freeradius: Security fixes for CVE-2022-41860 CVE-2022-41861

CVE-2022-41860: In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash. CVE-2022-41861: A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash. References: https://nvd.nist.gov/vuln/detail/CVE-2022-41860 https://nvd.nist.gov/vuln/detail/CVE-2022-41861 Patches from: CVE-2022-41860: https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a32e107d4d02f936051c708 CVE-2022-41861: https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Yi Zhao <yi.zhao@eng.windriver.com> 2023-02-09 12:02:20 +0800
committer: Armin Kuster <akuster808@gmail.com> 2023-02-11 11:08:44 -0500
commit: cd15081a7c1b556bc97955d55689b25010cad965 (patch)
tree: e268aafa5a15eb1b5d62861a6ecdd26065b4fda7
parent: 7eb1f15de85e7f66e95d2058f955130819b67531 (diff)
download: meta-openembedded-cd15081a7c1b556bc97955d55689b25010cad965.tar.gz
3 files changed, 173 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
new file mode 100644
index 000000000..4ea519c75
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
@@ -0,0 +1,118 @@
+From f1cdbb33ec61c4a64a32e107d4d02f936051c708 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Mon, 7 Feb 2022 22:26:05 -0500
+Subject: [PATCH] it's probably wrong to be completely retarded.  Let's fix
+ that.
+CVE: CVE-2022-41860
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a32e107d4d02f936051c708]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/modules/rlm_eap/libeap/eapsimlib.c | 69 +++++++++++++++++++-------
+ 1 file changed, 52 insertions(+), 17 deletions(-)
+diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
+index cf1e8a7dd9..e438a844ea 100644
+--- a/src/modules/rlm_eap/libeap/eapsimlib.c
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
+@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
+        newvp->vp_length = 1;
+        fr_pair_add(&(r->vps), newvp);
+ 
+       /*
+        *      EAP-SIM has a 1 octet of subtype, and 2 octets
+        *      reserved.
+        */
+        attr     += 3;
+        attrlen  -= 3;
+ 
+-       /* now, loop processing each attribute that we find */
+-       while(attrlen > 0) {
+       /*
+        *      Loop over each attribute.  The format is:
+        *
+        *      1 octet of type
+        *      1 octet of length (value 1..255)
+        *      ((4 * length) - 2) octets of data.
+        */
+       while (attrlen > 0) {
+                uint8_t *p;
+ 
+-               if(attrlen < 2) {
+               if (attrlen < 2) {
+                        fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
+                        return 0;
+                }
+ 
+               if (!attr[1]) {
+                       fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute,
+                                          es_attribute_count);
+                       return 0;
+               }
+
+                eapsim_attribute = attr[0];
+                eapsim_len = attr[1] * 4;
+ 
+               /*
+                *      The length includes the 2-byte header.
+                */
+                if (eapsim_len > attrlen) {
+                        fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
+                                           eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
+                        return 0;
+                }
+ 
+-               if(eapsim_len > MAX_STRING_LEN) {
+-                       eapsim_len = MAX_STRING_LEN;
+-               }
+-               if (eapsim_len < 2) {
+-                       fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
+-                                          es_attribute_count);
+-                       return 0;
+-               }
+               newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
+               if (!newvp) {
+                       /*
+                        *      RFC 4186 Section 8.1 says 0..127 are
+                        *      "non-skippable".  If one such
+                        *      attribute is found and we don't
+                        *      understand it, the server has to send:
+                        *
+                        *      EAP-Request/SIM/Notification packet with an
+                        *      (AT_NOTIFICATION code, which implies general failure ("General
+                        *      failure after authentication" (0), or "General failure" (16384),
+                        *      depending on the phase of the exchange), which terminates the
+                        *      authentication exchange.
+                        */
+                       if (eapsim_attribute <= 127) {
+                               fr_strerror_printf("Unknown mandatory attribute %d, failing",
+                                                  eapsim_attribute);
+                               return 0;
+                       }
+ 
+-               newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
+-               newvp->vp_length = eapsim_len-2;
+-               newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+-               memcpy(p, &attr[2], eapsim_len-2);
+-               fr_pair_add(&(r->vps), newvp);
+-               newvp = NULL;
+               } else {
+                       /*
+                        *      It's known, ccount for header, and
+                        *      copy the value over.
