[Bionic][PATCH 0/2] Fix for CVE-2019-0136


[Bionic][PATCH 0/2] Fix for CVE-2019-0136

Wen-chien Jesse Sung
BugLink: https://launchpad.net/bugs/1839105

== SRU Justification ==

* Impact:
A potential security vulnerability in Intel® PROSet/Wireless WiFi Software
may allow denial of service.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00232.html

* Fix:
588f7d39b359 mac80211: drop robust management frames from unknown TA
79c92ca42b5a mac80211: handle deauthentication/disassociation from TDLS peer

* Risk of Regression:
Low. These commits are already in 4.14.130 and 4.19.56 so will eventually
land in an SRU release or two. We just need them to be included in this cycle
for Bionic to meet project schedule.


Johannes Berg (1):
  mac80211: drop robust management frames from unknown TA

Yu Wang (1):
  mac80211: handle deauthentication/disassociation from TDLS peer

 net/mac80211/ieee80211_i.h |  3 +++
 net/mac80211/mlme.c        | 12 +++++++++++-
 net/mac80211/rx.c          |  2 ++
 net/mac80211/tdls.c        | 23 +++++++++++++++++++++++
 4 files changed, 39 insertions(+), 1 deletion(-)

--
2.20.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[Bionic][PATCH 1/2] mac80211: drop robust management frames from unknown TA

Wen-chien Jesse Sung
From: Johannes Berg <[hidden email]>

BugLink: https://launchpad.net/bugs/1839105

When receiving a robust management frame, drop it if we don't have
rx->sta since then we don't have a security association and thus
couldn't possibly validate the frame.

Cc: [hidden email]
Signed-off-by: Johannes Berg <[hidden email]>

CVE-2019-0136

(cherry picked from commit 588f7d39b3592a36fb7702ae3b8bdd9be4621e2f)
Signed-off-by: Wen-chien Jesse Sung <[hidden email]>
---
 net/mac80211/rx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 9e19ddbcb06e..ec34cab43642 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3586,6 +3586,8 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
  case NL80211_IFTYPE_STATION:
  if (!bssid && !sdata->u.mgd.use_4addr)
  return false;
+ if (ieee80211_is_robust_mgmt_frame(skb) && !rx->sta)
+ return false;
  if (multicast)
  return true;
  return ether_addr_equal(sdata->vif.addr, hdr->addr1);
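Review bot: The new `ieee80211_is_robust_mgmt_frame(skb) && !rx->sta` check sits before `if (multicast) return true;`, so robust multicast management frames from an unknown transmitter are dropped as well; a one-line comment carrying the rationale from the commit message (no rx->sta means no security association to validate the frame against) would help the next reader. Only the NL80211_IFTYPE_STATION case of ieee80211_accept_frame() is changed here, so the commit message should say whether the other interface types in this switch are intentionally left as they are.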
--
2.20.1



[Bionic][PATCH 2/2] mac80211: handle deauthentication/disassociation from TDLS peer

Wen-chien Jesse Sung
In reply to this post by Wen-chien Jesse Sung
From: Yu Wang <[hidden email]>

BugLink: https://launchpad.net/bugs/1839105

When receiving a deauthentication/disassociation frame from a TDLS
peer, a station should not disconnect the current AP, but only
disable the current TDLS link if it's enabled.

Without this change, a TDLS issue can be reproduced by following the
steps below:

1. STA-1 and STA-2 are connected to AP, bidirectional traffic is running
   between STA-1 and STA-2.
2. Set up TDLS link between STA-1 and STA-2, stay for a while, then
   tear down the TDLS link.
3. Repeat step #2 and monitor the connection between STA and AP.

During the test, one STA may send a deauthentication/disassociation
frame to another, after TDLS teardown, with reason code 6/7, which
means: Class 2/3 frame received from nonassociated STA.

On receiving this frame, the receiver STA will disconnect from the current
AP and then reconnect. This is not the expected behavior; the purpose of this
frame should be disabling the TDLS link, not the link with the AP.

Cc: [hidden email]
Signed-off-by: Yu Wang <[hidden email]>
Signed-off-by: Johannes Berg <[hidden email]>

CVE-2019-0136

(cherry picked from commit 79c92ca42b5a3e0ea172ea2ce8df8e125af237da)
Signed-off-by: Wen-chien Jesse Sung <[hidden email]>
---
 net/mac80211/ieee80211_i.h |  3 +++
 net/mac80211/mlme.c        | 12 +++++++++++-
 net/mac80211/tdls.c        | 23 +++++++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 61db1fb156ed..7c5fc2b24567 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -2153,6 +2153,9 @@ void ieee80211_tdls_cancel_channel_switch(struct wiphy *wiphy,
   const u8 *addr);
 void ieee80211_teardown_tdls_peers(struct ieee80211_sub_if_data *sdata);
 void ieee80211_tdls_chsw_work(struct work_struct *wk);
+void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
+      const u8 *peer, u16 reason);
+const char *ieee80211_get_reason_code_string(u16 reason_code);
 
 extern const struct ethtool_ops ieee80211_ethtool_ops;
 
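Review bot: `ieee80211_get_reason_code_string()` is declared here in the middle of the TDLS prototypes although it is defined in mlme.c; grouping it with the other mlme.c declarations, or adding a short comment that it is now shared with tdls.c, would keep the header easier to navigate. The `u16 reason` parameter of `ieee80211_tdls_handle_disconnect()` is the raw 802.11 reason code taken from the received frame; a comment saying so would be useful since the callee only logs it.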
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index d20a84b9d1a8..42a33b79fa2f 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2733,7 +2733,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
 #define case_WLAN(type) \
  case WLAN_REASON_##type: return #type
 
-static const char *ieee80211_get_reason_code_string(u16 reason_code)
+const char *ieee80211_get_reason_code_string(u16 reason_code)
 {
  switch (reason_code) {
  case_WLAN(UNSPECIFIED);
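Review bot: Dropping `static` exports `ieee80211_get_reason_code_string()` to the rest of mac80211 without a kernel-doc comment; a short one describing what it returns (the WLAN_REASON_* name produced by the `case_WLAN` macro just above, presumably with a fallback for unknown codes) would be in order now that tdls.c calls it for logging. The macro itself can stay local to mlme.c.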
@@ -2798,6 +2798,11 @@ static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
  if (len < 24 + 2)
  return;
 
+ if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
+ ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
+ return;
+ }
+
  if (ifmgd->associated &&
     ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid)) {
  const u8 *bssid = ifmgd->associated->bssid;
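Review bot: The early `return` in the `!ether_addr_equal(mgmt->bssid, mgmt->sa)` branch means a deauth whose SA differs from the BSSID can no longer reach the `ifmgd->associated` path below, which is the point of the fix, but `reason_code` is used in that branch while no assignment to it appears in this hunk's context (the disassoc hunk reads it with `le16_to_cpu()` first); please confirm it is initialised at declaration in ieee80211_rx_mgmt_deauth(). Also note that with this ordering a deauth from a known but non-TDLS SA is now consumed without any log line, so a debug message for that case would aid troubleshooting.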
@@ -2847,6 +2852,11 @@ static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
 
  reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
 
+ if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
+ ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
+ return;
+ }
+
  sdata_info(sdata, "disassociated from %pM (Reason: %u=%s)\n",
    mgmt->sa, reason_code,
    ieee80211_get_reason_code_string(reason_code));
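Review bot: This four-line block duplicates the one added to ieee80211_rx_mgmt_deauth(); a small static helper (say `ieee80211_mgmt_from_tdls_peer()`, returning true when the TDLS handler consumed the frame) would keep the two paths from drifting apart. Its placement after `reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);` is right, since the value is passed through to the teardown log.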
diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index 6e7aa65cf345..7a32b6820397 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -1988,3 +1988,26 @@ void ieee80211_tdls_chsw_work(struct work_struct *wk)
  }
  rtnl_unlock();
 }
+
+void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
+      const u8 *peer, u16 reason)
+{
+ struct ieee80211_sta *sta;
+
+ rcu_read_lock();
+ sta = ieee80211_find_sta(&sdata->vif, peer);
+ if (!sta || !sta->tdls) {
+ rcu_read_unlock();
+ return;
+ }
+ rcu_read_unlock();
+
+ tdls_dbg(sdata, "disconnected from TDLS peer %pM (Reason: %u=%s)\n",
+ peer, reason,
+ ieee80211_get_reason_code_string(reason));
+
+ ieee80211_tdls_oper_request(&sdata->vif, peer,
+    NL80211_TDLS_TEARDOWN,
+    WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE,
+    GFP_ATOMIC);
+}
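Review bot: `ieee80211_tdls_handle_disconnect()` only logs the received `reason` and always tears down with WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE; a comment explaining why the peer's reason code (6/7 in the commit message) is not propagated into the teardown would help. The RCU read section is correctly closed before `sta` stops being used and before ieee80211_tdls_oper_request() is called, but if the callers in mlme.c run in process context under the sdata lock, GFP_KERNEL may be acceptable instead of GFP_ATOMIC; worth confirming the calling context rather than assuming atomic.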
--
2.20.1


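As an added illustration (not part of either patch or of mac80211), the following stand-alone C model captures the receive policy the two commit messages describe: a robust management frame from a transmitter with no station entry is dropped, and a deauthentication/disassociation whose BSSID differs from its SA is treated as TDLS peer traffic that can only tear down an existing TDLS link, never the AP association. The station table, MAC addresses and frame bytes are constructed for the example; only deauth/disassoc are modelled, a subset of what ieee80211_is_robust_mgmt_frame() covers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum verdict { NOT_HANDLED, DROP_SHORT, DROP_UNKNOWN_TA, DISCONNECT_AP, TDLS_TEARDOWN, IGNORE_PEER };

/* Constructed addresses for a STA interface: its AP and one TDLS peer (not real devices). */
#define AP_BSSID  {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
#define TDLS_PEER {0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb}
struct sta { uint8_t addr[6]; bool tdls; };
static const uint8_t ap_bssid[6] = AP_BSSID;
static const uint8_t tdls_peer[6] = TDLS_PEER;
static const struct sta stas[] = { { AP_BSSID, false }, { TDLS_PEER, true } };

/* Stand-in for the sta_info lookup by transmitter address (rx->sta in mac80211). */
static const struct sta *find_sta(const uint8_t *addr)
{
    for (size_t i = 0; i < sizeof(stas) / sizeof(stas[0]); i++)
        if (memcmp(stas[i].addr, addr, 6) == 0)
            return &stas[i];
    return NULL;
}

/* Build a constructed deauth frame: FC, duration, DA (left zero), SA, BSSID, seq, reason (LE). */
size_t build_deauth(uint8_t *buf, const uint8_t *sa, const uint8_t *bssid, uint16_t reason)
{
    memset(buf, 0, 26);
    buf[0] = 0xc0;                 /* management type, deauthentication subtype */
    memcpy(buf + 10, sa, 6);       /* addr2: SA, the transmitter mac80211 looks up */
    memcpy(buf + 16, bssid, 6);    /* addr3: BSSID */
    buf[24] = reason & 0xff; buf[25] = reason >> 8;
    return 26;
}

/* Patched policy: unknown TA is dropped (patch 1); BSSID != SA goes to TDLS handling,
 * which tears down an existing TDLS link but never the AP association (patch 2). */
enum verdict handle_mgmt(const uint8_t *frame, size_t len, uint16_t *reason)
{
    if (len < 24 + 2) return DROP_SHORT;
    uint8_t subtype = frame[0] >> 4;   /* deauth 0xc / disassoc 0xa, both robust mgmt frames */
    if (((frame[0] >> 2) & 3) != 0 || (subtype != 0xa && subtype != 0xc)) return NOT_HANDLED;
    const struct sta *sta = find_sta(frame + 10);
    if (!sta) return DROP_UNKNOWN_TA;  /* no security association, cannot validate the frame */
    *reason = (uint16_t)(frame[24] | (frame[25] << 8));
    if (memcmp(frame + 16, frame + 10, 6) != 0)  /* not sent by the BSS itself */
        return sta->tdls ? TDLS_TEARDOWN : IGNORE_PEER;
    return memcmp(frame + 16, ap_bssid, 6) == 0 ? DISCONNECT_AP : IGNORE_PEER;
}
```

Feeding `build_deauth()` a frame with the TDLS peer as SA and the AP as BSSID yields TDLS_TEARDOWN, which is the case that disconnected the AP before patch 2; the same frame from an address without a station entry is dropped by the patch 1 rule.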

Re: [Bionic][PATCH 0/2] Fix for CVE-2019-0136

Tyler Hicks-2
In reply to this post by Wen-chien Jesse Sung
On 2019-08-06 18:06:31, Wen-chien Jesse Sung wrote:

> BugLink: https://launchpad.net/bugs/1839105
>
> == SRU Justification ==
>
> * Impact:
> A potential security vulnerability in Intel® PROSet/Wireless WiFi Software
> may allow denial of service.
> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00232.html
>
> * Fix:
> 588f7d39b359 mac80211: drop robust management frames from unknown TA
> 79c92ca42b5a mac80211: handle deauthentication/disassociation from TDLS peer

How were you able to determine that they are the fix for CVE-2019-0136?
I can't find any public info that correlates CVE-2019-0136 with the two
fixes you mentioned. I've left this CVE as untriaged in the Ubuntu CVE
Tracker and was about to reach out to Intel to get more info.

Tyler

>
> * Risk of Regression:
> Low. These commits are already in 4.14.130 and 4.19.56 so will eventually
> land in an SRU release or two. We just need them to be included in this cycle
> for Bionic to meet project schedule.
>
>
> Johannes Berg (1):
>   mac80211: drop robust management frames from unknown TA
>
> Yu Wang (1):
>   mac80211: handle deauthentication/disassociation from TDLS peer
>
>  net/mac80211/ieee80211_i.h |  3 +++
>  net/mac80211/mlme.c        | 12 +++++++++++-
>  net/mac80211/rx.c          |  2 ++
>  net/mac80211/tdls.c        | 23 +++++++++++++++++++++++
>  4 files changed, 39 insertions(+), 1 deletion(-)
>
> --
> 2.20.1
>
>


NACK: [Bionic][PATCH 0/2] Fix for CVE-2019-0136

Tyler Hicks-2
On 2019-08-06 10:48:47, Tyler Hicks wrote:

> On 2019-08-06 18:06:31, Wen-chien Jesse Sung wrote:
> > BugLink: https://launchpad.net/bugs/1839105
> >
> > == SRU Justification ==
> >
> > * Impact:
> > A potential security vulnerability in Intel® PROSet/Wireless WiFi Software
> > may allow denial of service.
> > https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00232.html
> >
> > * Fix:
> > 588f7d39b359 mac80211: drop robust management frames from unknown TA
> > 79c92ca42b5a mac80211: handle deauthentication/disassociation from TDLS peer
>
> How were you able to determine that they are the fix for CVE-2019-0136?
> I can't find any public info that correlates CVE-2019-0136 with the two
> fixes you mentioned. I've left this CVE as untriaged in the Ubuntu CVE
> Tracker and was about to reach out to Intel to get more info.

To update this list, I did reach out to Intel last week but have not
heard back from them yet.

In the meantime, the Bionic branch has received these two commits via
pulling in new upstream linux-stable releases. The Bionic commits are:

 3c8fe31b7686309a4b09eed5ba78d88ba85f89bf
 01d899052fcc05f90e45bd5fce2383abd69d017d

There's no longer a need to apply these patches to Bionic so I'm
NACK'ing them in order for the stable team to know that there's nothing
else needed here.

Tyler

>
> Tyler
>
> >
> > * Risk of Regression:
> > Low. These commits are already in 4.14.130 and 4.19.56 so will eventually
> > land in an SRU release or two. We just need them to be included in this cycle
> > for Bionic to meet project schedule.
> >
> >
> > Johannes Berg (1):
> >   mac80211: drop robust management frames from unknown TA
> >
> > Yu Wang (1):
> >   mac80211: handle deauthentication/disassociation from TDLS peer
> >
> >  net/mac80211/ieee80211_i.h |  3 +++
> >  net/mac80211/mlme.c        | 12 +++++++++++-
> >  net/mac80211/rx.c          |  2 ++
> >  net/mac80211/tdls.c        | 23 +++++++++++++++++++++++
> >  4 files changed, 39 insertions(+), 1 deletion(-)
> >
> > --
> > 2.20.1
> >
> >
