From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Benjamin Lin <benjamin-jw.lin@mediatek.com>,
Shayne Chen <shayne.chen@mediatek.com>,
Felix Fietkau <nbd@nbd.name>, Sasha Levin <sashal@kernel.org>,
matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com,
lorenzo@kernel.org, chui-hao.chiu@mediatek.com,
Bo.Jiao@mediatek.com, StanleyYP.Wang@mediatek.com,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org
Subject: [PATCH AUTOSEL 6.6 07/62] wifi: mt76: mt7996: drop fragments with multicast or broadcast RA
Date: Tue, 3 Jun 2025 21:01:18 -0400 [thread overview]
Message-ID: <20250604010213.3462-7-sashal@kernel.org> (raw)
In-Reply-To: <20250604010213.3462-1-sashal@kernel.org>
From: Benjamin Lin <benjamin-jw.lin@mediatek.com>
[ Upstream commit 80fda1cd7b0a1edd0849dc71403a070d0922118d ]
IEEE 802.11 fragmentation can only be applied to unicast frames.
Therefore, drop fragments with multicast or broadcast RA. This patch
addresses vulnerabilities such as CVE-2020-26145.
Signed-off-by: Benjamin Lin <benjamin-jw.lin@mediatek.com>
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Link: https://patch.msgid.link/20250515032952.1653494-4-shayne.chen@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
## Analysis Complete **YES** This commit should be backported to stable
kernel trees. Here's my extensive analysis: ### Security Fix for Known
CVE The commit directly addresses **CVE-2020-26145**, a documented
security vulnerability related to improper handling of fragmented frames
with multicast/broadcast addresses. This is explicitly mentioned in the
commit message and code comments. ### Code Analysis The change adds a
critical security check in
`drivers/net/wireless/mediatek/mt76/mt7996/mac.c` in the
`mt7996_mac_fill_rx()` function: ```c /bin /bin.usr-is-merged /boot /dev
/etc /home /init /lib /lib.usr-is-merged /lib64 /lost+found /media /mnt
/opt /proc /root /run /sbin /sbin.usr-is-merged /snap /srv /sys /tmp
/usr /var IEEE 802.11 fragmentation can only be applied to unicast
frames. linux Hence, drop fragments with multicast/broadcast RA. linux
This check fixes vulnerabilities, like CVE-2020-26145. linux/ if
((ieee80211_has_morefrags(fc) || seq_ctrl & IEEE80211_SCTL_FRAG) &&
FIELD_GET(MT_RXD3_NORMAL_ADDR_TYPE, rxd3) != MT_RXD3_NORMAL_U2M) return
-EINVAL; ``` The logic checks: 1. **Fragment detection**:
`ieee80211_has_morefrags(fc)` detects if there are more fragments, and
`seq_ctrl & IEEE80211_SCTL_FRAG` checks the fragment number field 2.
**Address type filtering**: `FIELD_GET(MT_RXD3_NORMAL_ADDR_TYPE, rxd3)
!= MT_RXD3_NORMAL_U2M` ensures only unicast-to-multicast (U2M) frames
are allowed when fragmented ### Comparison with Similar Commits Looking
at the historical examples: **Similar Backported Commits (Status:
YES):** - ath10k commits dropping multicast fragments (both PCIe and
SDIO versions) for the same CVE-2020-26145 - mt7915 fragmentation
threshold dummy implementation **Pattern Match:** This commit follows
the exact same pattern as the successfully backported ath10k commits
that address CVE-2020-26145 by dropping fragmented frames with
multicast/broadcast destination addresses. ### Risk Assessment **Low
Risk:** - **Small, contained change**: Only 4 lines of code added -
**Early validation**: Check happens early in the RX path before frame
processing - **Conservative approach**: Drops potentially malicious
frames rather than processing them - **No architectural changes**:
Doesn't modify existing data structures or interfaces - **Clear error
path**: Returns `-EINVAL` which is a standard error handling pattern in
this codebase **High Security Benefit:** - Addresses a known CVE
affecting wireless security - Prevents potential exploitation through
malformed fragmented multicast frames - Aligns with IEEE 802.11 standard
(fragmentation only for unicast) ### Subsystem Stability The mt7996
driver is part of the MediaTek mt76 wireless driver family, and similar
security fixes have been successfully backported to other drivers in
this family without issues. ### Conclusion This is a textbook example of
a commit that should be backported: it's a small, low-risk security fix
for a documented CVE, follows established patterns from other successful
backports, and provides important protection against a wireless security
vulnerability.
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 73d46ec1181ae..c55b3e621bc0e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -650,6 +650,14 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, struct sk_buff *skb)
status->last_amsdu = amsdu_info == MT_RXD4_LAST_AMSDU_FRAME;
}
+ /* IEEE 802.11 fragmentation can only be applied to unicast frames.
+ * Hence, drop fragments with multicast/broadcast RA.
