From 41b11b027314743b56e25f969e1a38aaefd3721b Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Mon, 30 Oct 2017 01:13:51 -0400
Subject: [PATCH] Fully patch against KRACK

---
 .../3.10/{0.patch => 0.patch.disabled}        |  0
 Patches/Linux_CVEs/CVE-2017-13080/ANY/0.patch | 78 +++++++++++++++++++
 .../android_kernel_amazon_hdx-common.sh       |  1 +
 .../android_kernel_fairphone_msm8974.sh       |  1 +
 .../CVE_Patchers/android_kernel_google_msm.sh |  1 +
 .../android_kernel_htc_flounder.sh            |  1 -
 .../android_kernel_lge_hammerhead.sh          |  1 +
 .../android_kernel_motorola_msm8916.sh        |  1 -
 .../android_kernel_motorola_msm8992.sh        |  1 -
 .../android_kernel_oneplus_msm8974.sh         |  1 +
 10 files changed, 83 insertions(+), 3 deletions(-)
 rename Patches/Linux_CVEs/CVE-2017-0794/3.10/{0.patch => 0.patch.disabled} (100%)
 create mode 100644 Patches/Linux_CVEs/CVE-2017-13080/ANY/0.patch

diff --git a/Patches/Linux_CVEs/CVE-2017-0794/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-0794/3.10/0.patch.disabled
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0794/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0794/3.10/0.patch.disabled
diff --git a/Patches/Linux_CVEs/CVE-2017-13080/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-13080/ANY/0.patch
new file mode 100644
index 00000000..f110d56b
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-13080/ANY/0.patch
@@ -0,0 +1,78 @@
+From 6bd7e74005e90ef79402a9c94e1044f845aa49f1 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 5 Sep 2017 14:54:54 +0200
+Subject: [PATCH] mac80211: accept key reinstall without changing anything
+
+When a key is reinstalled we can reset the replay counters
+etc. which can lead to nonce reuse and/or replay detection
+being impossible, breaking security properties, as described
+in the "KRACK attacks".
+
+In particular, CVE-2017-13080 applies to GTK rekeying that
+happened in firmware while the host is in D3, with the second
+part of the attack being done after the host wakes up. In
+this case, the wpa_supplicant mitigation isn't sufficient
+since wpa_supplicant doesn't know the GTK material.
+
+In case this happens, simply silently accept the new key
+coming from userspace but don't take any action on it since
+it's the same key; this keeps the PN replay counters intact.
+
+Change-Id: If973789c12d2afcd9192f796e27bc9598c5dd1c0
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+ net/mac80211/key.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index 5bb600d93d7..cebe30315d9 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -3,6 +3,7 @@
+  * Copyright 2005-2006, Devicescape Software, Inc.
+  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
+  * Copyright 2007-2008	Johannes Berg <johannes@sipsolutions.net>
++ * Copyright 2015-2017	Intel Deutschland GmbH
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -452,9 +453,6 @@ int ieee80211_key_link(struct ieee80211_key *key,
+ 
+ 	pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
+ 	idx = key->conf.keyidx;
+-	key->local = sdata->local;
+-	key->sdata = sdata;
+-	key->sta = sta;
+ 
+ 	if (sta) {
+ 		/*
+@@ -491,6 +489,21 @@ int ieee80211_key_link(struct ieee80211_key *key,
+ 	else
+ 		old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
+ 
++	/*
++	 * Silently accept key re-installation without really installing the
++	 * new version of the key to avoid nonce reuse or replay issues.
++	 */
++	if (old_key && key->conf.keylen == old_key->conf.keylen &&
++	    !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) {
++		ieee80211_key_free_unused(key);
++		ret = 0;
++		goto out;
++	}
++
++	key->local = sdata->local;
++	key->sdata = sdata;
++	key->sta = sta;
++
+ 	increment_tailroom_need_count(sdata);
+ 
+ 	__ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
+@@ -500,6 +513,7 @@ int ieee80211_key_link(struct ieee80211_key *key,
+ 
+ 	ret = ieee80211_key_enable_hw_accel(key);
+ 
++ out:
+ 	mutex_unlock(&sdata->local->key_mtx);
+ 
+ 	return ret;
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_amazon_hdx-common.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_amazon_hdx-common.sh
index 8709e00c..659f114b 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_amazon_hdx-common.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_amazon_hdx-common.sh
@@ -32,6 +32,7 @@ git apply $cvePatches/CVE-2017-0751/ANY/0.patch
 git apply $cvePatches/CVE-2017-0786/ANY/0.patch
 git apply $cvePatches/CVE-2017-10662/ANY/0.patch
 git apply $cvePatches/CVE-2017-11000/ANY/0.patch
