#4866 closed enhancement (fixed)


Reported by: Bruce Dubbs Owned by: lfs-book
Priority: high Milestone: 11.0
Component: Book Version: git
Severity: normal Keywords:


New point version.

Change History (3)

comment:1 by Bruce Dubbs, 14 months ago

Summary: linux-5.12.9 → linux-5.12.10

Now version 5.12.10.

comment:2 by Douglas R. Reno, 14 months ago

Priority: normal → high

Two CVE fixes in 5.12.10:


    Bluetooth: fix the erroneous flush_work() order
    commit 6a137caec23aeb9e036cdfd8a46dd8a366460e5d upstream.
    In the cleanup routine for failed initialization of HCI device,
    the flush_work(&hdev->rx_work) need to be finished before the
    flush_work(&hdev->cmd_work). Otherwise, the hci_rx_work() can
    possibly invoke new cmd_work and cause a bug, like double free,
    in later processing.
    This was assigned CVE-2021-3564.
    This patch reorders the flush_work() calls to fix this bug.


    xen-netback: take a reference to the RX task thread
    commit 107866a8eb0b664675a260f1ba0655010fac1e08 upstream.
    Do this in order to prevent the task from being freed if the thread
    returns (which can be triggered by the frontend) before the call to
    kthread_stop done as part of the backend tear down. Not taking the
    reference will lead to a use-after-free in that scenario. Such
    reference was taken before but dropped as part of the rework done in
    Reintroduce the reference taking and add a comment this time
    explaining why it's needed.
    This is XSA-374 / CVE-2021-28691.

Over in 5.12.9, things are much worse:


    ath11k: Clear the fragment cache during key install
    commit c3944a5621026c176001493d48ee66ff94e1a39a upstream.
    Currently the fragment cache setup during peer assoc is
    cleared only during peer delete. In case a key reinstallation
    happens with the same peer, the same fragment cache with old
    fragments added before key installation could be clubbed
    with fragments received after. This might be exploited
    to mix fragments of different data resulting in a proper
    unintended reassembled packet to be passed up the stack.
    Hence flush the fragment cache on every key installation to prevent
    potential attacks (CVE-2020-24587).


    ath10k: Fix TKIP Michael MIC verification for PCIe
    commit 0dc267b13f3a7e8424a898815dd357211b737330 upstream.
    TKIP Michael MIC was not verified properly for PCIe cases since the
    validation steps in ieee80211_rx_h_michael_mic_verify() in mac80211 did
    not get fully executed due to unexpected flag values in
    Fix this by setting the flags property to meet mac80211 expectations for
    performing Michael MIC validation there. This fixes CVE-2020-26141. It
    does the same as ath10k_htt_rx_proc_rx_ind_hl() for SDIO which passed
    MIC verification case. This applies only to QCA6174/QCA9377 PCIe.
    Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1


    ath10k: drop MPDU which has discard flag set by firmware for SDIO
    commit 079a108feba474b4b32bd3471db03e11f2f83b81 upstream.
    When the discard flag is set by the firmware for an MPDU, it should be
    dropped. This allows a mitigation for CVE-2020-24588 to be implemented
    in the firmware.
    Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049


    ath10k: drop fragments with multicast DA for SDIO
    commit 40e7462dad6f3d06efdb17d26539e61ab6e34db1 upstream.
    Fragmentation is not used with multicast frames. Discard unexpected
    fragments with multicast DA. This fixes CVE-2020-26145.
    Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049


    ath10k: drop fragments with multicast DA for PCIe
    commit 65c415a144ad8132b6a6d97d4a1919ffc728e2d1 upstream.
    Fragmentation is not used with multicast frames. Discard unexpected
    fragments with multicast DA. This fixes CVE-2020-26145.
    Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1

CVE-2020-24586 AND CVE-2020-24587

    mac80211: extend protection against mixed key and fragment cache attacks
    commit 3edc6b0d6c061a70d8ca3c3c72eb1f58ce29bfb1 upstream.
    For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is
    done by the hardware, and the Protected bit in the Frame Control field
    is cleared in the lower level driver before the frame is passed to
    mac80211. In such cases, the condition for ieee80211_has_protected() is
    not met in ieee80211_rx_h_defragment() of mac80211 and the new security
    validation steps are not executed.
    Extend mac80211 to cover the case where the Protected bit has been
    cleared, but the frame is indicated as having been decrypted by the
    hardware. This extends protection against mixed key and fragment cache
    attack for additional drivers/chips. This fixes CVE-2020-24586 and
    CVE-2020-24587 for such cases.
    Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1


    mac80211: drop A-MSDUs on old ciphers
    commit 270032a2a9c4535799736142e1e7c413ca7b836e upstream.
    With old ciphers (WEP and TKIP) we shouldn't be using A-MSDUs
    since A-MSDUs are only supported if we know that they are, and
    the only practical way for that is HT support which doesn't
    support old ciphers.
    However, we would normally accept them anyway. Since we check
    the MMIC before deaggregating A-MSDUs, and the A-MSDU bit in
    the QoS header is not protected in TKIP (or WEP), this enables
    attacks similar to CVE-2020-24588. To prevent that, drop A-MSDUs
    completely with old ciphers.

    cfg80211: mitigate A-MSDU aggregation attacks
    commit 2b8a1fee3488c602aca8bea004a087e60806a5cf upstream.
    Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
    destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
    header, and if so dropping the complete A-MSDU frame. This mitigates
    known attacks, although new (unknown) aggregation-based attacks may
    remain possible.
    This defense works because in A-MSDU aggregation injection attacks, a
    normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
    the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
    header. In other words, the destination MAC address of the first A-MSDU
    subframe contains the start of an RFC1042 header during an aggregation
    attack. We can detect this and thereby prevent this specific attack.
    For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
    Through Frame Aggregation and Fragmentation".
    Note that for kernel 4.9 and above this patch depends on "mac80211:
    properly handle A-MSDUs that start with a rfc1042 header". Otherwise
    this patch has no impact and attacks will remain possible.

A lot of the CVEs in 5.12.9 were WiFi related.
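As an added illustration of the two A-MSDU rules quoted in this comment (the mac80211 "drop A-MSDUs on old ciphers" change and the cfg80211 RFC1042 destination-address check), the following is example code written for this page, not the kernel's own implementation. It walks an A-MSDU body subframe by subframe and returns a verdict; the cipher enum, verdict enum and the two sample buffers are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* LLC/SNAP (RFC 1042) prefix; the kernel compares each subframe DA against it. */
static const uint8_t rfc1042_header[6] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };

enum cipher { CIPHER_WEP, CIPHER_TKIP, CIPHER_CCMP, CIPHER_GCMP }; /* assumed */
enum amsdu_verdict { AMSDU_ACCEPT, AMSDU_DROP_OLD_CIPHER,
                     AMSDU_DROP_RFC1042_DA, AMSDU_DROP_MALFORMED };

/* Walk an A-MSDU body (DA[6] SA[6] len[2] payload, all but the last subframe
 * padded to 4 bytes) and return a verdict instead of delivering the MSDUs. */
enum amsdu_verdict amsdu_rx_check(enum cipher c, const uint8_t *buf, size_t len)
{
    size_t off = 0;
    /* mac80211 rule: the A-MSDU flag is unauthenticated under WEP/TKIP, so
     * never deaggregate with those ciphers at all. */
    if (c == CIPHER_WEP || c == CIPHER_TKIP)
        return AMSDU_DROP_OLD_CIPHER;
    while (off + 14 <= len) {
        size_t plen = ((size_t)buf[off + 12] << 8) | buf[off + 13];
        size_t end = off + 14 + plen;
        /* cfg80211 rule: a normal frame re-flagged as A-MSDU carries its
         * LLC/SNAP header where a DA belongs; purge the whole A-MSDU. */
        if (memcmp(buf + off, rfc1042_header, sizeof rfc1042_header) == 0)
            return AMSDU_DROP_RFC1042_DA;
        if (end > len)
            return AMSDU_DROP_MALFORMED;
        if (end == len)                 /* last subframe, no padding */
            return AMSDU_ACCEPT;
        off = (end + 3) & ~(size_t)3;   /* skip padding to the next subframe */
    }
    return AMSDU_DROP_MALFORMED;        /* empty body or trailing bytes */
}

/* Constructed sample: two benign subframes, the first padded by one byte. */
static const uint8_t sample_benign[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x09,
    0xaa,0xaa,0x03,0x00,0x00,0x00,0x08,0x00,0x45, 0x00,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x08,
    0xaa,0xaa,0x03,0x00,0x00,0x00,0x08,0x06 };
/* Constructed sample: an ordinary LLC/SNAP + IPv4 body flagged as A-MSDU, so
 * its first six bytes land where the first subframe's DA is expected. */
static const uint8_t sample_reflagged[] = {
    0xaa,0xaa,0x03,0x00,0x00,0x00, 0x08,0x00, 0x45,0x00,0x00,0x1c, 0x00,0x02, 0x00,0x00 };
```

The benign buffer is accepted under CCMP but dropped outright under TKIP, and the re-flagged body is purged by the DA check before any subframe is delivered.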

comment:3 by Bruce Dubbs, 14 months ago

Resolution: fixed
Status: new → closed

Fixed at commit 7fe99c2ca7bd3c4ea21e4c17b3350dbec7f4a1b6

Package Updates.
    Update to iana-etc-20210611.
    Update to vim-8.2.3001.
    Update to util-linux-2.37.
    Update to meson-0.58.1.
    Update to linux-5.12.10.
    Update to m4-1.4.19.
    Update to grub-2.06.

Also moved man-db to be after systemd.
