From patchwork Thu May 15 03:29:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Shayne Chen X-Patchwork-Id: 891011 Received: from mailgw01.mediatek.com (unknown [60.244.123.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 857242A1AA for ; Thu, 15 May 2025 03:32:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=60.244.123.138 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747279974; cv=none; b=dU3UHFp7GmWxd+DaOoBwQ3N9PC49jFDyw0Yk9yE6aPUUIX9BPyPv+Jm5GxlEX9AQ+y5YrAJxteVNXi0P39vCSiOI6mlLHE7/kfmA8h4rJTcYFshn30JQ1AthJ8/nJmNcqjSZkJPINRCroWLIXrxoi3YIltl5Gqxa9MGPb56oWG4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1747279974; c=relaxed/simple; bh=P2tGUMeIjk61ew4A+rbzD7xLIduHPD3J3XszJwQc3xY=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=DbmO4ZZa5mns5T+1pAdAHGUwV58VG+wn7RwyS2SiTQeLadjLIYKt73q8dPzBjpg6R/45tTkq0K28AiZl//tQnIZ9tk39eLouq3zZrOKpXzG0MhLMKLkHSjxElqWzsVsT9PFhgi/yjxbdF2AxL9Y2sIOo3JDU/dQ+x4Efxxl3COM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=mediatek.com; spf=pass smtp.mailfrom=mediatek.com; dkim=pass (1024-bit key) header.d=mediatek.com header.i=@mediatek.com header.b=J6O5um4N; arc=none smtp.client-ip=60.244.123.138 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=mediatek.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mediatek.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=mediatek.com header.i=@mediatek.com header.b="J6O5um4N" X-UUID: 418b90a6313d11f0813e4fe1310efc19-20250515 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:CC:To:From; bh=0EzT01P7tj5RwErqpG8puFP+57lEozMmRA9Y4cUJeBI=; b=J6O5um4Nnr0f170pgiFShdVfb6I0hBARxLZrGgnPer517hTk+lk00wNRQXw8TUQH0jhjI0c8f39Ut9ub/o6DMo8guLSVvL0UQA2D4TgLcZIOE5jMzwLWb3iHShKHkwiZ8BFGPAbcIpMPJV0DH9QFWd95+Eu/3F2HaQEMqjjhXvk=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.2.1, REQID:b9d7faa6-f86e-45ab-bf80-97de48f40d60, IP:0, UR L:0,TC:0,Content:0,EDM:0,RT:0,SF:0,FILE:0,BULK:0,RULE:Release_Ham,ACTION:r elease,TS:0 X-CID-META: VersionHash:0ef645f, CLOUDID:13acbe97-7410-4084-8094-24619d975b02, B ulkID:nil,BulkQuantity:0,Recheck:0,SF:81|82|102,TC:nil,Content:0|50,EDM:-3 ,IP:nil,URL:0,File:nil,RT:nil,Bulk:nil,QS:nil,BEC:nil,COL:0,OSI:0,OSA:0,AV :0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0,ARC:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR X-UUID: 418b90a6313d11f0813e4fe1310efc19-20250515 Received: from mtkmbs14n1.mediatek.inc [(172.21.101.75)] by mailgw01.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 414308603; Thu, 15 May 2025 11:32:41 +0800 Received: from mtkmbs11n2.mediatek.inc (172.21.101.187) by mtkmbs10n1.mediatek.inc (172.21.101.34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.39; Thu, 15 May 2025 11:32:39 +0800 Received: from mtksitap99.mediatek.inc (10.233.130.16) by mtkmbs11n2.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1258.39 via Frontend Transport; Thu, 15 May 2025 11:32:39 +0800 From: Shayne Chen To: Felix Fietkau CC: linux-wireless , Lorenzo Bianconi , Ryder Lee , Evelyn Tsai , linux-mediatek , Benjamin Lin , Shayne Chen Subject: [PATCH mt76-next 4/9] wifi: mt76: mt7996: drop fragments with multicast or broadcast RA Date: Thu, 15 May 2025 11:29:47 +0800 Message-ID: <20250515032952.1653494-4-shayne.chen@mediatek.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20250515032952.1653494-1-shayne.chen@mediatek.com> References: <20250515032952.1653494-1-shayne.chen@mediatek.com> Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-MTK: N From: Benjamin Lin IEEE 802.11 fragmentation can only be applied to unicast frames. Therefore, drop fragments with multicast or broadcast RA. This patch addresses vulnerabilities such as CVE-2020-26145. Signed-off-by: Benjamin Lin Signed-off-by: Shayne Chen --- drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c index 771c16e8d10c..0dbd4662bc84 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c @@ -647,6 +647,14 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, enum mt76_rxq_id q, status->last_amsdu = amsdu_info == MT_RXD4_LAST_AMSDU_FRAME; } + /* IEEE 802.11 fragmentation can only be applied to unicast frames. + * Hence, drop fragments with multicast/broadcast RA. + * This check fixes vulnerabilities, like CVE-2020-26145. + */ + if ((ieee80211_has_morefrags(fc) || seq_ctrl & IEEE80211_SCTL_FRAG) && + FIELD_GET(MT_RXD3_NORMAL_ADDR_TYPE, rxd3) != MT_RXD3_NORMAL_U2M) + return -EINVAL; + hdr_gap = (u8 *)rxd - skb->data + 2 * remove_pad; if (hdr_trans && ieee80211_has_morefrags(fc)) { if (mt7996_reverse_frag0_hdr_trans(skb, hdr_gap))