This fixes the following security problems:
* CVE-2018-0732: Client DoS due to large DH parameter
* CVE-2018-0737: Cache timing vulnerability in RSA Key Generation
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The following patch was integrated upstream:
* target/linux/generic/backport-4.9/500-ext4-fix-check-to-prevent-initializing-reserved-inod.patch
This fixes tries to work around the following security problems:
* CVE-2018-3620 L1 Terminal Fault OS, SMM related aspects
* CVE-2018-3646 L1 Terminal Fault Virtualization related aspects
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The following patches were integrated upstream:
* target/linux/ipq40xx/patches-4.14/050-0006-mtd-nand-qcom-Add-a-NULL-check-for-devm_kasprintf.patch
* target/linux/mediatek/patches-4.14/0177-phy-phy-mtk-tphy-use-auto-instead-of-force-to-bypass.patch
This fixes tries to work around the following security problems:
* CVE-2018-3620 L1 Terminal Fault OS, SMM related aspects
* CVE-2018-3646 L1 Terminal Fault Virtualization related aspects
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Use the orange led by default to match the bootloader/stock firmware
behaviour. Turn on the green power led after boot to indicate a
finished boot and the orange one off.
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
[reword commit message, keep orange power led enabled during early
kernel boot]
Signed-off-by: Mathias Kresin <dev@kresin.me>
Use the orange led by default to match the bootloader/stock firmware
behaviour. Turn on the blue power led after boot to indicate a finished
boot and the orange one off.
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
[reword commit message, keep orange power led enabled during early
kernel boot]
Signed-off-by: Mathias Kresin <dev@kresin.me>
Use diag.sh version used for apm821xx, ipq40xx and ipq806x, which
supports different leds for the different boot states.
The existing led sequences should be the same as before.
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
[reword commit message]
Signed-off-by: Mathias Kresin <dev@kresin.me>
The DWR-118-A2 Wireless Router is based on the MT7620A SoC.
Specification:
- MediaTek MT7620A (580 Mhz)
- 128 MB of RAM
- 16 MB of FLASH
- 1x 802.11bgn radio
- 1x 802.11ac radio (MT7612EN)
- 4x 10/100 Mbps Ethernet (1 WAN and 3 LAN)
- 1x 10/100/1000 Mbps Marvell Ethernet PHY (1 LAN)
- 2x external, non-detachable antennas
- 1x USB 2.0
- UART (J1) header on PCB (57600 8n1)
- 7x LED (5x GPIO-controlled), 2x button
- JBOOT bootloader
Known issues:
- GELAN not working
- flash is very slow
The status led has been assigned to the dwr-118-a2:green:internet led.
At the end of the boot it is switched off and is available for other
operation. Work correctly also during sysupgrade operation.
Installation:
Apply factory image via http web-gui or JBOOT recovery page
How to revert to OEM firmware:
- push the reset button and turn on the power. Wait until LED start
blinking (~10sec.)
- upload original factory image via JBOOT http (IP: 192.168.123.254)
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
HiWiFi "Gee Enjoy1200" HC5861B is a dual-band router based on MediaTek MT7628AN
https://www.hiwifi.com/enjoy-view
Specifications:
- MediaTek MT7628AN 580MHz
- 128 MB DDR2 RAM
- 16 MB SPI Flash
- 2.4G MT7628AN 802.11bgn 2T2R 300Mbps
- 5G MT7612EN 802.11ac 2T2R 867Mbps
- 5x 10/100 Mbps Ethernet
Flash instruction:
1. Get SSH access to the router
2. SSH to router with `ssh -p 1022 root@192.168.199.1`, The SSH password is the same as the webconfig one
3. Upload OpenWrt sysupgrade firmware into the router's `/tmp` folder with SCP
4. Run `mtd write /tmp/<filename> firmware`
5. reboot
Everything is working
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
Move the alias node of the TP-Link WR841v9 and rename the phandle of
the qss led to qss_led in preparation for adding the very similar
TP-Link WR841v11.
Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
Remove SUPPORTED_DEVICES from wr841-v9 because it´s not needed and
for consistency rename everything to tl-wr841-v9.
Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
Add ath9k wifi capabilities to WNDR3700 family.
* use kmod-owl-loader to load firmware from "art"
* add wifi to DTS
* add wifi LEDs
Avoid using the same MAC for eth0 LAN and wlan0 by
toggling the eth0 MAC into a locally administered MAC.
