* CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-08-10 9:01 ` Pali Rohár 0 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-08-10 9:01 UTC (permalink / raw) To: ath10k, ath9k-devel, linux-wireless, Kalle Valo Hello! ESET engineers on their blog published some information about new security vulnerability CVE-2020-3702 in ath9k wifi cards: https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ According to Qualcomm security bulletin this CVE-2020-3702 affects also some Qualcomm IPQ chips which are handled by ath10k driver: https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 Kalle, could you or other people from Qualcomm provide updated and fixed version of ath9k and ath10k firmwares in linux-firmware git repository? According to Qualcomm security bulletin this issue has Critical security rating, so I think fixed firmware files should be updated also in stable releases of linux distributions. _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-08-10 9:01 ` Pali Rohár 0 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-08-10 9:01 UTC (permalink / raw) To: ath10k, ath9k-devel, linux-wireless, Kalle Valo Hello! ESET engineers on their blog published some information about new security vulnerability CVE-2020-3702 in ath9k wifi cards: https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ According to Qualcomm security bulletin this CVE-2020-3702 affects also some Qualcomm IPQ chips which are handled by ath10k driver: https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 Kalle, could you or other people from Qualcomm provide updated and fixed version of ath9k and ath10k firmwares in linux-firmware git repository? According to Qualcomm security bulletin this issue has Critical security rating, so I think fixed firmware files should be updated also in stable releases of linux distributions. ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-08-10 9:01 ` Pali Rohár @ 2020-08-12 8:36 ` Pali Rohár -1 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-08-12 8:36 UTC (permalink / raw) To: ath10k, ath9k-devel, linux-wireless, Kalle Valo On Monday 10 August 2020 11:01:26 Pali Rohár wrote: > Hello! > > ESET engineers on their blog published some information about new > security vulnerability CVE-2020-3702 in ath9k wifi cards: > https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ > > According to Qualcomm security bulletin this CVE-2020-3702 affects also > some Qualcomm IPQ chips which are handled by ath10k driver: > https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 > > Kalle, could you or other people from Qualcomm provide updated and fixed > version of ath9k and ath10k firmwares in linux-firmware git repository? > > According to Qualcomm security bulletin this issue has Critical security > rating, so I think fixed firmware files should be updated also in stable > releases of linux distributions. Hello! Qualcomm has already sent following statement to media: Qualcomm has already made mitigations available to OEMs in May 2020, and we encourage end users to update their devices as patches have become available from OEMs. And based on information from ESET blog post, Qualcomm's proprietary driver for these wifi cards is fixed since Qualcomm July release. Could somebody react and provide some details when fixes would be available for ath9k and ath10k Linux drivers? And what is current state of this issue for Linux? I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see there any change which could be related to CVE-2020-3702. Based on ESET tests, wifi cards which use ath9k driver (opensource, not that Qualcomm proprietary) are still vulnerable. [1] - https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/ath10k [2] - https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/log/drivers/net/wireless/ath/ath10k?h=master-pending [3] - https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/log/drivers/net/wireless/ath/ath9k?h=master-pending _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-08-12 8:36 ` Pali Rohár 0 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-08-12 8:36 UTC (permalink / raw) To: ath10k, ath9k-devel, linux-wireless, Kalle Valo On Monday 10 August 2020 11:01:26 Pali Rohár wrote: > Hello! > > ESET engineers on their blog published some information about new > security vulnerability CVE-2020-3702 in ath9k wifi cards: > https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ > > According to Qualcomm security bulletin this CVE-2020-3702 affects also > some Qualcomm IPQ chips which are handled by ath10k driver: > https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 > > Kalle, could you or other people from Qualcomm provide updated and fixed > version of ath9k and ath10k firmwares in linux-firmware git repository? > > According to Qualcomm security bulletin this issue has Critical security > rating, so I think fixed