+                        */
+                       newvp->vp_length = eapsim_len - 2;
+
+                       newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+                       memcpy(p, &attr[2], newvp->vp_length);
+                       fr_pair_add(&(r->vps), newvp);
+               }
+ 
+                /* advance pointers, decrement length */
+                attr += eapsim_len;
+-- 
+2.25.1
diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch
new file mode 100644
index 000000000..352c02137
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch
@@ -0,0 +1,53 @@
+From 0ec2b39d260e08e4c3464f6b95005821dc559c62 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Mon, 28 Feb 2022 10:34:15 -0500
+Subject: [PATCH] manual port of commit 5906bfa1
+CVE: CVE-2022-41861
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/lib/filters.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+diff --git a/src/lib/filters.c b/src/lib/filters.c
+index 4868cd385d..3f3b63daee 100644
+--- a/src/lib/filters.c
+++ b/src/lib/filters.c
+@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+                        }
+                }
+        } else if (filter->type == RAD_FILTER_GENERIC) {
+-               int count;
+               size_t count, masklen;
+
+               masklen = ntohs(filter->u.generic.len);
+               if (masklen >= sizeof(filter->u.generic.mask)) {
+                       *p = '\0';
+                       return;
+               }
+ 
+                i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
+                p += i;
+ 
+                /* show the mask */
+-               for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+               for (count = 0; count < masklen; count++) {
+                        i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
+                        p += i;
+                        outlen -= i;
+@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
+                outlen--;
+ 
+                /* show the value */
+-               for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+               for (count = 0; count < masklen; count++) {
+                        i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
+                        p += i;
+                        outlen -= i;
+-- 
+2.25.1
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
index b459412e0..d18c38779 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
@@ -33,6 +33,8 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0
    file://radiusd-volatiles.conf \
    file://check-openssl-cmds-in-script-bootstrap.patch \
    file://0001-version.c-don-t-print-build-flags.patch \
+    file://CVE-2022-41860.patch \
+    file://CVE-2022-41861.patch \
 "
 raddbdir="${sysconfdir}/${MLPREFIX}raddb"
author	Yi Zhao <yi.zhao@eng.windriver.com>	2023-02-09 12:02:20 +0800
committer	Armin Kuster <akuster808@gmail.com>	2023-02-11 11:08:44 -0500
commit	cd15081a7c1b556bc97955d55689b25010cad965 (patch)
tree	e268aafa5a15eb1b5d62861a6ecdd26065b4fda7
parent	7eb1f15de85e7f66e95d2058f955130819b67531 (diff)
download	meta-openembedded-cd15081a7c1b556bc97955d55689b25010cad965.tar.gz

diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch new file mode 100644 index 000000000..4ea519c75 --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41860.patch
@@ -0,0 +1,118 @@
		1	From f1cdbb33ec61c4a64a32e107d4d02f936051c708 Mon Sep 17 00:00:00 2001
		2	From: "Alan T. DeKok" <aland@freeradius.org>
		3	Date: Mon, 7 Feb 2022 22:26:05 -0500
		4	Subject: [PATCH] it's probably wrong to be completely retarded. Let's fix
		5	that.
		6
		7	CVE: CVE-2022-41860
		8
		9	Upstream-Status: Backport
		10	[https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a32e107d4d02f936051c708]
		11
		12	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		13	---
		14	src/modules/rlm_eap/libeap/eapsimlib.c \| 69 +++++++++++++++++++-------
		15	1 file changed, 52 insertions(+), 17 deletions(-)
		16
		17	diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
		18	index cf1e8a7dd9..e438a844ea 100644
		19	--- a/src/modules/rlm_eap/libeap/eapsimlib.c
		20	+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
		21	@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
		22	newvp->vp_length = 1;
		23	fr_pair_add(&(r->vps), newvp);
		24
		25	+ /*
		26	+ * EAP-SIM has a 1 octet of subtype, and 2 octets
		27	+ * reserved.
		28	+ */
		29	attr += 3;
		30	attrlen -= 3;
		31
		32	- /* now, loop processing each attribute that we find */
		33	- while(attrlen > 0) {
		34	+ /*
		35	+ * Loop over each attribute. The format is:
		36	+ *
		37	+ * 1 octet of type
		38	+ * 1 octet of length (value 1..255)
		39	+ * ((4 * length) - 2) octets of data.
		40	+ */
		41	+ while (attrlen > 0) {
		42	uint8_t *p;
		43
		44	- if(attrlen < 2) {
		45	+ if (attrlen < 2) {
		46	fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
		47	return 0;
		48	}
		49
		50	+ if (!attr[1]) {
		51	+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute,
		52	+ es_attribute_count);
		53	+ return 0;
		54	+ }
		55	+
		56	eapsim_attribute = attr[0];
		57	eapsim_len = attr[1] * 4;
		58
		59	+ /*
		60	+ * The length includes the 2-byte header.