That is currently done by in user-space by adding a
uci config item into /etc/config/network
(More elegant solution might be setting it already in
preinit phase.)
Known issues:
* wifi firmware file may not get created on the first boot
after flashing on time to bring wifi normally up. Likely
the overlay jffs2 is not yet ready for creating the
firmware file. "wifi up" may still bring wifi up.
Wifi will work normally at subsequent boots.
* phy0 and phy1 may get assigned mixed, so that phy0 may
be the 5GHz radio instead of the normal 2.4GHz, and vice
versa for phy1. Does not happen always, but may happen.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
[fix the wifi unit address in the dts]
Signed-off-by: Mathias Kresin <dev@kresin.me>
Pisen WMM003N (sold under the name of Cloud Easy Power) is an
AR9331-based router and power bank combo device. The device uses a
stock firmware modified from OpenWRT for TP-Link TL-WR703N; however
some GPIO definition is different on this device with TL-WR703N. An
AXP202 PMIC (connected to a 5000mAh battery) and a SD slot are also
added, and the stock Flash/RAM configuration is 8MiB/64MiB.
The stock firmware is an old and heavily modified OpenWRT-based
firmware, which has telnetd defaultly open, and the root password is
"ifconfig" (quotation marks not included). The factory image format is
not known yet, however the stock firmware ships the OpenWRT's sysupgrade
command, and it can be used to install a newer firmware.
Due to the lack of the access to the STM8 embedded controller, the SD
slot is currently not usable (because it's muxed with the on-board USB
port) and the AXP PMIC cannot be monitored.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
12a7cf9 Add support for DSCP matches and target
06fa692 defaults: use a generic check_kmod() function
1c4d5bc defaults: fix check_kmod() function
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This target is on 4.9 currently.
It seems the support for this old kernel never got dropped.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
This router is called RE450 and the tl prefix was used to identify it
as a TP-Link device. Drop the tl prefix since we now have tplink in
dts and device name.
Signed-off-by: Peter Lundkvist <peter.lundkvist@gmail.com>
The WD My Net Range Extender stores the MAC addresses inside the
nvram partition. This utility can extract it, but it's currently
not avilable on the ath79 target. Hence, this patch adds the
necessary target declaration, so it can be built.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
In "brcm47xx: rework model detection" the file 01_detect was moved
to 01_network, therefore also update the warning message in case
everything fails.
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
PLL for eth0 internal clock on ar913x is at 0x18050014
and AR913X_ETH0_PLL_SHIFT is 20 instead of 17
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Add support for WNDR3700 and WNDR3700v2.
They share most things with WNDR3800.
Only device IDs and partition structure needs to be set.
Note: WNDR3700 (v1) has no NETGEAR_HW_ID, but has
also the NA version of the factory image.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Prepare for addition of WNDR3700 and WNDR3700v2 by
separating the common parts into wndr3700.dtsi and
leaving just the device-specific things into wndr3800.dts
The three routers are identical except
* device IDs
* WNDR3700 (v1) has only 8 MB flash, while others have 16 MB.
Partition structure needs to be defined for each device.
* (WNDR3800 has 128 MB RAM, but RAM size is not in DTS)
Also separate the common parts of the image recipe.
(Drop also the initramfs recipe.)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The wholesale changes introduced in commit f9b8328 missed this DTS file
because it hadn't been merged yet. This patch brings it in line to match
the other mt7620a devices' DTS files.
Additionally, the Internet LED is now labeled correctly and set to unused
by default, since the WAN interface is not known in every configuration.
Using sysupgrade between images before and after this commit will require
the -F flag.
Tested-by: Rohan Murch <rohan.murch@gmail.com>
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
[drop internet led default setting]
Signed-off-by: Mathias Kresin <dev@kresin.me>
This patch adds support for the Netgear R6120, aka Netgear AC1200.
Specification:
- SoC: MediaTek MT7628 (580 MHz)
- Flash: 16 MiB
- RAM: 64 MiB
- Wireless: 2.4Ghz(builtin) and 5Ghz (MT7612E)
- LAN speed: 10/100
- LAN ports: 4
- WAN speed: 10/100
- WAN ports: 1
- Serial baud rate of Bootloader and factory firmware: 57600
To flash use nmrpflash with the provided factory.img.
Flashing via webinterface will not work, for now.
Signed-off-by: Ludwig Thomeczek <ledesrc@wxorx.net>
This adds a tool to generate a firmware file accepted
by Netgear or sercomm devices.
