diff --git a/sys/net80211/ieee80211_wds.c b/sys/net80211/ieee80211_wds.c index f59a92b992d7..f88871ca4ae6 100644 --- a/sys/net80211/ieee80211_wds.c +++ b/sys/net80211/ieee80211_wds.c @@ -621,7 +621,7 @@ wds_input(struct ieee80211_node *ni, struct mbuf *m, /* * Finally, strip the 802.11 header. */ - m = ieee80211_decap(vap, m, hdrspace); + m = ieee80211_decap(vap, m, hdrspace, qos); if (m == NULL) { /* XXX mask bit to check for both */ /* don't count Null data frames as errors */