		61	+ */
		62	if (eapsim_len > attrlen) {
		63	fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
		64	eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
		65	return 0;
		66	}
		67
		68	- if(eapsim_len > MAX_STRING_LEN) {
		69	- eapsim_len = MAX_STRING_LEN;
		70	- }
		71	- if (eapsim_len < 2) {
		72	- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
		73	- es_attribute_count);
		74	- return 0;
		75	- }
		76	+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
		77	+ if (!newvp) {
		78	+ /*
		79	+ * RFC 4186 Section 8.1 says 0..127 are
		80	+ * "non-skippable". If one such
		81	+ * attribute is found and we don't
		82	+ * understand it, the server has to send:
		83	+ *
		84	+ * EAP-Request/SIM/Notification packet with an
		85	+ * (AT_NOTIFICATION code, which implies general failure ("General
		86	+ * failure after authentication" (0), or "General failure" (16384),
		87	+ * depending on the phase of the exchange), which terminates the
		88	+ * authentication exchange.
		89	+ */
		90	+ if (eapsim_attribute <= 127) {
		91	+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
		92	+ eapsim_attribute);
		93	+ return 0;
		94	+ }
		95
		96	- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
		97	- newvp->vp_length = eapsim_len-2;
		98	- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
		99	- memcpy(p, &attr[2], eapsim_len-2);
		100	- fr_pair_add(&(r->vps), newvp);
		101	- newvp = NULL;
		102	+ } else {
		103	+ /*
		104	+ * It's known, ccount for header, and
		105	+ * copy the value over.
		106	+ */
		107	+ newvp->vp_length = eapsim_len - 2;
		108	+
		109	+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
		110	+ memcpy(p, &attr[2], newvp->vp_length);
		111	+ fr_pair_add(&(r->vps), newvp);
		112	+ }
		113
		114	/* advance pointers, decrement length */
		115	attr += eapsim_len;
		116	--
		117	2.25.1
		118


diff --git a/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch new file mode 100644 index 000000000..352c02137 --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/CVE-2022-41861.patch
@@ -0,0 +1,53 @@
		1	From 0ec2b39d260e08e4c3464f6b95005821dc559c62 Mon Sep 17 00:00:00 2001
		2	From: "Alan T. DeKok" <aland@freeradius.org>
		3	Date: Mon, 28 Feb 2022 10:34:15 -0500
		4	Subject: [PATCH] manual port of commit 5906bfa1
		5
		6	CVE: CVE-2022-41861
		7
		8	Upstream-Status: Backport
		9	[https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e08e4c3464f6b95005821dc559c62]
		10
		11	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		12	---
		13	src/lib/filters.c \| 12 +++++++++---
		14	1 file changed, 9 insertions(+), 3 deletions(-)
		15
		16	diff --git a/src/lib/filters.c b/src/lib/filters.c
		17	index 4868cd385d..3f3b63daee 100644
		18	--- a/src/lib/filters.c
		19	+++ b/src/lib/filters.c
		20	@@ -1205,13 +1205,19 @@ void print_abinary(char out, size_t outlen, uint8_t const data, size_t len, in
		21	}
		22	}
		23	} else if (filter->type == RAD_FILTER_GENERIC) {
		24	- int count;
		25	+ size_t count, masklen;
		26	+
		27	+ masklen = ntohs(filter->u.generic.len);
		28	+ if (masklen >= sizeof(filter->u.generic.mask)) {
		29	+ *p = '\0';
		30	+ return;
		31	+ }
		32
		33	i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
		34	p += i;
		35
		36	/* show the mask */
		37	- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
		38	+ for (count = 0; count < masklen; count++) {
		39	i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
		40	p += i;
		41	outlen -= i;
		42	@@ -1222,7 +1228,7 @@ void print_abinary(char out, size_t outlen, uint8_t const data, size_t len, in
		43	outlen--;
		44
		45	/* show the value */
		46	- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
		47	+ for (count = 0; count < masklen; count++) {
		48	i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
		49	p += i;
		50	outlen -= i;
		51	--
		52	2.25.1
		53


diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb index b459412e0..d18c38779 100644 --- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
@@ -33,6 +33,8 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0
33	file://radiusd-volatiles.conf \	33	file://radiusd-volatiles.conf \
34	file://check-openssl-cmds-in-script-bootstrap.patch \	34	file://check-openssl-cmds-in-script-bootstrap.patch \
35	file://0001-version.c-don-t-print-build-flags.patch \	35	file://0001-version.c-don-t-print-build-flags.patch \
		36	file://CVE-2022-41860.patch \
		37	file://CVE-2022-41861.patch \
36	"	38	"
37		39
38	raddbdir="${sysconfdir}/${MLPREFIX}raddb"	40	raddbdir="${sysconfdir}/${MLPREFIX}raddb"