[B/D][SRU] Fix for CVE-2019-5108


[B/D][SRU] Fix for CVE-2019-5108

Connor Kuehl
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5108.html

From the link above:

    "An exploitable denial-of-service vulnerability exists in the Linux kernel
    prior to mainline 5.3. An attacker could exploit this vulnerability by
    triggering AP to send IAPP location updates for stations before the
    required authentication process has completed. This could lead to different
    denial-of-service scenarios, either by causing CAM table attacks, or by
    leading to traffic flapping if faking already existing clients in other
    nearby APs of the same wireless infrastructure. An attacker can forge
    Authentication and Association Request packets to trigger this
    vulnerability."

This fix is making its way into Xenial via upstream stable update 4.4.211.

Clean cherry pick into Disco. Picked its pre-requisite patch to make it a clean
cherry pick into Bionic which also allows it to have more parity with Xenial as
the pre-requisite patch was also a part of that upstream stable update.

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
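The cover letter above and the commit message of patch 2/2 below describe the timing problem in prose. As an added example that is not part of this thread or of the kernel tree, the following user-space C program models it: it reuses the Layer 2 Update frame layout and field values from the patch, and constructs a toy bridge forwarding table, a three-state station model (auth, assoc, authorized) and a client MAC address purely for illustration. None of those are mac80211 or bridge code, and the bridge port numbers and the MAC are invented.

```c
/*
 * Added example (not patch or kernel code): a user-space model of CVE-2019-5108.
 * It builds the Layer 2 Update frame with the patch's field values, hands it to
 * a toy bridge, and shows why sending it at association lets forged Auth/Assoc
 * Requests move an existing client's bridge entry while sending it only on
 * AUTHORIZED does not.  Bridge, station states and the MAC are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_ALEN 6
/* Same layout and values as struct iapp_layer2_update in the patch, wire order. */
struct l2_update {
	uint8_t da[ETH_ALEN];		/* broadcast */
	uint8_t sa[ETH_ALEN];		/* STA address the bridge re-learns */
	uint8_t len[2];			/* 802.3 length field, big-endian 6 */
	uint8_t dsap, ssap, control;
	uint8_t xid_info[3];
} __attribute__((packed));		/* 20 bytes on the wire */

/* Fill buf with the frame cfg80211_send_layer2_update() emits; return its length. */
static size_t build_l2_update(uint8_t *buf, const uint8_t *sta_addr)
{
	struct l2_update *m = (struct l2_update *)buf;

	memset(m->da, 0xff, ETH_ALEN);
	memcpy(m->sa, sta_addr, ETH_ALEN);
	m->len[0] = 0;
	m->len[1] = 6;
	m->dsap = 0x00;
	m->ssap = 0x01;			/* NULL LSAP, C/R bit set: response */
	m->control = 0xaf;		/* XID response, F=0: unsolicited */
	m->xid_info[0] = 0x81;		/* XID format identifier */
	m->xid_info[1] = 1;		/* Type 1 LLC */
	m->xid_info[2] = 0;		/* receive window size */
	return sizeof(*m);
}

/* Toy bridge: source MAC -> ingress port, learned from every frame received. */
struct fdb_entry { uint8_t mac[ETH_ALEN]; int port; };
struct bridge { struct fdb_entry e[8]; int n; };

static int fdb_find(const struct bridge *b, const uint8_t *mac)
{
	for (int i = 0; i < b->n; i++)
		if (!memcmp(b->e[i].mac, mac, ETH_ALEN))
			return i;
	return -1;
}

static void bridge_rx(struct bridge *b, const uint8_t *frame, size_t n, int port)
{
	int i = n < 2 * ETH_ALEN ? -1 : fdb_find(b, frame + ETH_ALEN);

	if (n >= 2 * ETH_ALEN && i < 0 && b->n < 8) {	/* learn a new source MAC */
		i = b->n++;
		memcpy(b->e[i].mac, frame + ETH_ALEN, ETH_ALEN);
	}
	if (i >= 0)
		b->e[i].port = port;	/* a known client is re-learned on the new port */
}

enum sta_state { STA_AUTH, STA_ASSOC, STA_AUTHORIZED };
/* AP model: pre-patch (send_on_authorized == 0) sends the update when the
 * station entry is added at association; patched (== 1) only on AUTHORIZED. */
static void ap_move_state(struct bridge *br, int ap_port, enum sta_state next,
			  const uint8_t *mac, int send_on_authorized)
{
	uint8_t frame[sizeof(struct l2_update)];

	if (next == (send_on_authorized ? STA_AUTHORIZED : STA_ASSOC))
		bridge_rx(br, frame, build_l2_update(frame, mac), ap_port);
}

/* Constructed scenario: the client is fully joined on AP1 (bridge port 1).  An
 * attacker forges Auth/Assoc Requests with the client's MAC to AP2 (port 2) but,
 * lacking the PSK, never completes the 4-way handshake.  Returns the client's port. */
static int client_port_after_forged_assoc(int send_on_authorized)
{
	static const uint8_t client[ETH_ALEN] = { 0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };
	struct bridge br = { 0 };
	int i;

	ap_move_state(&br, 1, STA_AUTH, client, send_on_authorized);
	ap_move_state(&br, 1, STA_ASSOC, client, send_on_authorized);
	ap_move_state(&br, 1, STA_AUTHORIZED, client, send_on_authorized);
	ap_move_state(&br, 2, STA_AUTH, client, send_on_authorized);	/* forged */
	ap_move_state(&br, 2, STA_ASSOC, client, send_on_authorized);	/* forged */

	i = fdb_find(&br, client);
	return i < 0 ? -1 : br.e[i].port;
}

int main(void)
{
	printf("client on bridge port %d before the fix, %d after\n",
	       client_port_after_forged_assoc(0), client_port_after_forged_assoc(1));
	return 0;
}
```

Save it under any name (for instance l2update.c), build with `cc -Wall l2update.c` and run it. With the pre-patch policy the forged association on AP2 moves the client's forwarding entry to port 2, which is the traffic flapping the CVE text describes; with the patched policy the attacker never reaches the authorized state, no frame is sent from AP2, and the client stays on port 1. The byte layout produced by build_l2_update() is also what a sniffer rule for unsolicited XID responses would match on.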

[Bionic][SRU][PATCH 1/2] cfg80211/mac80211: make ieee80211_send_layer2_update a public function

Connor Kuehl
From: Dedy Lansky <[hidden email]>

CVE-2019-5108

Make ieee80211_send_layer2_update() a common function so other drivers
can re-use it.

Signed-off-by: Dedy Lansky <[hidden email]>
Signed-off-by: Johannes Berg <[hidden email]>
(backported from commit 30ca1aa536211f5ac3de0173513a7a99a98a97f3)
[ Connor Kuehl: context adjustments ]
Signed-off-by: Connor Kuehl <[hidden email]>
---
 include/net/cfg80211.h | 11 ++++++++++
 net/mac80211/cfg.c     | 48 ++----------------------------------------
 net/wireless/util.c    | 45 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 58 insertions(+), 46 deletions(-)

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index c45fe070e39f..f205f3af2686 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -4466,6 +4466,17 @@ static inline const u8 *cfg80211_find_ext_ie(u8 ext_eid, const u8 *ies, int len)
 const u8 *cfg80211_find_vendor_ie(unsigned int oui, int oui_type,
   const u8 *ies, int len);
 
+/**
+ * cfg80211_send_layer2_update - send layer 2 update frame
+ *
+ * @dev: network device
+ * @addr: STA MAC address
+ *
+ * Wireless drivers can use this function to update forwarding tables in bridge
+ * devices upon STA association.
+ */
+void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr);
+
 /**
  * DOC: Regulatory enforcement infrastructure
  *
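Review bot: the kernel-doc added here ("update forwarding tables in bridge devices upon STA association") documents the timing that patch 2/2 of this series moves to authorization, so once both land the header describes the vulnerable behaviour; suggest "once a STA has been authorized" or wording that leaves the trigger to the caller. It would also help out-of-tree callers to state that the function injects the frame with netif_rx_ni() and therefore has to be called from process context.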
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 8168c667d91d..f236a990638f 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1089,50 +1089,6 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev)
  return 0;
 }
 
-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
-struct iapp_layer2_update {
- u8 da[ETH_ALEN]; /* broadcast */
- u8 sa[ETH_ALEN]; /* STA addr */
- __be16 len; /* 6 */
- u8 dsap; /* 0 */
- u8 ssap; /* 0 */
- u8 control;
- u8 xid_info[3];
-} __packed;
-
-static void ieee80211_send_layer2_update(struct sta_info *sta)
-{
- struct iapp_layer2_update *msg;
- struct sk_buff *skb;
-
- /* Send Level 2 Update Frame to update forwarding tables in layer 2
- * bridge devices */
-
- skb = dev_alloc_skb(sizeof(*msg));
- if (!skb)
- return;
- msg = skb_put(skb, sizeof(*msg));
-
- /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
- * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
-
- eth_broadcast_addr(msg->da);
- memcpy(msg->sa, sta->sta.addr, ETH_ALEN);
- msg->len = htons(6);
- msg->dsap = 0;
- msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */
- msg->control = 0xaf; /* XID response lsb.1111F101.
- * F=0 (no poll command; unsolicited frame) */
- msg->xid_info[0] = 0x81; /* XID format identifier */
- msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
- msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */
-
- skb->dev = sta->sdata->dev;
- skb->protocol = eth_type_trans(skb, sta->sdata->dev);
- memset(skb->cb, 0, sizeof(skb->cb));
- netif_rx_ni(skb);
-}
-
 static int sta_apply_auth_flags(struct ieee80211_local *local,
  struct sta_info *sta,
  u32 mask, u32 set)
@@ -1496,7 +1452,7 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
  }
 
  if (layer2_update)
- ieee80211_send_layer2_update(sta);
+ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
 
  rcu_read_unlock();
 
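Review bot: this call still runs right after sta_info_insert_rcu(), before the station has reached the authorized state, so with only this patch applied the Layer 2 Update is still sent for unauthenticated stations; it is a mechanical rename to line Bionic up with upstream and is not itself part of the CVE-2019-5108 fix, which is 2/2. Keeping it under the existing rcu_read_lock() is unchanged behaviour and is fine since cfg80211_send_layer2_update() allocates with dev_alloc_skb() and does not sleep.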
@@ -1598,7 +1554,7 @@ static int ieee80211_change_station(struct wiphy *wiphy,
  if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
  ieee80211_vif_inc_num_mcast(sta->sdata);
 
- ieee80211_send_layer2_update(sta);
+ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
  }
 
  err = sta_apply_parameters(local, sta, params);
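Review bot: the replacement call here sits outside the `if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))` two lines above it, so a VLAN rebind still broadcasts the MAC of a station that has not been authorized; 2/2 moves the call inside that condition. Nothing to change in this patch, but it is the reason the two patches should be applied together rather than 1/2 on its own.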
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 801b61ae1623..cd8a3e63fd73 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1814,6 +1814,51 @@ const unsigned char bridge_tunnel_header[] __aligned(2) =
  { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 };
 EXPORT_SYMBOL(bridge_tunnel_header);
 
+/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
+struct iapp_layer2_update {
+ u8 da[ETH_ALEN]; /* broadcast */
+ u8 sa[ETH_ALEN]; /* STA addr */
+ __be16 len; /* 6 */
+ u8 dsap; /* 0 */
+ u8 ssap; /* 0 */
+ u8 control;
+ u8 xid_info[3];
+} __packed;
+
+void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr)
+{
+ struct iapp_layer2_update *msg;
+ struct sk_buff *skb;
+
+ /* Send Level 2 Update Frame to update forwarding tables in layer 2
+ * bridge devices */
+
+ skb = dev_alloc_skb(sizeof(*msg));
+ if (!skb)
+ return;
+ msg = skb_put(skb, sizeof(*msg));
+
+ /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
+ * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
+
+ eth_broadcast_addr(msg->da);
+ ether_addr_copy(msg->sa, addr);
+ msg->len = htons(6);
+ msg->dsap = 0;
+ msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */
+ msg->control = 0xaf; /* XID response lsb.1111F101.
+ * F=0 (no poll command; unsolicited frame) */
+ msg->xid_info[0] = 0x81; /* XID format identifier */
+ msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
+ msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */
+
+ skb->dev = dev;
+ skb->protocol = eth_type_trans(skb, dev);
+ memset(skb->cb, 0, sizeof(skb->cb));
+ netif_rx_ni(skb);
+}
+EXPORT_SYMBOL(cfg80211_send_layer2_update);
+
 bool cfg80211_iftype_allowed(struct wiphy *wiphy, enum nl80211_iftype iftype,
      bool is_4addr, u8 check_swif)
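Review bot: the field comment `u8 ssap; /* 0 */` in the moved struct contradicts the assignment `msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */` below it (the same mismatch existed in the mac80211 copy being removed); since the struct is being relocated anyway, this is the place to fix the comment to `/* 1: NULL LSAP, response */`. A short comment above the definition that netif_rx_ni() requires process context would also be useful now that the symbol is exported for other drivers to pick up.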
 
--
2.20.1



[Bionic][SRU][PATCH 2/2] mac80211: Do not send Layer 2 Update frame before authorization

Connor Kuehl
In reply to this post by Connor Kuehl
From: Jouni Malinen <[hidden email]>

CVE-2019-5108

The Layer 2 Update frame is used to update bridges when a station roams
to another AP even if that STA does not transmit any frames after the
reassociation. This behavior was described in IEEE Std 802.11F-2003 as
something that would happen based on MLME-ASSOCIATE.indication, i.e.,
before completing 4-way handshake. However, this IEEE trial-use
recommended practice document was published before RSN (IEEE Std
802.11i-2004) and as such, did not consider RSN use cases. Furthermore,
IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been
maintained and should not be used anymore.

Sending out the Layer 2 Update frame immediately after association is
fine for open networks (and also when using SAE, FT protocol, or FILS
authentication when the station is actually authenticated by the time
association completes). However, it is not appropriate for cases where
RSN is used with PSK or EAP authentication since the station is actually
fully authenticated only once the 4-way handshake completes after
authentication and attackers might be able to use the unauthenticated
triggering of Layer 2 Update frame transmission to disrupt bridge
behavior.

Fix this by postponing transmission of the Layer 2 Update frame from
station entry addition to the point when the station entry is marked
authorized. Similarly, send out the VLAN binding update only if the STA
entry has already been authorized.

Signed-off-by: Jouni Malinen <[hidden email]>
Reviewed-by: Johannes Berg <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>
(cherry picked from commit 3e493173b7841259a08c5c8e5cbe90adb349da7e)
Signed-off-by: Connor Kuehl <[hidden email]>
---
 net/mac80211/cfg.c      | 14 ++++----------
 net/mac80211/sta_info.c |  4 ++++
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index f236a990638f..d437007b15bb 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1398,7 +1398,6 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
  struct sta_info *sta;
  struct ieee80211_sub_if_data *sdata;
  int err;
- int layer2_update;
 
  if (params->vlan) {
  sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
@@ -1442,18 +1441,12 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
     test_sta_flag(sta, WLAN_STA_ASSOC))
  rate_control_rate_init(sta);
 
- layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
- sdata->vif.type == NL80211_IFTYPE_AP;
-
  err = sta_info_insert_rcu(sta);
  if (err) {
  rcu_read_unlock();
  return err;
  }
 
- if (layer2_update)
- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
-
  rcu_read_unlock();
 
  return 0;
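Review bot: after this hunk ieee80211_add_station() sends no Layer 2 Update at all; the only remaining sender for the AP/AP_VLAN case is the new block in sta_info_move_state() in the sta_info.c hunk. That is what the commit message asks for, but it changes the ordering for a station that user space adds with the authorized flag already set (open BSS): its update is now triggered by the state transition applied while the parameters are set up earlier in this function, before the sta_info_insert_rcu() visible here. The frame only needs the netdev and the MAC, so this looks harmless, but it is worth exercising on an open network during SRU testing.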
@@ -1551,10 +1544,11 @@ static int ieee80211_change_station(struct wiphy *wiphy,
  sta->sdata = vlansdata;
  ieee80211_check_fast_xmit(sta);
 
- if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
+ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
  ieee80211_vif_inc_num_mcast(sta->sdata);
-
- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+ cfg80211_send_layer2_update(sta->sdata->dev,
+    sta->sta.addr);
+ }
  }
 
  err = sta_apply_parameters(local, sta, params);
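Review bot: moving the send inside the `if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))` block is right, and because sta->sdata is updated to vlansdata just above, a station rebound to a VLAN before it is authorized still gets exactly one update later, from sta_info_move_state() on the new sdata->dev. A one-line comment here saying that the announcement is deliberately deferred for unauthorized stations (CVE-2019-5108) would stop a future cleanup from hoisting it back out of the condition.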
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 844c024f1cbe..3bce168a2d21 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1899,6 +1899,10 @@ int sta_info_move_state(struct sta_info *sta,
  ieee80211_check_fast_xmit(sta);
  ieee80211_check_fast_rx(sta);
  }
+ if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
+    sta->sdata->vif.type == NL80211_IFTYPE_AP)
+ cfg80211_send_layer2_update(sta->sdata->dev,
+    sta->sta.addr);
  break;
  default:
  break;
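Review bot: the new `if` is placed after the closing brace of a block this hunk does not show, so it runs on every entry into the enclosing case rather than only on the branch that set the flag; that is only correct because sta_info_move_state() rejects transitions into AUTHORIZED from any state other than ASSOC before the switch is reached. Suggest a comment to that effect, naming the CVE, so a later change to the transition checks does not silently reintroduce the early send. Note also that the frame is issued only for NL80211_IFTYPE_AP and AP_VLAN, matching the layer2_update condition removed from ieee80211_add_station().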
--
2.20.1



[Disco][SRU][PATCH] mac80211: Do not send Layer 2 Update frame before authorization

Connor Kuehl
In reply to this post by Connor Kuehl
From: Jouni Malinen <[hidden email]>

CVE-2019-5108

The Layer 2 Update frame is used to update bridges when a station roams
to another AP even if that STA does not transmit any frames after the
reassociation. This behavior was described in IEEE Std 802.11F-2003 as
something that would happen based on MLME-ASSOCIATE.indication, i.e.,
before completing 4-way handshake. However, this IEEE trial-use
recommended practice document was published before RSN (IEEE Std
802.11i-2004) and as such, did not consider RSN use cases. Furthermore,
IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been
maintained and should not be used anymore.

Sending out the Layer 2 Update frame immediately after association is
fine for open networks (and also when using SAE, FT protocol, or FILS
authentication when the station is actually authenticated by the time
association completes). However, it is not appropriate for cases where
RSN is used with PSK or EAP authentication since the station is actually
fully authenticated only once the 4-way handshake completes after
authentication and attackers might be able to use the unauthenticated
triggering of Layer 2 Update frame transmission to disrupt bridge
behavior.

Fix this by postponing transmission of the Layer 2 Update frame from
station entry addition to the point when the station entry is marked
authorized. Similarly, send out the VLAN binding update only if the STA
entry has already been authorized.

Signed-off-by: Jouni Malinen <[hidden email]>
Reviewed-by: Johannes Berg <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>
(cherry picked from commit 3e493173b7841259a08c5c8e5cbe90adb349da7e)
Signed-off-by: Connor Kuehl <[hidden email]>
---
 net/mac80211/cfg.c      | 14 ++++----------
 net/mac80211/sta_info.c |  4 ++++
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 28027952769b..d1a71b3305b9 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1474,7 +1474,6 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
  struct sta_info *sta;
  struct ieee80211_sub_if_data *sdata;
  int err;
- int layer2_update;
 
  if (params->vlan) {
  sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
@@ -1518,18 +1517,12 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
     test_sta_flag(sta, WLAN_STA_ASSOC))
  rate_control_rate_init(sta);
 
- layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
- sdata->vif.type == NL80211_IFTYPE_AP;
-
  err = sta_info_insert_rcu(sta);
  if (err) {
  rcu_read_unlock();
  return err;
  }
 
- if (layer2_update)
- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
-
  rcu_read_unlock();
 
  return 0;
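Review bot: the `-` lines in this hunk already call cfg80211_send_layer2_update(), which confirms that the Disco tree carries the public-function prerequisite natively and explains why Disco gets a single patch while Bionic needs 1/2 first; apart from the blob indexes and the @@ offsets the hunk is identical to the Bionic version above, consistent with the cover letter's "clean cherry pick" claim.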
@@ -1627,10 +1620,11 @@ static int ieee80211_change_station(struct wiphy *wiphy,
  sta->sdata = vlansdata;
  ieee80211_check_fast_xmit(sta);
 
- if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
+ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
  ieee80211_vif_inc_num_mcast(sta->sdata);
-
- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+ cfg80211_send_layer2_update(sta->sdata->dev,
+    sta->sta.addr);
+ }
  }
 
  err = sta_apply_parameters(local, sta, params);
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 463abfbbcccf..9ed035720b5d 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1911,6 +1911,10 @@ int sta_info_move_state(struct sta_info *sta,
  ieee80211_check_fast_xmit(sta);
  ieee80211_check_fast_rx(sta);
  }
+ if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
+    sta->sdata->vif.type == NL80211_IFTYPE_AP)
+ cfg80211_send_layer2_update(sta->sdata->dev,
+    sta->sta.addr);
  break;
  default:
  break;
--
2.20.1



ACK: [B/D][SRU] Fix for CVE-2019-5108

Marcelo Henrique Cerri
In reply to this post by Connor Kuehl
Acked-by: Marcelo Henrique Cerri <[hidden email]>


ACK: [B/D][SRU] Fix for CVE-2019-5108

Tyler Hicks
In reply to this post by Connor Kuehl
On 2020-01-24 11:14:21, Connor Kuehl wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5108.html
>
> From the link above:
>
>     "An exploitable denial-of-service vulnerability exists in the Linux kernel
>     prior to mainline 5.3. An attacker could exploit this vulnerability by
>     triggering AP to send IAPP location updates for stations before the
>     required authentication process has completed. This could lead to different
>     denial-of-service scenarios, either by causing CAM table attacks, or by
>     leading to traffic flapping if faking already existing clients in other
>     nearby APs of the same wireless infrastructure. An attacker can forge
>     Authentication and Association Request packets to trigger this
>     vulnerability."
>
> This fix is making its way into Xenial via upstream stable update 4.4.211.
>
> Clean cherry pick into Disco. Picked its pre-requisite patch to make it a clean
> cherry pick into Bionic which also allows it to have more parity with Xenial as
> the pre-requisite patch was also a part of that upstream stable update.

Acked-by: Tyler Hicks <[hidden email]>

Thanks!

Tyler



APPLIED: [B/D][SRU] Fix for CVE-2019-5108

Khaled Elmously
In reply to this post by Connor Kuehl
On 2020-01-24 11:14:21 , Connor Kuehl wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5108.html
>
> From the link above:
>
>     "An exploitable denial-of-service vulnerability exists in the Linux kernel
>     prior to mainline 5.3. An attacker could exploit this vulnerability by
>     triggering AP to send IAPP location updates for stations before the
>     required authentication process has completed. This could lead to different
>     denial-of-service scenarios, either by causing CAM table attacks, or by
>     leading to traffic flapping if faking already existing clients in other
>     nearby APs of the same wireless infrastructure. An attacker can forge
>     Authentication and Association Request packets to trigger this
>     vulnerability."
>
> This fix is making its way into Xenial via upstream stable update 4.4.211.
>
> Clean cherry pick into Disco. Picked its pre-requisite patch to make it a clean
> cherry pick into Bionic which also allows it to have more parity with Xenial as
> the pre-requisite patch was also a part of that upstream stable update.