+git apply $cvePatches/CVE-2017-13080/ANY/0.patch
 git apply $cvePatches/CVE-2017-15265/ANY/0.patch
 git apply $cvePatches/CVE-2017-2671/ANY/0.patch
 git apply $cvePatches/CVE-2017-5970/ANY/0.patch
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh
index b6e8e875..7c75133c 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_fairphone_msm8974.sh
@@ -4,6 +4,7 @@ git apply $cvePatches/CVE-2016-3672/ANY/0.patch
 git apply $cvePatches/CVE-2017-0430/ANY/0.patch
 git apply $cvePatches/CVE-2017-0750/ANY/0.patch
 git apply $cvePatches/CVE-2017-0786/ANY/0.patch
+git apply $cvePatches/CVE-2017-13080/ANY/0.patch
 git apply $cvePatches/CVE-2017-15265/ANY/0.patch
 git apply $cvePatches/CVE-2017-6348/ANY/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_msm.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_msm.sh
index 2f3e16dc..7ce179a6 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_msm.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_google_msm.sh
@@ -10,5 +10,6 @@ git apply $cvePatches/CVE-2017-0710/ANY/0.patch
 git apply $cvePatches/CVE-2017-0750/ANY/0.patch
 git apply $cvePatches/CVE-2017-0751/ANY/0.patch
 git apply $cvePatches/CVE-2017-0786/ANY/0.patch
+git apply $cvePatches/CVE-2017-13080/ANY/0.patch
 git apply $cvePatches/CVE-2017-15265/ANY/0.patch
 cd $base
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh
index 8fa81b48..c9f5934a 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_htc_flounder.sh
@@ -13,7 +13,6 @@ git apply $cvePatches/CVE-2016-9604/ANY/0.patch
 git apply $cvePatches/CVE-2017-0449/ANY/0.patch
 git apply $cvePatches/CVE-2017-0537/ANY/0.patch
 git apply $cvePatches/CVE-2017-0750/ANY/0.patch
-#git apply $cvePatches/CVE-2017-0794/3.10/0.patch
 git apply $cvePatches/CVE-2017-1000365/3.10/0.patch
 git apply $cvePatches/CVE-2017-10996/ANY/0.patch
 git apply $cvePatches/CVE-2017-15265/ANY/0.patch
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_hammerhead.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_hammerhead.sh
index dc1386d5..043a11a7 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_hammerhead.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_lge_hammerhead.sh
@@ -9,6 +9,7 @@ git apply $cvePatches/CVE-2017-0710/ANY/0.patch
 git apply $cvePatches/CVE-2017-0750/ANY/0.patch
 git apply $cvePatches/CVE-2017-0751/ANY/0.patch
 git apply $cvePatches/CVE-2017-0786/ANY/0.patch
+git apply $cvePatches/CVE-2017-13080/ANY/0.patch
 git apply $cvePatches/CVE-2017-15265/ANY/0.patch
 git apply $cvePatches/CVE-2017-2671/ANY/0.patch
 git apply $cvePatches/CVE-2017-5970/ANY/0.patch
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh
index c31c754d..6c3a94ec 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8916.sh
@@ -20,7 +20,6 @@ git apply $cvePatches/CVE-2017-0457/3.10/0.patch
 git apply $cvePatches/CVE-2017-0457/3.10/1.patch
 git apply $cvePatches/CVE-2017-0648/ANY/0.patch
 git apply $cvePatches/CVE-2017-0750/ANY/0.patch
-#git apply $cvePatches/CVE-2017-0794/3.10/0.patch
 git apply $cvePatches/CVE-2017-15265/ANY/0.patch
 git apply $cvePatches/CVE-2017-6348/ANY/0.patch
 git apply $cvePatches/LVT-2017-0003/3.10/0.patch
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8992.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8992.sh
index 6e762c03..7626d776 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8992.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_motorola_msm8992.sh
@@ -56,7 +56,6 @@ git apply $cvePatches/CVE-2017-0746/ANY/0.patch
 git apply $cvePatches/CVE-2017-0748/ANY/0.patch
 git apply $cvePatches/CVE-2017-0750/ANY/0.patch
 git apply $cvePatches/CVE-2017-0751/ANY/0.patch
-#git apply $cvePatches/CVE-2017-0794/3.10/0.patch
 git apply $cvePatches/CVE-2017-1000365/3.10/0.patch
 git apply $cvePatches/CVE-2017-10997/ANY/0.patch
 git apply $cvePatches/CVE-2017-10998/3.10/0.patch
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_oneplus_msm8974.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_oneplus_msm8974.sh
index ef0205b8..a54c3ff4 100644
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_oneplus_msm8974.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_oneplus_msm8974.sh
@@ -13,6 +13,7 @@ git apply $cvePatches/CVE-2017-0750/ANY/0.patch
 git apply $cvePatches/CVE-2017-0751/ANY/0.patch
 git apply $cvePatches/CVE-2017-0786/ANY/0.patch
 git apply $cvePatches/CVE-2017-11000/ANY/0.patch
+git apply $cvePatches/CVE-2017-13080/ANY/0.patch
 git apply $cvePatches/CVE-2017-15265/ANY/0.patch
 git apply $cvePatches/CVE-2017-7487/ANY/0.patch
 git apply $cvePatches/CVE-2017-8247/ANY/0.patch