firmware files should be updated also in stable > releases of linux distributions. Hello! Qualcomm has already sent following statement to media: Qualcomm has already made mitigations available to OEMs in May 2020, and we encourage end users to update their devices as patches have become available from OEMs. And based on information from ESET blog post, Qualcomm's proprietary driver for these wifi cards is fixed since Qualcomm July release. Could somebody react and provide some details when fixes would be available for ath9k and ath10k Linux drivers? And what is current state of this issue for Linux? I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see there any change which could be related to CVE-2020-3702. Based on ESET tests, wifi cards which use ath9k driver (opensource, not that Qualcomm proprietary) are still vulnerable. [1] - https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/ath10k [2] - https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/log/drivers/net/wireless/ath/ath10k?h=master-pending [3] - https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/log/drivers/net/wireless/ath/ath9k?h=master-pending ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-08-12 8:36 ` Pali Rohár @ 2020-08-12 9:17 ` Toke Høiland-Jørgensen -1 siblings, 0 replies; 26+ messages in thread From: Toke Høiland-Jørgensen @ 2020-08-12 9:17 UTC (permalink / raw) To: Pali Rohár, ath10k, ath9k-devel, linux-wireless, Kalle Valo Pali Rohár <pali@kernel.org> writes: > On Monday 10 August 2020 11:01:26 Pali Rohár wrote: >> Hello! >> >> ESET engineers on their blog published some information about new >> security vulnerability CVE-2020-3702 in ath9k wifi cards: >> https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ >> >> According to Qualcomm security bulletin this CVE-2020-3702 affects also >> some Qualcomm IPQ chips which are handled by ath10k driver: >> https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 >> >> Kalle, could you or other people from Qualcomm provide updated and fixed >> version of ath9k and ath10k firmwares in linux-firmware git repository? >> >> According to Qualcomm security bulletin this issue has Critical security >> rating, so I think fixed firmware files should be updated also in stable >> releases of linux distributions. > > Hello! > > Qualcomm has already sent following statement to media: > > Qualcomm has already made mitigations available to OEMs in May 2020, > and we encourage end users to update their devices as patches have > become available from OEMs. > > And based on information from ESET blog post, Qualcomm's proprietary > driver for these wifi cards is fixed since Qualcomm July release. > > Could somebody react and provide some details when fixes would be > available for ath9k and ath10k Linux drivers? And what is current state > of this issue for Linux? > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > there any change which could be related to CVE-2020-3702. How about these, from March: a0761a301746 ("mac80211: drop data frames without key on encrypted links") ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") b16798f5b907 ("mac80211: mark station unauthorized before key removal") -Toke _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-08-12 9:17 ` Toke Høiland-Jørgensen 0 siblings, 0 replies; 26+ messages in thread From: Toke Høiland-Jørgensen @ 2020-08-12 9:17 UTC (permalink / raw) To: Pali Rohár, ath10k, ath9k-devel, linux-wireless, Kalle Valo Pali Rohár <pali@kernel.org> writes: > On Monday 10 August 2020 11:01:26 Pali Rohár wrote: >> Hello! >> >> ESET engineers on their blog published some information about new >> security vulnerability CVE-2020-3702 in ath9k wifi cards: >> https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ >> >> According to Qualcomm security bulletin this CVE-2020-3702 affects also >> some Qualcomm IPQ chips which are handled by ath10k driver: >> https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 >> >> Kalle, could you or other people from Qualcomm provide updated and fixed >> version of ath9k and ath10k firmwares in linux-firmware git repository? >> >> According to Qualcomm security bulletin this issue has Critical security >> rating, so I think fixed firmware files should be updated also in stable >> releases of linux distributions. > > Hello! > > Qualcomm has already sent following statement to media: > > Qualcomm has already made mitigations available to OEMs in May 2020, > and we encourage end users to update their devices as patches have > become available from OEMs. > > And based on information from ESET blog post, Qualcomm's proprietary > driver for these wifi cards is fixed since Qualcomm July release. > > Could somebody react and provide some details when fixes would be > available for ath9k and ath10k Linux drivers? And what is current state > of this issue for