+ * This check fixes vulnerabilities, like CVE-2020-26145.
+ */
+ if ((ieee80211_has_morefrags(fc) || seq_ctrl & IEEE80211_SCTL_FRAG) &&
+ FIELD_GET(MT_RXD3_NORMAL_ADDR_TYPE, rxd3) != MT_RXD3_NORMAL_U2M)
+ return -EINVAL;
+
hdr_gap = (u8 *)rxd - skb->data + 2 * remove_pad;
if (hdr_trans && ieee80211_has_morefrags(fc)) {
if (mt7996_reverse_frag0_hdr_trans(skb, hdr_gap))
--
2.39.5
next prev parent reply other threads:[~2025-06-04 1:02 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-04 1:01 [PATCH AUTOSEL 6.6 01/62] net: macb: Check return value of dma_set_mask_and_coherent() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 02/62] net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 03/62] tipc: use kfree_sensitive() for aead cleanup Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 04/62] f2fs: use vmalloc instead of kvmalloc in .init_{,de}compress_ctx Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 05/62] bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 06/62] i2c: designware: Invoke runtime suspend on quick slave re-registration Sasha Levin
2025-06-04 1:01 ` Sasha Levin [this message]
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 08/62] emulex/benet: correct command version selection in be_cmd_get_stats() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 09/62] wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 10/62] wifi: mt76: mt7921: add 160 MHz AP for mt7922 device Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 11/62] sctp: Do not wake readers in __sctp_write_space() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 12/62] cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 13/62] i2c: tegra: check msg length in SMBUS block read Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 14/62] i2c: npcm: Add clock toggle recovery Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 15/62] net: dlink: add synchronization for stats update Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 16/62] wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 17/62] wifi: ath12k: fix a possible dead lock caused by ab->base_lock Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 18/62] wifi: ath11k: Fix QMI memory reuse logic Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 19/62] wifi: rtw89: leave idle mode when setting WEP encryption for AP mode Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 20/62] tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 21/62] tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 22/62] x86/sgx: Prevent attempts to reclaim poisoned pages Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 23/62] ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 24/62] openvswitch: Stricter validation for the userspace action Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 25/62] net: atlantic: generate software timestamp just before the doorbell Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 26/62] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 27/62] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 28/62] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 29/62] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 30/62] net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 31/62] net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 32/62] wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 33/62] wifi: mac80211: do not offer a mesh path if forwarding is disabled Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 34/62] bpftool: Fix cgroup command to only show cgroup bpf programs Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 35/62] clk: rockchip: rk3036: mark ddrphy as critical Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 36/62] libbpf: Add identical pointer detection to btf_dedup_is_equiv() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 37/62] scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 38/62] iommu/amd: Ensure GA log notifier callbacks finish running before module unload Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 39/62] wifi: iwlwifi: pcie: make sure to lock rxq->read Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 40/62] wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 41/62] wifi: mac80211: VLAN traffic in multicast path Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 42/62] wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 43/62] net: bridge: mcast: update multicast contex when vlan state is changed Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 44/62] net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 45/62] vxlan: Do not treat dst cache initialization errors as fatal Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 46/62] net: ethernet: ti: am65-cpsw: handle -EPROBE_DEFER Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 47/62] software node: Correct a OOB check in software_node_get_reference_args() Sasha Levin
2025-06-04 1:01 ` [PATCH AUTOSEL 6.6 48/62] pinctrl: mcp23s08: Reset all pins to input at probe Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 49/62] wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 50/62] scsi: lpfc: Use memcpy() for BIOS version Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 51/62] sock: Correct error checking condition for (assign|release)_proto_idx() Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 52/62] i40e: fix MMIO write access to an invalid page in i40e_clear_hw Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 53/62] ice: fix check for existing switch rule Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 54/62] usbnet: asix AX88772: leave the carrier control to phylink Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 55/62] f2fs: fix to set atomic write status more clear Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 56/62] bpf, sockmap: Fix data lost during EAGAIN retries Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 57/62] net: ethernet: cortina: Use TOE/TSO on all TCP Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 58/62] octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 59/62] wifi: ath11k: determine PM policy based on machine model Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 60/62] wifi: ath12k: fix link valid field initialization in the monitor Rx Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 61/62] wifi: ath12k: fix incorrect CE addresses Sasha Levin
2025-06-04 1:02 ` [PATCH AUTOSEL 6.6 62/62] wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250604010213.3462-7-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=Bo.Jiao@mediatek.com \
--cc=StanleyYP.Wang@mediatek.com \
--cc=angelogioacchino.delregno@collabora.com \
--cc=benjamin-jw.lin@mediatek.com \
--cc=chui-hao.chiu@mediatek.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=lorenzo@kernel.org \
--cc=matthias.bgg@gmail.com \
--cc=nbd@nbd.name \
--cc=patches@lists.linux.dev \
--cc=shayne.chen@mediatek.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox