From patchwork Wed Jan 31 13:14:55 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?b?UmFmYcWCIE1pxYJlY2tp?= <rafal@milecki.pl>
X-Patchwork-Id: 10194045
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	4F11160383 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 31 Jan 2018 13:53:29 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2C75328643
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 31 Jan 2018 13:53:29 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 20DBA28649; Wed, 31 Jan 2018 13:53:29 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3AAE828643
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 31 Jan 2018 13:53:27 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751842AbeAaNxZ (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Wed, 31 Jan 2018 08:53:25 -0500
Received: from 2.mo68.mail-out.ovh.net ([46.105.52.162]:45194 "EHLO
	2.mo68.mail-out.ovh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751581AbeAaNxY (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Wed, 31 Jan 2018 08:53:24 -0500
X-Greylist: delayed 1818 seconds by postgrey-1.27 at vger.kernel.org;
	Wed, 31 Jan 2018 08:53:23 EST
Received: from player763.ha.ovh.net (b9.ovh.net [213.186.33.59])
	by mo68.mail-out.ovh.net (Postfix) with ESMTP id 44495BE90E
	for <linux-wireless@vger.kernel.org>;
	Wed, 31 Jan 2018 14:15:07 +0100 (CET)
Received: from RCM-ns3045101.ip-176-31-235.eu
	(ip-194-187-74-233.konfederacka.maverick.com.pl [194.187.74.233])
	(Authenticated sender: rafal@milecki.pl)
	by player763.ha.ovh.net (Postfix) with ESMTPSA id 2DE423C00AA;
	Wed, 31 Jan 2018 14:14:55 +0100 (CET)
Received: from ip-194-187-74-233.konfederacka.maverick.com.pl
	([194.187.74.233]) by mail.ovh.net
	with HTTP (HTTP/1.1 POST); Wed, 31 Jan 2018 14:14:55 +0100
MIME-Version: 1.0
Date: Wed, 31 Jan 2018 14:14:55 +0100
From: =?UTF-8?Q?Rafa=C5=82_Mi=C5=82ecki?= <rafal@milecki.pl>
To: Arend van Spriel <arend.vanspriel@broadcom.com>
Cc: =?UTF-8?Q?Rafa=C5=82_Mi=C5=82ecki?= <zajec5@gmail.com>,
	Kalle Valo <kvalo@codeaurora.org>, Franky Lin <franky.lin@broadcom.com>,
	Hante Meuleman <hante.meuleman@broadcom.com>,
	Chi-Hsien Lin <chi-hsien.lin@cypress.com>,
	Wright Feng <wright.feng@cypress.com>,
	Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>,
	linux-wireless@vger.kernel.org,
	brcm80211-dev-list.pdl@broadcom.com, brcm80211-dev-list@cypress.com
Subject: Re: [PATCH] brcmfmac: detect & reject faked packet generated by a
	firmware
In-Reply-To: <5A705B5E.5070906@broadcom.com>
References: <20180130090922.30346-1-zajec5@gmail.com>
	<5A705B5E.5070906@broadcom.com>
Message-ID: <e6719fcc4080afc43d62d370ad9cfd34@milecki.pl>
X-Sender: rafal@milecki.pl
User-Agent: Roundcube Webmail/1.3.4
X-Originating-IP: 194.187.74.233
X-Webmail-UserID: rafal@milecki.pl
X-Ovh-Tracer-Id: 13932448400186117760
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: -100
X-VR-SPAMCAUSE: 
 gggruggvucftvghtrhhoucdtuddrgedtfedrtddvgdeflecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

On 2018-01-30 12:47, Arend van Spriel wrote:
> On 1/30/2018 10:09 AM, Rafał Miłecki wrote:
>> From: Rafał Miłecki <rafal@milecki.pl>
>> 
>> When using 4366b1 and 4366c0 chipsets with more recent firmwares
>> 1) 10.10 (TOB) (r663589)
>> 2) 10.10.122.20 (r683106)
>> respectively, it is impossible to use brcmfmac with interface in AP
>> mode. With the AP interface bridged and multicast used, no STA will be
>> able to associate; the STA will be immediately disassociated when
>> attempting to associate.
>> 
>> Debugging revealed this to be caused by a "faked" packet (generated by
>> firmware), that is passed to the networking subsystem and then back to
>> the firmware. Fortunately this packet is easily identified and can be
>> detected and ignored as a workaround for misbehaving firmware.
> 
> I am actually wondering what this packet is. Have you checked in
> brcmf_msgbuf_process_rx_complete(). I am curious what buflen is there
> and what eth_type_trans() will do to the packet, ie. what protocol. As
> everything should be 802.3 we could/should add a length check of 14
> bytes.

Did you find anything?