They use a zip-packed rootfs with header and a custom
checksum. The generated Image can be flashed via the
nmrpflash tool or the webinterface of the router.
Signed-off-by: Ludwig Thomeczek <ledesrc@wxorx.net>
* send: switch handshake stamp to an atomic
Rather than abusing the handshake lock, we're much better off just using
a boring atomic64 for this. It's simpler and performs better. Also, while
we're at it, we set the handshake stamp both before and after the
calculations, in case the calculations block for a really long time waiting
for the RNG to initialize.
* compat: better atomic acquire/release backport
This should fix compilation and correctness on several platforms.
* crypto: move simd context to specific type
This was a suggestion from Andy Lutomirski on LKML.
* chacha20poly1305: selftest: use arrays for test vectors
We no longer have lines so long that they're rejected by SMTP servers.
* qemu: add easy git harness
This makes it a bit easier to use our qemu harness for testing our mainline
integration tree.
* curve25519-x86_64: avoid use of r12
This causes problems with RAP and KERNEXEC for PaX, as r12 is a
reserved register.
* chacha20: use memmove in case buffers overlap
A small correctness fix that we never actually hit in WireGuard but is
important especially for moving this into a general purpose library.
* curve25519-hacl64: simplify u64_eq_mask
* curve25519-hacl64: correct u64_gte_mask
Two bitmath fixes from Samuel, which come complete with a z3 script proving
their correctness.
* timers: include header in right file
This fixes compilation in some environments.
* netlink: don't start over iteration on multipart non-first allowedips
Matt Layher found a bug where a netlink dump of peers would never terminate in
some circumstances, causing wg(8) to keep trying forever. We now have a fix as
well as a unit test to mitigate this, and we'll be looking to create a fuzzer
out of Matt's nice library.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The kernel image of the at91-q5xr5 is getting too bing now and this is
breaking the build. Remove the image for the at91-q5xr5 from the build
to at least build images for the other devices.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
I-O DATA WN-AC1600DGR2 is a 2.4/5 GHz band 11ac router, based on
Qualcomm Atheros QCA9557.
Specification:
- Qualcomm Atheros QCA9557
- 128 MB of RAM
- 16 MB of Flash
- 2.4/5 GHz wifi
- 2.4 GHz: 2T2R (SoC internal)
- 5 GHz: 3T3R (QCA9880)
- 5x 10/100/1000 Mbps Ethernet
- 6x LEDs, 6x keys (4x buttons, 1x slide switch)
- UART header on PCB
- Vcc, GND, TX, RX from ethernet port side
- 115200n8
Flash instruction using factory image:
1. Connect the computer to the LAN port of WN-AC1600DGR2
2. Connect power cable to WN-AC1600DGR2 and turn on it
3. Access to "http://192.168.0.1/" and open firmware update page
("ファームウェア")
4. Select the OpenWrt factory image and click update ("更新") button
5. Wait ~150 seconds to complete flashing
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This patch copies over the MAC patching helper functions from lantiq's
target/linux/lantiq/base-files/etc/hotplug.d/firmware/12-ath9k-eeprom
file.
Not all vendors bothered to write the correct MAC addresses for the
ath9k wifi into the calibration data. And while ath9k does have some
special dt-properties to extract the addresses from a fixed position,
there are still devices that require userspace to edit or modify
the caldata.
In my case, the MAC address for the Wi-Fi device is stored in an
unsorted key-value based "nvram" database and there's an existing
userspace tool to extract the data.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Add a function to get a mac stored as text from flash. The octets of
the mac address need to be separated by any separator supported by
macaddr_canonicalize().
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Mathias Kresin <dev@kresin.me>
Add the opening bracket right after the function name, to do it the
same way for all functions in this file.
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Mathias Kresin <dev@kresin.me>
Unauthenticated EAPOL-Key decryption in wpa_supplicant
Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/
Vulnerability
A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.
When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.
Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.
Vulnerable versions/configurations
All wpa_supplicant versions.
Acknowledgments
Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.
Possible mitigation steps
- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.
- Merge the following commits to wpa_supplicant and rebuild:
WPA: Ignore unauthenticated encrypted EAPOL-Key data
This patch is available from https://w1.fi/security/2018-1/
- Update to wpa_supplicant v2.7 or newer, once available
Signed-off-by: John Crispin <john@phrozen.org>