Linux? > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > there any change which could be related to CVE-2020-3702. How about these, from March: a0761a301746 ("mac80211: drop data frames without key on encrypted links") ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") b16798f5b907 ("mac80211: mark station unauthorized before key removal") -Toke ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-08-12 9:17 ` Toke Høiland-Jørgensen @ 2020-08-12 9:23 ` Jouni Malinen -1 siblings, 0 replies; 26+ messages in thread From: Jouni Malinen @ 2020-08-12 9:23 UTC (permalink / raw) To: Toke Høiland-Jørgensen Cc: Kalle Valo, linux-wireless, Pali Rohár, ath9k-devel, ath10k On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote: > Pali Rohár <pali@kernel.org> writes: > > Could somebody react and provide some details when fixes would be > > available for ath9k and ath10k Linux drivers? And what is current state > > of this issue for Linux? > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > there any change which could be related to CVE-2020-3702. > > How about these, from March: > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > b16798f5b907 ("mac80211: mark station unauthorized before key removal") Those cover most of the identified issues for drivers using mac80211 (e.g., ath9k and ath10k; though, I don't remember whether I actually ever managed to reproduce this with ath10k in practice). I have couple of additional ath9k-specific patches that cover additional lower layer paths for this. I hope to get those out after confirming they work with the current kernel tree snapshot. -- Jouni Malinen PGP id EFC895FA _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-08-12 9:23 ` Jouni Malinen 0 siblings, 0 replies; 26+ messages in thread From: Jouni Malinen @ 2020-08-12 9:23 UTC (permalink / raw) To: Toke Høiland-Jørgensen Cc: Pali Rohár, ath10k, ath9k-devel, linux-wireless, Kalle Valo On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote: > Pali Rohár <pali@kernel.org> writes: > > Could somebody react and provide some details when fixes would be > > available for ath9k and ath10k Linux drivers? And what is current state > > of this issue for Linux? > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > there any change which could be related to CVE-2020-3702. > > How about these, from March: > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > b16798f5b907 ("mac80211: mark station unauthorized before key removal") Those cover most of the identified issues for drivers using mac80211 (e.g., ath9k and ath10k; though, I don't remember whether I actually ever managed to reproduce this with ath10k in practice). I have couple of additional ath9k-specific patches that cover additional lower layer paths for this. I hope to get those out after confirming they work with the current kernel tree snapshot. -- Jouni Malinen PGP id EFC895FA ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-08-12 9:23 ` Jouni Malinen @ 2020-08-12 9:32 ` Michał Kazior -1 siblings, 0 replies; 26+ messages in thread From: Michał Kazior @ 2020-08-12 9:32 UTC (permalink / raw) To: Jouni Malinen Cc: Toke Høiland-Jørgensen, linux-wireless, ath9k-devel, ath10k, Pali Rohár, Kalle Valo On Wed, 12 Aug 2020 at 11:26, Jouni Malinen <j@w1.fi> wrote: > > On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote: > > Pali Rohár <pali@kernel.org> writes: > > > Could somebody react and provide some details when fixes would be > > > available for ath9k and ath10k Linux drivers? And what is current state > > > of this issue for Linux? > > > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > > there any change which could be related to CVE-2020-3702. > > > > How about these, from March: > > > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > > b16798f5b907 ("mac80211: mark station unauthorized before key removal") > > Those cover most of the identified issues for drivers using mac80211 > (e.g., ath9k and ath10k; though, I don't remember whether I actually > ever managed to reproduce this with ath10k in practice). I have couple > of additional ath9k-specific patches that cover additional lower layer > paths for this. I hope to get those out after confirming they work with > the current kernel tree snapshot. As far as I understand the problem can manifest on partial in-hw ampdu retransmits if a key was removed in between. Not exactly an easy thing to reproduce. The actual drivers (ath9k, ath10k) or their microcodes may need to be fixed as well since mac80211 can only do so much. Michal _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-08-12 9:32 ` Michał Kazior 0 siblings, 0 replies; 26+ messages in thread From: Michał Kazior @ 2020-08-12 9:32 UTC (permalink / raw) To: Jouni Malinen Cc: Toke Høiland-Jørgensen, Pali Rohár, ath10k, ath9k-devel, linux-wireless, Kalle Valo On Wed, 12 Aug 2020 at 11:26, Jouni Malinen <j@w1.fi> wrote: > > On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote: > > Pali Rohár <pali@kernel.org> writes: > > > Could somebody react and provide some details when fixes would be > > > available for ath9k and ath10k Linux drivers? And what is current state > > > of this issue for Linux? > > > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > > there any change which could be related to CVE-2020-3702. > > > > How about these, from March: > > > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > > b16798f5b907 ("mac80211: mark station unauthorized before key removal") > > Those cover most of the identified issues for drivers using mac80211 > (e.g., ath9k and ath10k; though, I don't remember whether I actually > ever managed to reproduce this with ath10k in practice). I have couple > of additional ath9k-specific patches that cover additional lower layer > paths for this. I hope to get those out after confirming they work with > the current kernel tree snapshot. As far as I understand the problem can manifest on partial in-hw ampdu retransmits if a key was removed in between. Not exactly an easy thing to reproduce. The actual drivers (ath9k, ath10k) or their microcodes may need to be fixed as well since mac80211 can only do so much. Michal ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-08-12 9:23 ` Jouni Malinen (?) (?) @ 2020-08-29 11:48 ` Baptiste Jonglez 2020-09-07 15:46 ` Kalle Valo -1 siblings, 1 reply; 26+ messages in thread From: Baptiste Jonglez @ 2020-08-29 11:48 UTC (permalink / raw) To: ath10k; +Cc: openwrt-devel [-- Attachment #1.1: Type: text/plain, Size: 1679 bytes --] Hi, Cross-posting to openwrt-devel because we are backporting the necessary fixes. On 12-08-20, Jouni Malinen wrote: > On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke H?iland-J?rgensen wrote: > > Pali Roh?r <pali at kernel.org> writes: > > > Could somebody react and provide some details when fixes would be > > > available for ath9k and ath10k Linux drivers? And what is current state > > > of this issue for Linux? > > > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > > there any change which could be related to CVE-2020-3702. > > > > How about these, from March: > > > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > > b16798f5b907 ("mac80211: mark station unauthorized before key removal") > > Those cover most of the identified issues for drivers using mac80211 > (e.g., ath9k and ath10k; though, I don't remember whether I actually > ever managed to reproduce this with ath10k in practice). I have couple > of additional ath9k-specific patches that cover additional lower layer > paths for this. I hope to get those out after confirming they work with > the current kernel tree snapshot. I could find linux-stable backports for ce2e1ca70307 and b16798f5b907, but not for a0761a301746. Is it intended? From the commit message, it looks like it does fix an important issue. Also, for the sake of completeness, this subsequent commit is also related to CVE-2020-3702 (and already backported): 5981fe5b0529 ("mac80211: fix misplaced while instead of if") Thanks, Baptiste [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] [-- Attachment #2: Type: text/plain, Size: 146 bytes --] _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-08-29 11:48 ` Baptiste Jonglez @ 2020-09-07 15:46 ` Kalle Valo 0 siblings, 0 replies; 26+ messages in thread From: Kalle Valo @ 2020-09-07 15:46 UTC (permalink / raw) To: Baptiste Jonglez; +Cc: openwrt-devel, ath10k Baptiste Jonglez <baptiste@bitsofnetworks.org> writes: > Hi, > > Cross-posting to openwrt-devel because we are backporting the necessary fixes. > > On 12-08-20, Jouni Malinen wrote: >> On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke H?iland-J?rgensen wrote: >> > Pali Roh?r <pali at kernel.org> writes: >> > > Could somebody react and provide some details when fixes would be >> > > available for ath9k and ath10k Linux drivers? And what is current state >> > > of this issue for Linux? >> > > >> > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see >> > > there any change which could be related to CVE-2020-3702. >> > >> > How about these, from March: >> > >> > a0761a301746 ("mac80211: drop data frames without key on encrypted links") >> > ce2e1ca70307 ("mac80211: Check port authorization in the >> > ieee80211_tx_dequeue() case") >> > b16798f5b907 ("mac80211: mark station unauthorized before key removal") >> >> Those cover most of the identified issues for drivers using mac80211 >> (e.g., ath9k and ath10k; though, I don't remember whether I actually >> ever managed to reproduce this with ath10k in practice). I have couple >> of additional ath9k-specific patches that cover additional lower layer >> paths for this. I hope to get those out after confirming they work with >> the current kernel tree snapshot. > > I could find linux-stable backports for ce2e1ca70307 and b16798f5b907, but > not for a0761a301746. Is it intended? From the commit message, it looks > like it does fix an important issue. > > Also, for the sake of completeness, this subsequent commit is also related > to CVE-2020-3702 (and already backported): > > 5981fe5b0529 ("mac80211: fix misplaced while instead of if") I think you should ask the stable to also take commit a0761a301746, most likely they just missed it by accident. -- https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-08-12 9:23 ` Jouni Malinen @ 2020-10-07 8:25 ` Pali Rohár -1 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-10-07 8:25 UTC (permalink / raw) To: Jouni Malinen Cc: Kalle Valo, Toke Høiland-Jørgensen, linux-wireless, ath9k-devel, ath10k On Wednesday 12 August 2020 12:23:34 Jouni Malinen wrote: > On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote: > > Pali Rohár <pali@kernel.org> writes: > > > Could somebody react and provide some details when fixes would be > > > available for ath9k and ath10k Linux drivers? And what is current state > > > of this issue for Linux? > > > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > > there any change which could be related to CVE-2020-3702. > > > > How about these, from March: > > > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > > b16798f5b907 ("mac80211: mark station unauthorized before key removal") > > Those cover most of the identified issues for drivers using mac80211 > (e.g., ath9k and ath10k; though, I don't remember whether I actually > ever managed to reproduce this with ath10k in practice). I have couple > of additional ath9k-specific patches that cover additional lower layer > paths for this. I hope to get those out after confirming they work with > the current kernel tree snapshot. Hello! Could you please share your ath9k patches which address this issue? _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-10-07 8:25 ` Pali Rohár 0 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-10-07 8:25 UTC (permalink / raw) To: Jouni Malinen Cc: Toke Høiland-Jørgensen, ath10k, ath9k-devel, linux-wireless, Kalle Valo On Wednesday 12 August 2020 12:23:34 Jouni Malinen wrote: > On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote: > > Pali Rohár <pali@kernel.org> writes: > > > Could somebody react and provide some details when fixes would be > > > available for ath9k and ath10k Linux drivers? And what is current state > > > of this issue for Linux? > > > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > > there any change which could be related to CVE-2020-3702. > > > > How about these, from March: > > > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > > b16798f5b907 ("mac80211: mark station unauthorized before key removal") > > Those cover most of the identified issues for drivers using mac80211 > (e.g., ath9k and ath10k; though, I don't remember whether I actually > ever managed to reproduce this with ath10k in practice). I have couple > of additional ath9k-specific patches that cover additional lower layer > paths for this. I hope to get those out after confirming they work with > the current kernel tree snapshot. Hello! Could you please share your ath9k patches which address this issue? ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-10-07 8:25 ` Pali Rohár @ 2020-12-07 14:04 ` Pali Rohár -1 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-12-07 14:04 UTC (permalink / raw) To: Jouni Malinen Cc: Kalle Valo, Toke Høiland-Jørgensen, linux-wireless, ath9k-devel, ath10k On Wednesday 07 October 2020 10:25:02 Pali Rohár wrote: > On Wednesday 12 August 2020 12:23:34 Jouni Malinen wrote: > > On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote: > > > Pali Rohár <pali@kernel.org> writes: > > > > Could somebody react and provide some details when fixes would be > > > > available for ath9k and ath10k Linux drivers? And what is current state > > > > of this issue for Linux? > > > > > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > > > there any change which could be related to CVE-2020-3702. > > > > > > How about these, from March: > > > > > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > > > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > > > b16798f5b907 ("mac80211: mark station unauthorized before key removal") > > > > Those cover most of the identified issues for drivers using mac80211 > > (e.g., ath9k and ath10k; though, I don't remember whether I actually > > ever managed to reproduce this with ath10k in practice). I have couple > > of additional ath9k-specific patches that cover additional lower layer > > paths for this. I hope to get those out after confirming they work with > > the current kernel tree snapshot. > > Hello! Could you please share your ath9k patches which address this issue? Hello! Has somebody fixes this security issue in ath9k driver? About 4 months passed and if this issue is not fixed, could you