I got some debugging info, hopefully this is what you expected

[  144.356648] brcmfmac: [brcmf_msgbuf_process_rx_complete] msg.msgtype: 
        0x12
[  144.363559] brcmfmac: [brcmf_msgbuf_process_rx_complete] msg.ifidx:   
        0x00
[  144.370374] brcmfmac: [brcmf_msgbuf_process_rx_complete] msg.flags:   
        0x80
[  144.377179] brcmfmac: [brcmf_msgbuf_process_rx_complete] msg.rsvd0:   
        0x00
[  144.383986] brcmfmac: [brcmf_msgbuf_process_rx_complete] 
msg.request_id:     0x00000041
[  144.391661] brcmfmac: [brcmf_msgbuf_process_rx_complete] 
compl_hdr.status:   0x0000
[  144.399156] brcmfmac: [brcmf_msgbuf_process_rx_complete] 
compl_hdr.flow_ring_id:     0x0000
[  144.407179] brcmfmac: [brcmf_msgbuf_process_rx_complete] 
metadata_len:       0x0000
[  144.414334] brcmfmac: [brcmf_msgbuf_process_rx_complete] data_len:    
        0x0014
[  144.421227] brcmfmac: [brcmf_msgbuf_process_rx_complete] data_offset: 
        0x0000
[  144.428288] brcmfmac: [brcmf_msgbuf_process_rx_complete] flags:       
        0x0001
[  144.434918] brcmfmac: [brcmf_msgbuf_process_rx_complete] rx_status_0: 
        0x00000000
[  144.442334] brcmfmac: [brcmf_msgbuf_process_rx_complete] rx_status_1: 
        0x00000000
[  144.449750] brcmfmac: [brcmf_msgbuf_process_rx_complete] rsvd0:       
        0x00000001
[  144.456724] brcmfmac: [brcmf_msgbuf_process_rx_complete] skb->data:   
        ff ff ff ff  ff ff ec 10  7b 5f ?? ??  00 06 00 01  af 81 01 00
[  144.467883] brcmfmac: [brcmf_msgbuf_process_rx_complete] 
skb->protocol:      0x0400

(just masked 2 bytes of my MAC)


+			if (i % 4 == 3)
+				pr_cont(" ");
+		}
+		pr_cont("\n");
+	}
+
  	skb->protocol = eth_type_trans(skb, ifp->ndev);
+
+	if (skb->len == 6) {
+		pr_info("[%s] skb->protocol:\t0x%04x\n", __func__, skb->protocol);
+	}
+
  	brcmf_netif_rx(ifp, skb);
  }

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c 
b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
index 1bd4b96..08cdcaf 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
@@ -1172,7 +1172,43 @@ brcmf_msgbuf_process_rx_complete(struct 
brcmf_msgbuf *msgbuf, void *buf)
  		return;
  	}

+	if (skb->len == ETH_HLEN + 6) {
+		uint8_t *data;
+		int i;
+
+		pr_info("[%s] msg.msgtype:\t0x%02x\n", __func__, 
rx_complete->msg.msgtype);
+		pr_info("[%s] msg.ifidx:\t\t0x%02x\n", __func__, 
rx_complete->msg.ifidx);
+		pr_info("[%s] msg.flags:\t\t0x%02x\n", __func__, 
rx_complete->msg.flags);
+		pr_info("[%s] msg.rsvd0:\t\t0x%02x\n", __func__, 
rx_complete->msg.rsvd0);
+		pr_info("[%s] msg.request_id:\t0x%08x\n", __func__, 
le32_to_cpu(rx_complete->msg.request_id));
+
+		pr_info("[%s] compl_hdr.status:\t0x%04x\n", __func__, 
le16_to_cpu(rx_complete->compl_hdr.status));
+		pr_info("[%s] compl_hdr.flow_ring_id:\t0x%04x\n", __func__, 
le16_to_cpu(rx_complete->compl_hdr.flow_ring_id));
+
+		pr_info("[%s] metadata_len:\t0x%04x\n", __func__, 
le16_to_cpu(rx_complete->metadata_len));
+		pr_info("[%s] data_len:\t\t0x%04x\n", __func__, 
le16_to_cpu(rx_complete->data_len));
+		pr_info("[%s] data_offset:\t0x%04x\n", __func__, 
le16_to_cpu(rx_complete->data_offset));
+		pr_info("[%s] flags:\t\t0x%04x\n", __func__, 
le16_to_cpu(rx_complete->flags));
+		pr_info("[%s] rx_status_0:\t0x%08x\n", __func__, 
le32_to_cpu(rx_complete->rx_status_0));
+		pr_info("[%s] rx_status_1:\t0x%08x\n", __func__, 
le32_to_cpu(rx_complete->rx_status_1));
+		pr_info("[%s] rsvd0:\t\t0x%08x\n", __func__, 
le32_to_cpu(rx_complete->rsvd0));
+
+		data = skb->data;
+		pr_info("[%s] skb->data:\t\t", __func__);
+		for (i = 0; i < 32 && i < skb->len; i++) {
+			pr_cont("%02x ", data[i]);