authoranthraxx2020-11-05 23:41:23 +0100
committeranthraxx2020-11-05 23:41:23 +0100
commitc9822e6ff00e7933f9be037fb5a0b31ef9ee7c0a (patch)
tree6b7c67ee3066b24a8a17b56e146e4a0f25b0b58c
parent4e39b4df483933157618bd051071f7bc9f858aef (diff)
downloadaur-c9822e6ff00e7933f9be037fb5a0b31ef9ee7c0a.tar.gz
mac80211: fix regression where EAPOL frames were sent in plaintext
-rw-r--r--.SRCINFO3
-rw-r--r--PKGBUILD3
-rw-r--r--mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch48
3 files changed, 52 insertions, 2 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 73ea987c2499..0defbc54f281 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = linux-hardened-git
pkgdesc = Security-Hardened Linux
- pkgver = 5.9.1.r951396.g6738ba9cd565
+ pkgver = 5.9.6.r952626.gf86102e71f88
pkgrel = 1
url = https://github.com/anthraxx/linux-hardened
arch = x86_64
@@ -18,6 +18,7 @@ pkgbase = linux-hardened-git
source = linux-hardened::git+https://github.com/anthraxx/linux-hardened#branch=5.9?signed
source = config
source = sphinx-workaround.patch
+ source = mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
validpgpkeys = 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
diff --git a/PKGBUILD b/PKGBUILD
index 5416da20b863..7ed7b0f445c2 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,7 +6,7 @@
pkgbase=linux-hardened-git
_srcname=${pkgbase/-git/}
_gitbranch=5.9
-pkgver=5.9.1.r951396.g6738ba9cd565
+pkgver=5.9.6.r952626.gf86102e71f88
pkgrel=1
pkgdesc='Security-Hardened Linux'
url='https://github.com/anthraxx/linux-hardened'
@@ -22,6 +22,7 @@ source=(
"${_srcname}::git+https://github.com/anthraxx/linux-hardened#branch=${_gitbranch}?signed"
config # the main kernel config files
sphinx-workaround.patch
+ mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
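Review bot: The new `mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch` entry in `source=(` comes with no checksum change; the diffstat counts three changed lines for PKGBUILD, which the pkgver bump and this one source line already use up. If a `sha256sums=(` array exists outside the hunk it needs a matching fourth entry, and if none exists, pinning the patch with a real digest such as `'<sha256-of-the-patch-file>'` (keeping `'SKIP'` for the git source) would make a modified kernel patch fail at build time instead of being applied silently. The same gap shows in the generated `.SRCINFO` hunk, where only the `source =` line is added. The hunk also does not show where the patch is applied, so it is worth confirming that `prepare()` picks up every `*.patch` listed in `source`.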
diff --git a/mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch b/mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch
new file mode 100644
index 000000000000..199ee80dc0f9
--- /dev/null
+++ b/mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch
@@ -0,0 +1,48 @@
+From d30a6f983b360a08f962f5b3199b733df2e02418 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
+Date: Sat, 17 Oct 2020 23:08:18 +0400
+Subject: mac80211: fix regression where EAPOL frames were sent in plaintext
+
+When sending EAPOL frames via NL80211 they are treated as injected
+frames in mac80211. Due to commit 1df2bdba528b ("mac80211: never drop
+injected frames even if normally not allowed") these injected frames
+were not assigned a sta context in the function ieee80211_tx_dequeue,
+causing certain wireless network cards to always send EAPOL frames in
+plaintext. This may cause compatibility issues with some clients or
+APs, which for instance can cause the group key handshake to fail and
+in turn would cause the station to get disconnected.
+
+This commit fixes this regression by assigning a sta context in
+ieee80211_tx_dequeue to injected frames as well.
+
+Note that sending EAPOL frames in plaintext is not a security issue
+since they contain their own encryption and authentication protection.
+
+Fixes: 1df2bdba528b ("mac80211: never drop injected frames even if normally not allowed")
+---
+ net/mac80211/tx.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 282b0bc201ee..aa486e202a57 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3613,13 +3613,14 @@ begin:
+ tx.skb = skb;
+ tx.sdata = vif_to_sdata(info->control.vif);
+
+- if (txq->sta && !(info->flags & IEEE80211_TX_CTL_INJECTED)) {
++ if (txq->sta) {
+ tx.sta = container_of(txq->sta, struct sta_info, sta);
+ /*
+ * Drop unicast frames to unauthorised stations unless they are
+- * EAPOL frames from the local station.
++ * injected frames or EAPOL frames from the local station.
+ */
+- if (unlikely(ieee80211_is_data(hdr->frame_control) &&
++ if (unlikely(!(info->flags & IEEE80211_TX_CTL_INJECTED) &&
++ ieee80211_is_data(hdr->frame_control) &&
+ !ieee80211_vif_is_mesh(&tx.sdata->vif) &&
+ tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
+ !is_multicast_ether_addr(hdr->addr1) &&
+--
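Review bot: The rewritten drop check starting at `if (unlikely(!(info->flags & IEEE80211_TX_CTL_INJECTED) &&` exempts every injected frame from the unauthorised-station drop, not only EAPOL, and the updated comment states the exemption without saying why it is acceptable. Going by the commit message, frames sent through NL80211 are treated as injected, so the exemption presumably relies on the flag being set only on privileged transmit paths. A comment such as `/* injected frames skip the authorisation drop; IEEE80211_TX_CTL_INJECTED is expected to be set only by privileged senders - confirm where it is assigned */` would record that assumption for the next reader. The condition continues past the last line of the hunk, and ieee80211_tx_dequeue starts and ends outside it, so the rest of the check cannot be reviewed from here.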