linux-stable-4.9.y: please apply serious ath10k security

Kalle Valo kvalo at codeaurora.org
Tue Jan 9 06:58:51 PST 2018


Hi Linux stable team,

ath10k has a replay detection problem which was fixed in v4.14. I would
like to get the fix also to linux-stable-4.9.y but for that it depends
on a small mac80211 patch. So when cherry-picking the fixes please take
the mac80211 commit first:

cef0acd4d7d4 mac80211: Add RX flag to indicate ICV stripped
7eccb738fce5 ath10k: rebuild crypto header in rx data frames

I tested and in this order the commits apply just fine to linux-4.9.y.

The ath10k patch is largish but as this fixes a security issue I hope it
still can be applied to linux-stable. Please let me know if there are
any problems.

This is the commit log describing the problem:

--------------------------------------------------------------------------------
ath10k: rebuild crypto header in rx data frames

Rx data frames notified through HTT_T2H_MSG_TYPE_RX_IND and
HTT_T2H_MSG_TYPE_RX_FRAG_IND expect PN/TSC check to be done
on host (mac80211) rather than firmware. Rebuild cipher header
in every received data frame (that is notified through those
HTT interfaces) from the rx_hdr_status tlv available in the
rx descriptor of the first msdu. Skip setting RX_FLAG_IV_STRIPPED
flag for the packets which require mac80211 PN/TSC check support
and set appropriate RX_FLAG for stripped crypto tail. Hw QCA988X,
QCA9887, QCA99X0, QCA9984, QCA9888 and QCA4019 currently need the
rebuilding of cipher header to perform PN/TSC check for replay
attack.

Please note that removing crypto tail for CCMP-256, GCMP and GCMP-256 ciphers
in raw mode needs to be fixed. Since Rx with these ciphers in raw
mode does not work in the current form even without this patch and
removing crypto tail for these ciphers needs clean up, raw mode related
issues in CCMP-256, GCMP and GCMP-256 can be addressed in follow up
patches.

Tested-by: Manikanta Pubbisetty <mpubbise at qti.qualcomm.com>
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar at qti.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo at qca.qualcomm.com>
----------------------------------------------------------------------

-- 
Kalle Valo
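
The commit log above says the host must see a cipher header again so that the PN/TSC replay check can run. The following is an added example, not code from ath10k, mac80211 or this mail: it builds the standard 8-byte CCMP header from a 48-bit PN and key id, then applies a strictly-increasing PN check. All names are hypothetical, the PN values are constructed, and a single per-key counter is assumed for simplicity.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CCMP_HDR_LEN 8
#define CCMP_PN_LEN  6
#define CCMP_EXT_IV  0x20  /* ExtIV bit in the key-id octet, always set for CCMP */

/* Hypothetical receive state: last accepted PN, most significant byte first. */
struct rx_key_state { uint8_t last_pn[CCMP_PN_LEN]; };

/* Rebuild the CCMP header layout: PN0 PN1 rsvd keyid PN2 PN3 PN4 PN5. */
void ccmp_build_hdr(uint8_t hdr[CCMP_HDR_LEN], uint64_t pn, uint8_t key_id)
{
    hdr[0] = pn & 0xff;
    hdr[1] = (pn >> 8) & 0xff;
    hdr[2] = 0;
    hdr[3] = CCMP_EXT_IV | ((key_id & 0x3) << 6);
    hdr[4] = (pn >> 16) & 0xff;
    hdr[5] = (pn >> 24) & 0xff;
    hdr[6] = (pn >> 32) & 0xff;
    hdr[7] = (pn >> 40) & 0xff;
}

/* Accept a frame only if its PN is strictly greater than the last accepted one. */
bool ccmp_replay_ok(struct rx_key_state *st, const uint8_t hdr[CCMP_HDR_LEN])
{
    /* Reorder to PN5..PN0 so memcmp() compares numerically. */
    uint8_t pn[CCMP_PN_LEN] = { hdr[7], hdr[6], hdr[5], hdr[4], hdr[1], hdr[0] };

    if (!(hdr[3] & CCMP_EXT_IV))
        return false;                      /* not a valid CCMP header */
    if (memcmp(pn, st->last_pn, CCMP_PN_LEN) <= 0)
        return false;                      /* equal or older PN: replay */
    memcpy(st->last_pn, pn, CCMP_PN_LEN);
    return true;
}

/* Constructed PN sequence; bit i of the result is set if frame i was accepted. */
int demo_replay_sequence(void)
{
    const uint64_t pns[] = { 5, 6, 6, 4, 0x10000, 0xFFFF };
    struct rx_key_state st = { { 0 } };
    uint8_t hdr[CCMP_HDR_LEN];
    int accepted = 0;

    for (int i = 0; i < 6; i++) {
        ccmp_build_hdr(hdr, pns[i], 0);
        if (ccmp_replay_ok(&st, hdr))
            accepted |= 1 << i;
    }
    return accepted;
}
```

The last two frames cross the gap between PN1 and PN2 in the header, which is where a comparison on raw header bytes instead of the reordered PN would go wrong.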
