Created attachment 225220 [details] patch: git diff file FreeBSD accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments were not encrypted. This corresponds to CVE-2020-26147 of the "FragAttacks" research. For background see Section 6.3 in https://papers.mathyvanhoef.com/usenix2021.pdf This vulnerability can be reproduced using the FragAttack test tool at https://github.com/vanhoefm/fragattacks with the test case "ping I,P,E" and/or "ping I,P,E" (the transmitted ping request should be rejected by the kernel). The attached patches fixes this vulnerability. It was tested using a Belkin F5D8053 (run driver) in client mode. I'm not sure if I'm using the best way to track whether a fragment was encrypted, but it gets the job done with a low number of code changes. FYI: I've submitted a similar patch to NetBSD: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=56204
Thanks for all the work and submitting the patches. I have uploaded them to our review system (given they are public). This one is here: https://reviews.freebsd.org/D30663
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55 commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55 Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:41 +0000 Commit: Bjoern A. Zeeb <bz@FreeBSD.org> CommitDate: 2021-09-30 14:47:41 +0000 net80211: reject mixed plaintext/encrypted fragments ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments are not encrypted. Track whether the fragments are encrypted or not and only accept successive ones if they match the state of the first fragment. This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-26147 PR: 256118 Differential Revision: https://reviews.freebsd.org/D30663 sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 21 ++++++++++++++++++--- sys/net80211/ieee80211_input.h | 2 +- sys/net80211/ieee80211_mesh.c | 2 +- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 7 files changed, 24 insertions(+), 9 deletions(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=e13d483c5677d12b52f1c81537d54faa85ed43b9 commit e13d483c5677d12b52f1c81537d54faa85ed43b9 Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:41 +0000 Commit: Bjoern A. Zeeb <bz@FreeBSD.org> CommitDate: 2021-11-19 00:01:24 +0000 net80211: reject mixed plaintext/encrypted fragments ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments are not encrypted. Track whether the fragments are encrypted or not and only accept successive ones if they match the state of the first fragment. This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-26147 PR: 256118 (cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55) sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 21 ++++++++++++++++++--- sys/net80211/ieee80211_input.h | 2 +- sys/net80211/ieee80211_mesh.c | 2 +- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 7 files changed, 24 insertions(+), 9 deletions(-)
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=00cd5a2f614ae2cf1daa30cde7f91de9cdde2393 commit 00cd5a2f614ae2cf1daa30cde7f91de9cdde2393 Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:41 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2022-02-15 15:03:09 +0000 net80211: reject mixed plaintext/encrypted fragments ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments are not encrypted. Track whether the fragments are encrypted or not and only accept successive ones if they match the state of the first fragment. This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-26147 PR: 256118 (cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55) (cherry picked from commit e13d483c5677d12b52f1c81537d54faa85ed43b9) sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 21 ++++++++++++++++++--- sys/net80211/ieee80211_input.h | 2 +- sys/net80211/ieee80211_mesh.c | 2 +- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 7 files changed, 24 insertions(+), 9 deletions(-)
A commit in branch releng/13.0 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=cf15ab553dd0dabd8718995aedbe90e3ff0bc7e1 commit cf15ab553dd0dabd8718995aedbe90e3ff0bc7e1 Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:41 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2022-03-15 17:43:54 +0000 net80211: reject mixed plaintext/encrypted fragments ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments are not encrypted. Track whether the fragments are encrypted or not and only accept successive ones if they match the state of the first fragment. This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-26147 PR: 256118 (cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55) (cherry picked from commit e13d483c5677d12b52f1c81537d54faa85ed43b9) Approved by: so Security: FreeBSD-SA-22:02.wifi sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 21 ++++++++++++++++++--- sys/net80211/ieee80211_input.h | 2 +- sys/net80211/ieee80211_mesh.c | 2 +- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 7 files changed, 24 insertions(+), 9 deletions(-)
A commit in branch releng/12.3 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=060c556da720145912ac79f67e91ef656f74a78b commit 060c556da720145912ac79f67e91ef656f74a78b Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:41 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2022-03-15 18:16:01 +0000 net80211: reject mixed plaintext/encrypted fragments ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments are not encrypted. Track whether the fragments are encrypted or not and only accept successive ones if they match the state of the first fragment. This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-26147 PR: 256118 (cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55) (cherry picked from commit e13d483c5677d12b52f1c81537d54faa85ed43b9) (cherry picked from commit 00cd5a2f614ae2cf1daa30cde7f91de9cdde2393) Approved by: so Security: FreeBSD-SA-22:02.wifi sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 21 ++++++++++++++++++--- sys/net80211/ieee80211_input.h | 2 +- sys/net80211/ieee80211_mesh.c | 2 +- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 7 files changed, 24 insertions(+), 9 deletions(-)
A commit in branch releng/12.2 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=a780210457fe7448c6f4cdd81578f377974b2925 commit a780210457fe7448c6f4cdd81578f377974b2925 Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:41 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2022-03-15 17:40:34 +0000 net80211: reject mixed plaintext/encrypted fragments ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments are not encrypted. Track whether the fragments are encrypted or not and only accept successive ones if they match the state of the first fragment. This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-26147 PR: 256118 (cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55) (cherry picked from commit e13d483c5677d12b52f1c81537d54faa85ed43b9) (cherry picked from commit 00cd5a2f614ae2cf1daa30cde7f91de9cdde2393) Approved by: so Security: FreeBSD-SA-22:02.wifi sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 21 ++++++++++++++++++--- sys/net80211/ieee80211_input.h | 2 +- sys/net80211/ieee80211_mesh.c | 2 +- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 7 files changed, 24 insertions(+), 9 deletions(-)