[Xenial][SRU][CVE-2019-0136][PATCH 0/1] Fix for CVE-2019-0136


[Xenial][SRU][CVE-2019-0136][PATCH 0/1] Fix for CVE-2019-0136

Connor Kuehl
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0136.html

From the link above:

"Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software
driver before version 21.10 may allow an unauthenticated user to
potentially enable denial of service via adjacent access."

The CVE analysis above shows that Xenial and Disco both require these patches.
I have only sent the 2nd patch (and only for Xenial) because:

In Xenial, the first patch "mac80211: drop robust management frames from unknown TA"
was included in this PR (and it is fix released) that syncs with upstream stable:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1836668

In Disco, both patches are included in a pending upstream stable sync PR:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1840373

Minor backport required due to context adjustments.

Yu Wang (1):
  mac80211: handle deauthentication/disassociation from TDLS peer

 net/mac80211/ieee80211_i.h |  3 +++
 net/mac80211/mlme.c        | 12 +++++++++++-
 net/mac80211/tdls.c        | 23 +++++++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

--
2.20.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[Xenial][SRU][CVE-2019-0136][PATCH 1/1] mac80211: handle deauthentication/disassociation from TDLS peer

Connor Kuehl
From: Yu Wang <[hidden email]>

CVE-2019-0136

When receiving a deauthentication/disassociation frame from a TDLS
peer, a station should not disconnect the current AP, but only
disable the current TDLS link if it's enabled.

Without this change, a TDLS issue can be reproduced by following the
steps as below:

1. STA-1 and STA-2 are connected to AP, bidirectional traffic is running
   between STA-1 and STA-2.
2. Set up TDLS link between STA-1 and STA-2, stay for a while, then
   teardown TDLS link.
3. Repeat step #2 and monitor the connection between STA and AP.

During the test, one STA may send a deauthentication/disassociation
frame to another, after TDLS teardown, with reason code 6/7, which
means: Class 2/3 frame received from nonassociated STA.

On receiving this frame, the receiver STA will disconnect the current
AP and then reconnect. It's not an expected behavior; the purpose of this
frame should be disabling the TDLS link, not the link with AP.

Cc: [hidden email]
Signed-off-by: Yu Wang <[hidden email]>
Signed-off-by: Johannes Berg <[hidden email]>
(backported from commit 79c92ca42b5a3e0ea172ea2ce8df8e125af237da)
[ Connor Kuehl: the patch context differed slightly in the new addition
  to ieee80211_rx_mgmt_disassoc(). Mainline commit 68506e9af132
  "mac80211: Print text for disassociation reason" introduces some more
  information to the call to sdata_info() but Xenial does not contain that
  commit and it is not necessary to fix this CVE. So, that hunk was placed
  manually and the call to sdata_info() remains the same as it was before. ]
Signed-off-by: Connor Kuehl <[hidden email]>
---
 net/mac80211/ieee80211_i.h |  3 +++
 net/mac80211/mlme.c        | 12 +++++++++++-
 net/mac80211/tdls.c        | 23 +++++++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 7b271f3ded6b..72f76da88912 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -2059,6 +2059,9 @@ void ieee80211_tdls_cancel_channel_switch(struct wiphy *wiphy,
   const u8 *addr);
 void ieee80211_teardown_tdls_peers(struct ieee80211_sub_if_data *sdata);
 void ieee80211_tdls_chsw_work(struct work_struct *wk);
+void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
+      const u8 *peer, u16 reason);
+const char *ieee80211_get_reason_code_string(u16 reason_code);
 
 extern const struct ethtool_ops ieee80211_ethtool_ops;
 
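Review bot: the prototype for ieee80211_get_reason_code_string() is placed among the TDLS declarations while the function itself is defined in mlme.c (see the next hunk); a one-line comment, or putting it next to the other mlme.c prototypes, would make it obvious that the symbol is being made non-static only so tdls.c can use it for its debug message, which is easy to miss when reading the header alone.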
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 08384dbf426c..d9536226d12a 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2733,7 +2733,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
 #define case_WLAN(type) \
  case WLAN_REASON_##type: return #type
 
-static const char *ieee80211_get_reason_code_string(u16 reason_code)
+const char *ieee80211_get_reason_code_string(u16 reason_code)
 {
  switch (reason_code) {
  case_WLAN(UNSPECIFIED);
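Review bot: dropping `static` here is needed only because the new helper in tdls.c calls ieee80211_get_reason_code_string() in its tdls_dbg() line. That is fine, but it turns a file-local helper into part of the mac80211-internal API, and the commit message describes only the behavioural change; a sentence noting the export would help whoever next touches this function.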
@@ -2798,6 +2798,11 @@ static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
  if (len < 24 + 2)
  return;
 
+ if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
+ ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
+ return;
+ }
+
  if (ifmgd->associated &&
     ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid)) {
  const u8 *bssid = ifmgd->associated->bssid;
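Review bot: the new SA/BSSID check sits before the `ifmgd->associated` test, so it also runs when the interface is not associated; that is harmless because ieee80211_tdls_handle_disconnect() returns as soon as no TDLS station matches `mgmt->sa`. The early `return` does mean, however, that a deauthentication whose SA differs from the BSSID and that is not from a TDLS peer is now discarded with no log line at all. A debug message on that ignored path (mirroring the tdls_dbg() in the teardown path) would make unexpected-disconnect reports much easier to investigate.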
@@ -2847,6 +2852,11 @@ static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
 
  reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
 
+ if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
+ ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
+ return;
+ }
+
  sdata_info(sdata, "disassociated from %pM (Reason: %u)\n",
    mgmt->sa, reason_code);
 
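Review bot: this block is byte-for-byte the same as the one added to ieee80211_rx_mgmt_deauth(); consider factoring the two into a small static helper so the deauth and disassoc paths cannot drift apart, although keeping the backport 1:1 with the upstream commit is also a defensible choice for an SRU. The placement itself is right: it comes after `reason_code = le16_to_cpu(...)` so the TDLS path receives the real reason code, and before the "disassociated from" sdata_info() so a TDLS-peer disassociation is no longer reported as an AP disassociation, consistent with the backport note about leaving that sdata_info() call unchanged.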
diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index c9eeb3f12808..ce2ece424384 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -1963,3 +1963,26 @@ void ieee80211_tdls_chsw_work(struct work_struct *wk)
  }
  rtnl_unlock();
 }
+
+void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
+      const u8 *peer, u16 reason)
+{
+ struct ieee80211_sta *sta;
+
+ rcu_read_lock();
+ sta = ieee80211_find_sta(&sdata->vif, peer);
+ if (!sta || !sta->tdls) {
+ rcu_read_unlock();
+ return;
+ }
+ rcu_read_unlock();
+
+ tdls_dbg(sdata, "disconnected from TDLS peer %pM (Reason: %u=%s)\n",
+ peer, reason,
+ ieee80211_get_reason_code_string(reason));
+
+ ieee80211_tdls_oper_request(&sdata->vif, peer,
+    NL80211_TDLS_TEARDOWN,
+    WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE,
+    GFP_ATOMIC);
+}
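Review bot: the RCU section is correctly scoped: `sta` is dereferenced (`sta->tdls`) only between rcu_read_lock() and rcu_read_unlock() and is not used afterwards, while `peer` points into the received frame rather than into the station entry, so passing it to ieee80211_tdls_oper_request() after the unlock is safe; a short comment stating this would save the next reader the same check. Also note that the received `reason` is used only in the tdls_dbg() message, and the teardown is always requested with WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE; if that mirrors the upstream commit it is fine, but a one-line comment would pre-empt the question of why the peer's reason code is not propagated.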
--
2.20.1
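The dispatch rule the commit message describes (a deauthentication or disassociation whose source address is not the BSSID must only affect the TDLS link with that sender, never the association with the AP) is modelled below in userspace C as an added example; it is not part of the patch or of the mac80211 code base. The struct names, the linear station-table lookup standing in for ieee80211_find_sta(), the constructed MAC addresses and the three scenario cases are assumptions made for this illustration. `classify_before` models the pre-fix behaviour, in which any such frame carrying the AP's BSSID dropped the AP link, and `classify_after` models the checks the patch adds.

```c
/* Added example, not from the patch or from mac80211: a userspace model of how
 * a station dispatches a received deauthentication/disassociation frame before
 * and after the CVE-2019-0136 fix. All names below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

/* IEEE 802.11 reason codes: 6 and 7 are the ones the commit message reports
 * after a TDLS teardown; 1 is the generic "unspecified" code. */
#define WLAN_REASON_UNSPECIFIED                    1
#define WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA  6
#define WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA 7

struct model_sta {
    uint8_t addr[ETH_ALEN];
    bool tdls;               /* true if this entry is a TDLS peer, not the AP */
};

struct model_frame {
    uint8_t sa[ETH_ALEN];    /* source address of the management frame */
    uint8_t bssid[ETH_ALEN]; /* BSSID field of the management frame */
    uint16_t reason_code;
};

enum model_action {
    ACT_IGNORE,              /* not from the AP and not from a known TDLS peer */
    ACT_TDLS_TEARDOWN,       /* tear down only the TDLS link with the sender */
    ACT_AP_DISCONNECT,       /* drop the association with the AP */
};

static bool addr_equal(const uint8_t *a, const uint8_t *b)
{
    return memcmp(a, b, ETH_ALEN) == 0;
}

/* Linear station-table lookup, standing in for ieee80211_find_sta(). */
static const struct model_sta *find_sta(const struct model_sta *tbl, size_t n,
                                        const uint8_t *addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr_equal(tbl[i].addr, addr))
            return &tbl[i];
    return NULL;
}

/* Pre-fix behaviour: a frame whose BSSID matches the associated AP tears down
 * the AP link, regardless of which station actually sent it. */
enum model_action classify_before(const struct model_frame *f, const uint8_t *assoc_bssid)
{
    if (assoc_bssid && addr_equal(f->bssid, assoc_bssid))
        return ACT_AP_DISCONNECT;
    return ACT_IGNORE;
}

/* Post-fix behaviour, mirroring the patch: SA != BSSID means the frame did not
 * come from the AP, so consult the station table and tear down the TDLS link
 * only if the sender is a known TDLS peer; otherwise ignore the frame. */
enum model_action classify_after(const struct model_frame *f, const uint8_t *assoc_bssid,
                                 const struct model_sta *tbl, size_t n)
{
    if (!addr_equal(f->bssid, f->sa)) {
        const struct model_sta *sta = find_sta(tbl, n, f->sa);
        if (!sta || !sta->tdls)
            return ACT_IGNORE;
        return ACT_TDLS_TEARDOWN;
    }
    if (assoc_bssid && addr_equal(f->bssid, assoc_bssid))
        return ACT_AP_DISCONNECT;
    return ACT_IGNORE;
}

/* Constructed addresses (locally administered) for the commit-message scenario. */
static const uint8_t AP_ADDR[ETH_ALEN]   = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t STA2_ADDR[ETH_ALEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x22};

enum model_case {
    CASE_FROM_AP,           /* the AP deauthenticates us: SA == BSSID == AP */
    CASE_FROM_TDLS_PEER,    /* STA-2 sends reason 7 while still a TDLS peer */
    CASE_FROM_FORMER_PEER,  /* STA-2 sends reason 7 after the TDLS link is gone */
};

/* Build the station table and frame for one case and run either classifier. */
enum model_action run_case(enum model_case c, bool fixed)
{
    struct model_sta tbl[2];
    size_t n = 0;
    struct model_frame f;

    memcpy(tbl[n].addr, AP_ADDR, ETH_ALEN); tbl[n].tdls = false; n++;
    if (c == CASE_FROM_TDLS_PEER) {
        memcpy(tbl[n].addr, STA2_ADDR, ETH_ALEN); tbl[n].tdls = true; n++;
    }

    memcpy(f.bssid, AP_ADDR, ETH_ALEN);
    memcpy(f.sa, c == CASE_FROM_AP ? AP_ADDR : STA2_ADDR, ETH_ALEN);
    f.reason_code = (c == CASE_FROM_AP) ? WLAN_REASON_UNSPECIFIED
                                        : WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;

    return fixed ? classify_after(&f, AP_ADDR, tbl, n) : classify_before(&f, AP_ADDR);
}

int main(void)
{
    static const char *names[] = { "ignore", "tdls-teardown", "ap-disconnect" };
    static const char *cases[] = { "deauth from AP", "disassoc from TDLS peer",
                                   "disassoc from former TDLS peer" };
    for (int c = 0; c < 3; c++)
        printf("%-32s before: %-14s after: %s\n", cases[c],
               names[run_case(c, false)], names[run_case(c, true)]);
    return 0;
}
```

Running it shows the only case whose outcome changes is a frame from a (current or former) TDLS peer: a genuine deauthentication from the AP still disconnects, while a reason 6/7 frame from STA-2 now tears down at most the TDLS link, and is ignored altogether once the peer's station entry is gone, which is exactly what `!sta || !sta->tdls` in the patch's helper guards.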



ACK/Cmnt: [Xenial][SRU][CVE-2019-0136][PATCH 1/1] mac80211: handle deauthentication/disassociation from TDLS peer

Stefan Bader-2
On 20.08.19 17:19, Connor Kuehl wrote:

> From: Yu Wang <[hidden email]>
>
> CVE-2019-0136
>
> When receiving a deauthentication/disassociation frame from a TDLS
> peer, a station should not disconnect the current AP, but only
> disable the current TDLS link if it's enabled.
>
> Without this change, a TDLS issue can be reproduced by following the
> steps as below:
>
> 1. STA-1 and STA-2 are connected to AP, bidirectional traffic is running
>    between STA-1 and STA-2.
> 2. Set up TDLS link between STA-1 and STA-2, stay for a while, then
>    teardown TDLS link.
> 3. Repeat step #2 and monitor the connection between STA and AP.
>
> During the test, one STA may send a deauthentication/disassociation
> frame to another, after TDLS teardown, with reason code 6/7, which
> means: Class 2/3 frame received from nonassociated STA.
>
> On receiving this frame, the receiver STA will disconnect the current
> AP and then reconnect. It's not an expected behavior; the purpose of this
> frame should be disabling the TDLS link, not the link with AP.
>
> Cc: [hidden email]
> Signed-off-by: Yu Wang <[hidden email]>
> Signed-off-by: Johannes Berg <[hidden email]>
> (backported from commit 79c92ca42b5a3e0ea172ea2ce8df8e125af237da)
> [ Connor Kuehl: the patch context differed slightly in the new addition
>   to ieee80211_rx_mgmt_disassoc(). Mainline commit 68506e9af132
>   "mac80211: Print text for disassociation reason" introduces some more
>   information to the call to sdata_info() but Xenial does not contain that
>   commit and it is not necessary to fix this CVE. So, that hunk was placed
>   manually and the call to sdata_info() remains the same as it was before. ]
> Signed-off-by: Connor Kuehl <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>
> ---

tl;dr is minor context adjustment

>  net/mac80211/ieee80211_i.h |  3 +++
>  net/mac80211/mlme.c        | 12 +++++++++++-
>  net/mac80211/tdls.c        | 23 +++++++++++++++++++++++
>  3 files changed, 37 insertions(+), 1 deletion(-)
>
> diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
> index 7b271f3ded6b..72f76da88912 100644
> --- a/net/mac80211/ieee80211_i.h
> +++ b/net/mac80211/ieee80211_i.h
> @@ -2059,6 +2059,9 @@ void ieee80211_tdls_cancel_channel_switch(struct wiphy *wiphy,
>    const u8 *addr);
>  void ieee80211_teardown_tdls_peers(struct ieee80211_sub_if_data *sdata);
>  void ieee80211_tdls_chsw_work(struct work_struct *wk);
> +void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
> +      const u8 *peer, u16 reason);
> +const char *ieee80211_get_reason_code_string(u16 reason_code);
>  
>  extern const struct ethtool_ops ieee80211_ethtool_ops;
>  
> diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> index 08384dbf426c..d9536226d12a 100644
> --- a/net/mac80211/mlme.c
> +++ b/net/mac80211/mlme.c
> @@ -2733,7 +2733,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
>  #define case_WLAN(type) \
>   case WLAN_REASON_##type: return #type
>  
> -static const char *ieee80211_get_reason_code_string(u16 reason_code)
> +const char *ieee80211_get_reason_code_string(u16 reason_code)
>  {
>   switch (reason_code) {
>   case_WLAN(UNSPECIFIED);
> @@ -2798,6 +2798,11 @@ static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
>   if (len < 24 + 2)
>   return;
>  
> + if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
> + ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
> + return;
> + }
> +
>   if (ifmgd->associated &&
>      ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid)) {
>   const u8 *bssid = ifmgd->associated->bssid;
> @@ -2847,6 +2852,11 @@ static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
>  
>   reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
>  
> + if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
> + ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
> + return;
> + }
> +
>   sdata_info(sdata, "disassociated from %pM (Reason: %u)\n",
>     mgmt->sa, reason_code);
>  
> diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
> index c9eeb3f12808..ce2ece424384 100644
> --- a/net/mac80211/tdls.c
> +++ b/net/mac80211/tdls.c
> @@ -1963,3 +1963,26 @@ void ieee80211_tdls_chsw_work(struct work_struct *wk)
>   }
>   rtnl_unlock();
>  }
> +
> +void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
> +      const u8 *peer, u16 reason)
> +{
> + struct ieee80211_sta *sta;
> +
> + rcu_read_lock();
> + sta = ieee80211_find_sta(&sdata->vif, peer);
> + if (!sta || !sta->tdls) {
> + rcu_read_unlock();
> + return;
> + }
> + rcu_read_unlock();
> +
> + tdls_dbg(sdata, "disconnected from TDLS peer %pM (Reason: %u=%s)\n",
> + peer, reason,
> + ieee80211_get_reason_code_string(reason));
> +
> + ieee80211_tdls_oper_request(&sdata->vif, peer,
> +    NL80211_TDLS_TEARDOWN,
> +    WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE,
> +    GFP_ATOMIC);
> +}
>



ACK: [Xenial][SRU][CVE-2019-0136][PATCH 1/1] mac80211: handle deauthentication/disassociation from TDLS peer

Kleber Souza
In reply to this post by Connor Kuehl
On 8/20/19 5:19 PM, Connor Kuehl wrote:

> From: Yu Wang <[hidden email]>
>
> CVE-2019-0136
>
> When receiving a deauthentication/disassociation frame from a TDLS
> peer, a station should not disconnect the current AP, but only
> disable the current TDLS link if it's enabled.
>
> Without this change, a TDLS issue can be reproduced by following the
> steps as below:
>
> 1. STA-1 and STA-2 are connected to AP, bidirectional traffic is running
>    between STA-1 and STA-2.
> 2. Set up TDLS link between STA-1 and STA-2, stay for a while, then
>    teardown TDLS link.
> 3. Repeat step #2 and monitor the connection between STA and AP.
>
> During the test, one STA may send a deauthentication/disassociation
> frame to another, after TDLS teardown, with reason code 6/7, which
> means: Class 2/3 frame received from nonassociated STA.
>
> On receiving this frame, the receiver STA will disconnect the current
> AP and then reconnect. It's not an expected behavior; the purpose of this
> frame should be disabling the TDLS link, not the link with AP.
>
> Cc: [hidden email]
> Signed-off-by: Yu Wang <[hidden email]>
> Signed-off-by: Johannes Berg <[hidden email]>
> (backported from commit 79c92ca42b5a3e0ea172ea2ce8df8e125af237da)
> [ Connor Kuehl: the patch context differed slightly in the new addition
>   to ieee80211_rx_mgmt_disassoc(). Mainline commit 68506e9af132
>   "mac80211: Print text for disassociation reason" introduces some more
>   information to the call to sdata_info() but Xenial does not contain that
>   commit and it is not necessary to fix this CVE. So, that hunk was placed
>   manually and the call to sdata_info() remains the same as it was before. ]
> Signed-off-by: Connor Kuehl <[hidden email]>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  net/mac80211/ieee80211_i.h |  3 +++
>  net/mac80211/mlme.c        | 12 +++++++++++-
>  net/mac80211/tdls.c        | 23 +++++++++++++++++++++++
>  3 files changed, 37 insertions(+), 1 deletion(-)
>
> diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
> index 7b271f3ded6b..72f76da88912 100644
> --- a/net/mac80211/ieee80211_i.h
> +++ b/net/mac80211/ieee80211_i.h
> @@ -2059,6 +2059,9 @@ void ieee80211_tdls_cancel_channel_switch(struct wiphy *wiphy,
>    const u8 *addr);
>  void ieee80211_teardown_tdls_peers(struct ieee80211_sub_if_data *sdata);
>  void ieee80211_tdls_chsw_work(struct work_struct *wk);
> +void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
> +      const u8 *peer, u16 reason);
> +const char *ieee80211_get_reason_code_string(u16 reason_code);
>  
>  extern const struct ethtool_ops ieee80211_ethtool_ops;
>  
> diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> index 08384dbf426c..d9536226d12a 100644
> --- a/net/mac80211/mlme.c
> +++ b/net/mac80211/mlme.c
> @@ -2733,7 +2733,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
>  #define case_WLAN(type) \
>   case WLAN_REASON_##type: return #type
>  
> -static const char *ieee80211_get_reason_code_string(u16 reason_code)
> +const char *ieee80211_get_reason_code_string(u16 reason_code)
>  {
>   switch (reason_code) {
>   case_WLAN(UNSPECIFIED);
> @@ -2798,6 +2798,11 @@ static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
>   if (len < 24 + 2)
>   return;
>  
> + if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
> + ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
> + return;
> + }
> +
>   if (ifmgd->associated &&
>      ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid)) {
>   const u8 *bssid = ifmgd->associated->bssid;
> @@ -2847,6 +2852,11 @@ static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
>  
>   reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
>  
> + if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
> + ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
> + return;
> + }
> +
>   sdata_info(sdata, "disassociated from %pM (Reason: %u)\n",
>     mgmt->sa, reason_code);
>  
> diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
> index c9eeb3f12808..ce2ece424384 100644
> --- a/net/mac80211/tdls.c
> +++ b/net/mac80211/tdls.c
> @@ -1963,3 +1963,26 @@ void ieee80211_tdls_chsw_work(struct work_struct *wk)
>   }
>   rtnl_unlock();
>  }
> +
> +void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
> +      const u8 *peer, u16 reason)
> +{
> + struct ieee80211_sta *sta;
> +
> + rcu_read_lock();
> + sta = ieee80211_find_sta(&sdata->vif, peer);
> + if (!sta || !sta->tdls) {
> + rcu_read_unlock();
> + return;
> + }
> + rcu_read_unlock();
> +
> + tdls_dbg(sdata, "disconnected from TDLS peer %pM (Reason: %u=%s)\n",
> + peer, reason,
> + ieee80211_get_reason_code_string(reason));
> +
> + ieee80211_tdls_oper_request(&sdata->vif, peer,
> +    NL80211_TDLS_TEARDOWN,
> +    WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE,
> +    GFP_ATOMIC);
> +}
>



APPLIED: [Xenial][SRU][CVE-2019-0136][PATCH 0/1] Fix for CVE-2019-0136

Kleber Souza
In reply to this post by Connor Kuehl
On 8/20/19 5:19 PM, Connor Kuehl wrote:

> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-0136.html
>
> From the link above:
>
> "Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software
> driver before version 21.10 may allow an unauthenticated user to
> potentially enable denial of service via adjacent access."
>
> The CVE analysis above shows that Xenial and Disco both require these patches.
> I have only sent the 2nd patch (and only for Xenial) because:
>
> In Xenial, the first patch "mac80211: drop robust management frames from unknown TA"
> was included in this PR (and it is fix released) that syncs with upstream stable:
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1836668
>
> In Disco, both patches are included in a pending upstream stable sync PR:
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1840373
>
> Minor backport required due to context adjustments.
>
> Yu Wang (1):
>   mac80211: handle deauthentication/disassociation from TDLS peer
>
>  net/mac80211/ieee80211_i.h |  3 +++
>  net/mac80211/mlme.c        | 12 +++++++++++-
>  net/mac80211/tdls.c        | 23 +++++++++++++++++++++++
>  3 files changed, 37 insertions(+), 1 deletion(-)
>

Applied to xenial/master-next branch.

Thanks,
Kleber