please share at least incomplete / WIP patches? I would like to look at it and have this issue finally fixed. _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-12-07 14:04 ` Pali Rohár 0 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-12-07 14:04 UTC (permalink / raw) To: Jouni Malinen Cc: Toke Høiland-Jørgensen, ath10k, ath9k-devel, linux-wireless, Kalle Valo On Wednesday 07 October 2020 10:25:02 Pali Rohár wrote: > On Wednesday 12 August 2020 12:23:34 Jouni Malinen wrote: > > On Wed, Aug 12, 2020 at 11:17:47AM +0200, Toke Høiland-Jørgensen wrote: > > > Pali Rohár <pali@kernel.org> writes: > > > > Could somebody react and provide some details when fixes would be > > > > available for ath9k and ath10k Linux drivers? And what is current state > > > > of this issue for Linux? > > > > > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > > > there any change which could be related to CVE-2020-3702. > > > > > > How about these, from March: > > > > > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > > > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > > > b16798f5b907 ("mac80211: mark station unauthorized before key removal") > > > > Those cover most of the identified issues for drivers using mac80211 > > (e.g., ath9k and ath10k; though, I don't remember whether I actually > > ever managed to reproduce this with ath10k in practice). I have couple > > of additional ath9k-specific patches that cover additional lower layer > > paths for this. I hope to get those out after confirming they work with > > the current kernel tree snapshot. > > Hello! Could you please share your ath9k patches which address this issue? Hello! Has somebody fixes this security issue in ath9k driver? About 4 months passed and if this issue is not fixed, could you please share at least incomplete / WIP patches? I would like to look at it and have this issue finally fixed. ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-12-07 14:04 ` Pali Rohár @ 2020-12-14 17:41 ` Jouni Malinen -1 siblings, 0 replies; 26+ messages in thread From: Jouni Malinen @ 2020-12-14 17:41 UTC (permalink / raw) To: Pali Rohár Cc: Kalle Valo, Toke Høiland-Jørgensen, linux-wireless, ath9k-devel, ath10k On Mon, Dec 07, 2020 at 03:04:38PM +0100, Pali Rohár wrote: > Hello! Has somebody fixes this security issue in ath9k driver? About > 4 months passed and if this issue is not fixed, could you please share > at least incomplete / WIP patches? I would like to look at it and have > this issue finally fixed. https://patchwork.kernel.org/project/linux-wireless/list/?series=401685 -- Jouni Malinen PGP id EFC895FA _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-12-14 17:41 ` Jouni Malinen 0 siblings, 0 replies; 26+ messages in thread From: Jouni Malinen @ 2020-12-14 17:41 UTC (permalink / raw) To: Pali Rohár Cc: Toke Høiland-Jørgensen, ath10k, ath9k-devel, linux-wireless, Kalle Valo On Mon, Dec 07, 2020 at 03:04:38PM +0100, Pali Rohár wrote: > Hello! Has somebody fixes this security issue in ath9k driver? About > 4 months passed and if this issue is not fixed, could you please share > at least incomplete / WIP patches? I would like to look at it and have > this issue finally fixed. https://patchwork.kernel.org/project/linux-wireless/list/?series=401685 -- Jouni Malinen PGP id EFC895FA ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-12-14 17:41 ` Jouni Malinen @ 2020-12-17 9:35 ` Pali Rohár -1 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-12-17 9:35 UTC (permalink / raw) To: Jouni Malinen Cc: Kalle Valo, Toke Høiland-Jørgensen, linux-wireless, ath9k-devel, ath10k On Monday 14 December 2020 19:41:49 Jouni Malinen wrote: > On Mon, Dec 07, 2020 at 03:04:38PM +0100, Pali Rohár wrote: > > Hello! Has somebody fixes this security issue in ath9k driver? About > > 4 months passed and if this issue is not fixed, could you please share > > at least incomplete / WIP patches? I would like to look at it and have > > this issue finally fixed. > > https://patchwork.kernel.org/project/linux-wireless/list/?series=401685 Thank you! I will look at it. _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-12-17 9:35 ` Pali Rohár 0 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-12-17 9:35 UTC (permalink / raw) To: Jouni Malinen Cc: Toke Høiland-Jørgensen, ath10k, ath9k-devel, linux-wireless, Kalle Valo On Monday 14 December 2020 19:41:49 Jouni Malinen wrote: > On Mon, Dec 07, 2020 at 03:04:38PM +0100, Pali Rohár wrote: > > Hello! Has somebody fixes this security issue in ath9k driver? About > > 4 months passed and if this issue is not fixed, could you please share > > at least incomplete / WIP patches? I would like to look at it and have > > this issue finally fixed. > > https://patchwork.kernel.org/project/linux-wireless/list/?series=401685 Thank you! I will look at it. ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-08-12 9:17 ` Toke Høiland-Jørgensen @ 2020-08-12 9:31 ` Pali Rohár -1 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-08-12 9:31 UTC (permalink / raw) To: Toke Høiland-Jørgensen Cc: Kalle Valo, linux-wireless, ath9k-devel, ath10k On Wednesday 12 August 2020 11:17:47 Toke Høiland-Jørgensen wrote: > Pali Rohár <pali@kernel.org> writes: > > > On Monday 10 August 2020 11:01:26 Pali Rohár wrote: > >> Hello! > >> > >> ESET engineers on their blog published some information about new > >> security vulnerability CVE-2020-3702 in ath9k wifi cards: > >> https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ > >> > >> According to Qualcomm security bulletin this CVE-2020-3702 affects also > >> some Qualcomm IPQ chips which are handled by ath10k driver: > >> https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 > >> > >> Kalle, could you or other people from Qualcomm provide updated and fixed > >> version of ath9k and ath10k firmwares in linux-firmware git repository? > >> > >> According to Qualcomm security bulletin this issue has Critical security > >> rating, so I think fixed firmware files should be updated also in stable > >> releases of linux distributions. > > > > Hello! > > > > Qualcomm has already sent following statement to media: > > > > Qualcomm has already made mitigations available to OEMs in May 2020, > > and we encourage end users to update their devices as patches have > > become available from OEMs. > > > > And based on information from ESET blog post, Qualcomm's proprietary > > driver for these wifi cards is fixed since Qualcomm July release. > > > > Could somebody react and provide some details when fixes would be > > available for ath9k and ath10k Linux drivers? And what is current state > > of this issue for Linux? > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > there any change which could be related to CVE-2020-3702. > > How about these, from March: > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > b16798f5b907 ("mac80211: mark station unauthorized before key removal") Thank you for update! I will look at these commits if they are relevant. Because ESET wrote that problem is in ath9k driver I have not looked at mac80211 layer code. > -Toke > _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-08-12 9:31 ` Pali Rohár 0 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-08-12 9:31 UTC (permalink / raw) To: Toke Høiland-Jørgensen Cc: ath10k, ath9k-devel, linux-wireless, Kalle Valo On Wednesday 12 August 2020 11:17:47 Toke Høiland-Jørgensen wrote: > Pali Rohár <pali@kernel.org> writes: > > > On Monday 10 August 2020 11:01:26 Pali Rohár wrote: > >> Hello! > >> > >> ESET engineers on their blog published some information about new > >> security vulnerability CVE-2020-3702 in ath9k wifi cards: > >> https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ > >> > >> According to Qualcomm security bulletin this CVE-2020-3702 affects also > >> some Qualcomm IPQ chips which are handled by ath10k driver: > >> https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 > >> > >> Kalle, could you or other people from Qualcomm provide updated and fixed > >> version of ath9k and ath10k firmwares in linux-firmware git repository? > >> > >> According to Qualcomm security bulletin this issue has Critical security > >> rating, so I think fixed firmware files should be updated also in stable > >> releases of linux distributions. > > > > Hello! > > > > Qualcomm has already sent following statement to media: > > > > Qualcomm has already made mitigations available to OEMs in May 2020, > > and we encourage end users to update their devices as patches have > > become available from OEMs. > > > > And based on information from ESET blog post, Qualcomm's proprietary > > driver for these wifi cards is fixed since Qualcomm July release. > > > > Could somebody react and provide some details when fixes would be > > available for ath9k and ath10k Linux drivers? And what is current state > > of this issue for Linux? > > > > I'm looking at ath9k and ath10k git trees [1] [2] [3] and I do not see > > there any change which could be related to CVE-2020-3702. > > How about these, from March: > > a0761a301746 ("mac80211: drop data frames without key on encrypted links") > ce2e1ca70307 ("mac80211: Check port authorization in the ieee80211_tx_dequeue() case") > b16798f5b907 ("mac80211: mark station unauthorized before key removal") Thank you for update! I will look at these commits if they are relevant. Because ESET wrote that problem is in ath9k driver I have not looked at mac80211 layer code. > -Toke > ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-08-10 9:01 ` Pali Rohár @ 2020-08-17 9:58 ` Kalle Valo -1 siblings, 0 replies; 26+ messages in thread From: Kalle Valo @ 2020-08-17 9:58 UTC (permalink / raw) To: Pali Rohár; +Cc: linux-wireless, ath9k-devel, ath10k Pali Rohár <pali@kernel.org> writes: > ESET