Created attachment 225222
patch: git diff file

FreeBSD is vulnerable to CVE-2020-26144 of the "FragAttacks" findings. For background see Section 6.5 in https://papers.mathyvanhoef.com/usenix2021.pdf

This vulnerability can be reproduced using the FragAttack test tool at https://github.com/vanhoefm/fragattacks with the test case "eapol-amsdu-bad I,P" (the injected ping request should be rejected by the kernel).

The attached patch fixes this vulnerability. It was tested using a Belkin F5D8053 (run driver) in client mode.
And lastly this one is at https://reviews.freebsd.org/D30665 . For this one I did add "else eh = NULL" initializations; I am not sure why there were no warnings turned into errors.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ffc19cf52da5546973965f78cf32aa0f2c9657f8

commit ffc19cf52da5546973965f78cf32aa0f2c9657f8
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:56 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2021-09-30 14:54:04 +0000

    net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames

    No longer accept plaintext A-MSDU frames that start with an RFC1042 header
    with EtherType EAPOL. This is done by only accepting EAPOL packets that are
    included in non-aggregated 802.11 frames.

    Note that before this patch, FreeBSD also only accepted EAPOL frames that
    are sent in a non-aggregated 802.11 frame due to bugs in processing EAPOL
    packets inside A-MSDUs. In other words, compatibility with legitimate
    devices remains the same.

    This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment and
    Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper.

    Submitted by:	Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:	CVE-2020-26144
    PR:		256120
    MFC after:	7 days
    Differential Revision:	https://reviews.freebsd.org/D30665

 sys/net80211/ieee80211_adhoc.c  | 18 ++++++++++++------
 sys/net80211/ieee80211_hostap.c | 18 ++++++++++++------
 sys/net80211/ieee80211_sta.c    | 18 ++++++++++++------
 sys/net80211/ieee80211_wds.c    | 18 ++++++++++++------
 4 files changed, 48 insertions(+), 24 deletions(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=8b2ba742cc2c732bc4bc1d43f8256adce06657d0

commit 8b2ba742cc2c732bc4bc1d43f8256adce06657d0
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:56 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2021-11-19 00:01:25 +0000

    net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames

    No longer accept plaintext A-MSDU frames that start with an RFC1042 header
    with EtherType EAPOL. This is done by only accepting EAPOL packets that are
    included in non-aggregated 802.11 frames.

    Note that before this patch, FreeBSD also only accepted EAPOL frames that
    are sent in a non-aggregated 802.11 frame due to bugs in processing EAPOL
    packets inside A-MSDUs. In other words, compatibility with legitimate
    devices remains the same.

    This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment and
    Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper.

    Submitted by:	Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:	CVE-2020-26144
    PR:		256120

    (cherry picked from commit ffc19cf52da5546973965f78cf32aa0f2c9657f8)

 sys/net80211/ieee80211_adhoc.c  | 18 ++++++++++++------
 sys/net80211/ieee80211_hostap.c | 18 ++++++++++++------
 sys/net80211/ieee80211_sta.c    | 18 ++++++++++++------
 sys/net80211/ieee80211_wds.c    | 18 ++++++++++++------
 4 files changed, 48 insertions(+), 24 deletions(-)
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2d09e4366b67dd719ebae5390436868e5430d833

commit 2d09e4366b67dd719ebae5390436868e5430d833
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:56 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-02-15 15:03:09 +0000

    net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames

    No longer accept plaintext A-MSDU frames that start with an RFC1042 header
    with EtherType EAPOL. This is done by only accepting EAPOL packets that are
    included in non-aggregated 802.11 frames.

    Note that before this patch, FreeBSD also only accepted EAPOL frames that
    are sent in a non-aggregated 802.11 frame due to bugs in processing EAPOL
    packets inside A-MSDUs. In other words, compatibility with legitimate
    devices remains the same.

    This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment and
    Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper.

    Submitted by:	Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:	CVE-2020-26144
    PR:		256120

    (cherry picked from commit ffc19cf52da5546973965f78cf32aa0f2c9657f8)
    (cherry picked from commit 8b2ba742cc2c732bc4bc1d43f8256adce06657d0)

 sys/net80211/ieee80211_adhoc.c  | 18 ++++++++++++------
 sys/net80211/ieee80211_hostap.c | 18 ++++++++++++------
 sys/net80211/ieee80211_sta.c    | 18 ++++++++++++------
 sys/net80211/ieee80211_wds.c    | 18 ++++++++++++------
 4 files changed, 48 insertions(+), 24 deletions(-)
A commit in branch releng/13.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=cbfb77f1953bde3c4d23bf2278e2762053d80fe9

commit cbfb77f1953bde3c4d23bf2278e2762053d80fe9
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:56 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-03-15 17:45:19 +0000

    net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames

    No longer accept plaintext A-MSDU frames that start with an RFC1042 header
    with EtherType EAPOL. This is done by only accepting EAPOL packets that are
    included in non-aggregated 802.11 frames.

    Note that before this patch, FreeBSD also only accepted EAPOL frames that
    are sent in a non-aggregated 802.11 frame due to bugs in processing EAPOL
    packets inside A-MSDUs. In other words, compatibility with legitimate
    devices remains the same.

    This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment and
    Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper.

    Submitted by:	Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:	CVE-2020-26144
    PR:		256120

    (cherry picked from commit ffc19cf52da5546973965f78cf32aa0f2c9657f8)
    (cherry picked from commit 8b2ba742cc2c732bc4bc1d43f8256adce06657d0)

    Approved by:	so
    Security:	FreeBSD-SA-22:02.wifi

 sys/net80211/ieee80211_adhoc.c  | 18 ++++++++++++------
 sys/net80211/ieee80211_hostap.c | 18 ++++++++++++------
 sys/net80211/ieee80211_sta.c    | 18 ++++++++++++------
 sys/net80211/ieee80211_wds.c    | 18 ++++++++++++------
 4 files changed, 48 insertions(+), 24 deletions(-)
A commit in branch releng/12.3 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=1c136ac8a969a0c39962371a0b187845373015c1

commit 1c136ac8a969a0c39962371a0b187845373015c1
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:56 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-03-15 18:16:01 +0000

    net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames

    No longer accept plaintext A-MSDU frames that start with an RFC1042 header
    with EtherType EAPOL. This is done by only accepting EAPOL packets that are
    included in non-aggregated 802.11 frames.

    Note that before this patch, FreeBSD also only accepted EAPOL frames that
    are sent in a non-aggregated 802.11 frame due to bugs in processing EAPOL
    packets inside A-MSDUs. In other words, compatibility with legitimate
    devices remains the same.

    This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment and
    Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper.

    Submitted by:	Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:	CVE-2020-26144
    PR:		256120

    (cherry picked from commit ffc19cf52da5546973965f78cf32aa0f2c9657f8)
    (cherry picked from commit 8b2ba742cc2c732bc4bc1d43f8256adce06657d0)
    (cherry picked from commit 2d09e4366b67dd719ebae5390436868e5430d833)

    Approved by:	so
    Security:	FreeBSD-SA-22:02.wifi

 sys/net80211/ieee80211_adhoc.c  | 18 ++++++++++++------
 sys/net80211/ieee80211_hostap.c | 18 ++++++++++++------
 sys/net80211/ieee80211_sta.c    | 18 ++++++++++++------
 sys/net80211/ieee80211_wds.c    | 18 ++++++++++++------
 4 files changed, 48 insertions(+), 24 deletions(-)
A commit in branch releng/12.2 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=409819ae9998eed7ef852e4b392d76ab01416864

commit 409819ae9998eed7ef852e4b392d76ab01416864
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:56 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-03-15 17:40:55 +0000

    net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames

    No longer accept plaintext A-MSDU frames that start with an RFC1042 header
    with EtherType EAPOL. This is done by only accepting EAPOL packets that are
    included in non-aggregated 802.11 frames.

    Note that before this patch, FreeBSD also only accepted EAPOL frames that
    are sent in a non-aggregated 802.11 frame due to bugs in processing EAPOL
    packets inside A-MSDUs. In other words, compatibility with legitimate
    devices remains the same.

    This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment and
    Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper.

    Submitted by:	Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:	CVE-2020-26144
    PR:		256120

    (cherry picked from commit ffc19cf52da5546973965f78cf32aa0f2c9657f8)
    (cherry picked from commit 8b2ba742cc2c732bc4bc1d43f8256adce06657d0)
    (cherry picked from commit 2d09e4366b67dd719ebae5390436868e5430d833)

    Approved by:	so
    Security:	FreeBSD-SA-22:02.wifi

 sys/net80211/ieee80211_adhoc.c  | 18 ++++++++++++------
 sys/net80211/ieee80211_hostap.c | 18 ++++++++++++------
 sys/net80211/ieee80211_sta.c    | 18 ++++++++++++------
 sys/net80211/ieee80211_wds.c    | 18 ++++++++++++------
 4 files changed, 48 insertions(+), 24 deletions(-)
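The policy change described in the commit messages above (the main commit and its cherry-picks), as an added C model that is not net80211's own code: the pre-fix and post-fix shapes of the "accept unencrypted EAPOL" exception side by side, run over constructed frame bodies. `struct rx_frame`, `privacy_check_old`/`privacy_check_new` and the `drop_unenc` parameter (standing in for the vap's drop-unencrypted policy) are assumptions of this model; the two constant values match FreeBSD's headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHERTYPE_PAE       0x888e /* EAPOL EtherType, value as in net/ethernet.h */
#define IEEE80211_QOS_AMSDU 0x80   /* A-MSDU present bit, value as in ieee80211.h */
enum rx_verdict { RX_ACCEPT = 0, RX_DROP_UNENCRYPTED = 1 };
/* Model of a received frame after decryption (assumed struct, not net80211's). */
struct rx_frame {
	bool           decrypted; /* payload was protected; M_WEP would be set */
	bool           qos;       /* frame carries a QoS control field */
	uint8_t        qos_ctl;   /* low byte of that field */
	const uint8_t *body;      /* bytes following the 802.11 header */
	size_t         len;
};

/* EtherType of an RFC1042 (LLC/SNAP) encapsulated body, or -1 otherwise. */
static int rfc1042_ethertype(const uint8_t *p, size_t len)
{
	static const uint8_t snap[6] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
	if (len < 8 || memcmp(p, snap, sizeof(snap)) != 0)
		return -1;
	return (p[6] << 8) | p[7];
}

/* Pre-fix shape: the plaintext-EAPOL exception reads the leading body bytes even
 * for an A-MSDU, so one whose first bytes mimic RFC1042 + EAPOL gets through. */
enum rx_verdict privacy_check_old(const struct rx_frame *f, bool drop_unenc)
{
	if (f->decrypted || !drop_unenc)
		return RX_ACCEPT;
	return rfc1042_ethertype(f->body, f->len) == ETHERTYPE_PAE ?
	    RX_ACCEPT : RX_DROP_UNENCRYPTED;
}

/* Post-fix shape: an A-MSDU never qualifies for the exception (the commit's
 * "eh = NULL" for aggregated frames); plaintext EAPOL is accepted unaggregated only. */
enum rx_verdict privacy_check_new(const struct rx_frame *f, bool drop_unenc)
{
	if (f->decrypted || !drop_unenc)
		return RX_ACCEPT;
	if (f->qos && (f->qos_ctl & IEEE80211_QOS_AMSDU))
		return RX_DROP_UNENCRYPTED;
	return rfc1042_ethertype(f->body, f->len) == ETHERTYPE_PAE ?
	    RX_ACCEPT : RX_DROP_UNENCRYPTED;
}
/* Constructed sample bodies, not captured traffic: RFC1042 + EAPOL / + IPv4. */
const uint8_t eapol_body[] = { 0xaa,0xaa,0x03,0,0,0, 0x88,0x8e, 0x02,0x03,0x00,0x5f };
const uint8_t ipv4_body[]  = { 0xaa,0xaa,0x03,0,0,0, 0x08,0x00, 0x45,0x00,0x00,0x54 };
```

A plaintext frame with the A-MSDU bit set and an EAPOL-looking start is the "eapol-amsdu-bad" case from the report: the old check lets it through, the new one drops it, while a plaintext non-aggregated EAPOL frame passes both.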