Date: Tuesday, November 10, 2020 @ 19:25:28 Author: anthraxx Revision: 400112
upgpkg: linux-hardened 5.9.7.a-1 Modified: linux-hardened/trunk/PKGBUILD linux-hardened/trunk/config Deleted: linux-hardened/trunk/mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch -------------------------------------------------------------------------+ PKGBUILD | 12 +- config | 4 mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch | 48 ---------- 3 files changed, 7 insertions(+), 57 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-11-10 19:11:04 UTC (rev 400111)
+++ PKGBUILD 2020-11-10 19:25:28 UTC (rev 400112)
@@ -4,7 +4,7 @@
 # Contributor: Thomas Baechler <tho...@archlinux.org>
 pkgbase=linux-hardened
-pkgver=5.9.6.a
+pkgver=5.9.7.a
 pkgrel=1
 pkgdesc='Security-Hardened Linux'
 url='https://github.com/anthraxx/linux-hardened'
@@ -21,7 +21,6 @@
 https://github.com/anthraxx/${pkgbase}/releases/download/${pkgver}/${pkgbase}-${pkgver}.patch{,.sig}
 config # the main kernel config file
 sphinx-workaround.patch
- mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch
 )
 validpgpkeys=(
 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -29,13 +28,12 @@
 '65EEFE022108E2B708CBFCF7F9E712E59AF5F22A' # Daniel Micay
 'E240B57E2C4630BA768E2F26FC1B547C8D8172C8' # Levente Polyak
 )
-sha256sums=('6cc182fe19a8f3958c24d453f4ab68eb73fb5cfb8af4c95b02f3db049e655370'
+sha256sums=('dea843ecac95c8780fba92005fec360e0491cb1aacc18097bcd9b169e91869b7'
 'SKIP'
- '7676a79e0a0f1f990e9b6637e456454f5d96436b3473bbaa93e27b70d79445c0'
+ '841ad13232835eb4aee9fea67630210c8d9eb6fa44c8f2b04a043a3f9ace64e9'
 'SKIP'
- '7ee9ebfa9ccd1391808a3d387be8a8db7e335f8b448ec41f9148d3665eac56d1'
- '8cb21e0b3411327b627a9dd15b8eb773295a0d2782b1a41b2a8839d1b2f5778c'
- 'ce35d788ec6bbcb04ddb826a946fb155f9a69b62e4518092bf0530f2d2d2b151')
+ '69060a0aeba96971b503905de7c71fd0f9718875693f3349df8fd7983fae9132'
+ '8cb21e0b3411327b627a9dd15b8eb773295a0d2782b1a41b2a8839d1b2f5778c')
 export KBUILD_BUILD_HOST=archlinux
 export KBUILD_BUILD_USER=$pkgbase
Modified: config
===================================================================
--- config 2020-11-10 19:11:04 UTC (rev 400111)
+++ config 2020-11-10 19:25:28 UTC (rev 400112)
@@ -1,11 +1,11 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.9.6 Kernel Configuration +# Linux/x86 5.9.7 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 10.2.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=100200 -CONFIG_LD_VERSION=235000000 +CONFIG_LD_VERSION=235010000 CONFIG_CLANG_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y
Deleted: mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch
===================================================================
--- mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch 2020-11-10 19:11:04 UTC (rev 400111)
+++ mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch 2020-11-10 19:25:28 UTC (rev 400112)
@@ -1,48 +0,0 @@
-From d30a6f983b360a08f962f5b3199b733df2e02418 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <mathy.vanh...@kuleuven.be>
-Date: Sat, 17 Oct 2020 23:08:18 +0400
-Subject: mac80211: fix regression where EAPOL frames were sent in plaintext
-
-When sending EAPOL frames via NL80211 they are treated as injected
-frames in mac80211. Due to commit 1df2bdba528b ("mac80211: never drop
-injected frames even if normally not allowed") these injected frames
-were not assigned a sta context in the function ieee80211_tx_dequeue,
-causing certain wireless network cards to always send EAPOL frames in
-plaintext. This may cause compatibility issues with some clients or
-APs, which for instance can cause the group key handshake to fail and
-in turn would cause the station to get disconnected.
-
-This commit fixes this regression by assigning a sta context in
-ieee80211_tx_dequeue to injected frames as well.
-
-Note that sending EAPOL frames in plaintext is not a security issue
-since they contain their own encryption and authentication protection.
-
-Fixes: 1df2bdba528b ("mac80211: never drop injected frames even if normally not allowed")
----
- net/mac80211/tx.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
-index 282b0bc201ee..aa486e202a57 100644
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -3613,13 +3613,14 @@ begin:
- tx.skb = skb;
- tx.sdata = vif_to_sdata(info->control.vif);
-
-- if (txq->sta && !(info->flags & IEEE80211_TX_CTL_INJECTED)) {
-+ if (txq->sta) {
- tx.sta = container_of(txq->sta, struct sta_info, sta);
- /*
- * Drop unicast frames to unauthorised stations unless they are
-- * EAPOL frames from the local station.
-+ * injected frames or EAPOL frames from the local station.
- */
-- if (unlikely(ieee80211_is_data(hdr->frame_control) &&
-+ if (unlikely(!(info->flags & IEEE80211_TX_CTL_INJECTED) &&
-+ ieee80211_is_data(hdr->frame_control) &&
- !ieee80211_vif_is_mesh(&tx.sdata->vif) &&
- tx.sdata->vif.type != NL80211_IFTYPE_OCB &&
- !is_multicast_ether_addr(hdr->addr1) &&
----