engineers on their blog published some information about new > security vulnerability CVE-2020-3702 in ath9k wifi cards: > https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ > > According to Qualcomm security bulletin this CVE-2020-3702 affects also > some Qualcomm IPQ chips which are handled by ath10k driver: > https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 I can't find any refererences to ath10k, or hardware with ath10k chipsets, in the links above. Where did you see it? -- https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-08-17 9:58 ` Kalle Valo 0 siblings, 0 replies; 26+ messages in thread From: Kalle Valo @ 2020-08-17 9:58 UTC (permalink / raw) To: Pali Rohár; +Cc: ath10k, ath9k-devel, linux-wireless Pali Rohár <pali@kernel.org> writes: > ESET engineers on their blog published some information about new > security vulnerability CVE-2020-3702 in ath9k wifi cards: > https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ > > According to Qualcomm security bulletin this CVE-2020-3702 affects also > some Qualcomm IPQ chips which are handled by ath10k driver: > https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 I can't find any refererences to ath10k, or hardware with ath10k chipsets, in the links above. Where did you see it? -- https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips 2020-08-17 9:58 ` Kalle Valo @ 2020-08-17 10:36 ` Pali Rohár -1 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-08-17 10:36 UTC (permalink / raw) To: Kalle Valo; +Cc: linux-wireless, ath9k-devel, ath10k On Monday 17 August 2020 12:58:52 Kalle Valo wrote: > Pali Rohár <pali@kernel.org> writes: > > > ESET engineers on their blog published some information about new > > security vulnerability CVE-2020-3702 in ath9k wifi cards: > > https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ > > > > According to Qualcomm security bulletin this CVE-2020-3702 affects also > > some Qualcomm IPQ chips which are handled by ath10k driver: > > https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 > > I can't find any refererences to ath10k, or hardware with ath10k > chipsets, in the links above. Where did you see it? Now I'm looking at that security bulletin for CVE-2020-3702 and it contains different list of affected chipset as at time when I wrote previous email. Previously there were IPQ ath10k chipsets and no AR chipsets. Now there are lot of ath9k AR9xxx and none of IPQ. So meanwhile Qualcomm changed vulnerability list. _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: CVE-2020-3702: Firmware updates for ath9k and ath10k chips @ 2020-08-17 10:36 ` Pali Rohár 0 siblings, 0 replies; 26+ messages in thread From: Pali Rohár @ 2020-08-17 10:36 UTC (permalink / raw) To: Kalle Valo; +Cc: ath10k, ath9k-devel, linux-wireless On Monday 17 August 2020 12:58:52 Kalle Valo wrote: > Pali Rohár <pali@kernel.org> writes: > > > ESET engineers on their blog published some information about new > > security vulnerability CVE-2020-3702 in ath9k wifi cards: > > https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/ > > > > According to Qualcomm security bulletin this CVE-2020-3702 affects also > > some Qualcomm IPQ chips which are handled by ath10k driver: > > https://www.qualcomm.com/company/product-security/bulletins/august-2020-security-bulletin#_cve-2020-3702 > > I can't find any refererences to ath10k, or hardware with ath10k > chipsets, in the links above. Where did you see it? Now I'm looking at that security bulletin for CVE-2020-3702 and it contains different list of affected chipset as at time when I wrote previous email. Previously there were IPQ ath10k chipsets and no AR chipsets. Now there are lot of ath9k AR9xxx and none of IPQ. So meanwhile Qualcomm changed vulnerability list. ^ permalink raw reply [flat|nested] 26+ messages in thread
end of thread, other threads:[~2020-12-17 9:36 UTC | newest] Thread overview: 26+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-08-10 9:01 CVE-2020-3702: Firmware updates for ath9k and ath10k chips Pali Rohár 2020-08-10 9:01 ` Pali Rohár 2020-08-12 8:36 ` Pali Rohár 2020-08-12 8:36 ` Pali Rohár 2020-08-12 9:17 ` Toke Høiland-Jørgensen 2020-08-12 9:17 ` Toke Høiland-Jørgensen 2020-08-12 9:23 ` Jouni Malinen 2020-08-12 9:23 ` Jouni Malinen 2020-08-12 9:32 ` Michał Kazior 2020-08-12 9:32 ` Michał Kazior 2020-08-29 11:48 ` Baptiste Jonglez 2020-09-07 15:46 ` Kalle Valo 2020-10-07 8:25 ` Pali Rohár 2020-10-07 8:25 ` Pali Rohár 2020-12-07 14:04 ` Pali Rohár 2020-12-07 14:04 ` Pali Rohár 2020-12-14 17:41 ` Jouni Malinen 2020-12-14 17:41 ` Jouni Malinen 2020-12-17 9:35 ` Pali Rohár 2020-12-17 9:35 ` Pali Rohár 2020-08-12 9:31 ` Pali Rohár 2020-08-12 9:31 ` Pali Rohár 2020-08-17 9:58 ` Kalle Valo 2020-08-17 9:58 ` Kalle Valo 2020-08-17 10:36 ` Pali Rohár 2020-08-17 10:36 ` Pali Rohár
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.