wpa-supplicant: fix CVE-2021-27803

A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. References: https://nvd.nist.gov/vuln/detail/CVE-2021-27803 Upstream patches: https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32 (From OE-Core rev: 81e4260b83c52558c320fd7d1c1eafcb312ad6be) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Stefan Ghinea <stefan.ghinea@windriver.com> 2021-03-03 20:53:08 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-03-06 22:39:03 +0000
commit: 5623cf33c13358df3ed34882ceed9ca79965fde2 (patch)
tree: 47c68c8ae497a3691c8aa981b71c7982bf375472
parent: ca1382756c0a26b1ff7b46a61079704d4b11c57c (diff)
download: poky-5623cf33c13358df3ed34882ceed9ca79965fde2.tar.gz
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
new file mode 100644
index 0000000000..004b1dbd19
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
@@ -0,0 +1,58 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Upstream-Status: Backport
+CVE: CVE-2021-27803
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec0..05fd593 100644
+--- a/src/p2p/p2p_pd.c
+++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+                        goto out;
+                }
+ 
+               dev = p2p_get_device(p2p, sa);
+                if (!dev) {
+-                       dev = p2p_get_device(p2p, sa);
+-                       if (!dev) {
+-                               p2p_dbg(p2p,
+-                                       "Provision Discovery device not found "
+-                                       MACSTR, MAC2STR(sa));
+-                               goto out;
+-                       }
+                       p2p_dbg(p2p,
+                               "Provision Discovery device not found "
+                               MACSTR, MAC2STR(sa));
+                       goto out;
+                }
+        } else if (msg.wfd_subelems) {
+                wpabuf_free(dev->info.wfd_subelems);
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index caa6018ce8..357c28634a 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -31,6 +31,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
           file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
           file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
           file://CVE-2021-0326.patch \
+           file://CVE-2021-27803.patch \
          "
 SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
 SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
author	Stefan Ghinea <stefan.ghinea@windriver.com>	2021-03-03 20:53:08 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-03-06 22:39:03 +0000
commit	5623cf33c13358df3ed34882ceed9ca79965fde2 (patch)
tree	47c68c8ae497a3691c8aa981b71c7982bf375472
parent	ca1382756c0a26b1ff7b46a61079704d4b11c57c (diff)
download	poky-5623cf33c13358df3ed34882ceed9ca79965fde2.tar.gz

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch new file mode 100644 index 0000000000..004b1dbd19 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
@@ -0,0 +1,58 @@
		1	From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <jouni@codeaurora.org>
		3	Date: Tue, 8 Dec 2020 23:52:50 +0200
		4	Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
		5
		6	p2p_add_device() may remove the oldest entry if there is no room in the
		7	peer table for a new peer. This would result in any pointer to that
		8	removed entry becoming stale. A corner case with an invalid PD Request
		9	frame could result in such a case ending up using (read+write) freed
		10	memory. This could only by triggered when the peer table has reached its
		11	maximum size and the PD Request frame is received from the P2P Device
		12	Address of the oldest remaining entry and the frame has incorrect P2P
		13	Device Address in the payload.
		14
		15	Fix this by fetching the dev pointer again after having called
		16	p2p_add_device() so that the stale pointer cannot be used.
		17
		18	Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
		19	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
		20
		21	Upstream-Status: Backport
		22	CVE: CVE-2021-27803
		23
		24	Reference to upstream patch:
		25	[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
		26
		27	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
		28	---
		29	src/p2p/p2p_pd.c \| 12 +++++-------
		30	1 file changed, 5 insertions(+), 7 deletions(-)
		31
		32	diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
		33	index 3994ec0..05fd593 100644
		34	--- a/src/p2p/p2p_pd.c
		35	+++ b/src/p2p/p2p_pd.c
		36	@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data p2p, const u8 sa,
		37	goto out;
		38	}
		39
		40	+ dev = p2p_get_device(p2p, sa);
		41	if (!dev) {
		42	- dev = p2p_get_device(p2p, sa);
		43	- if (!dev) {
		44	- p2p_dbg(p2p,
		45	- "Provision Discovery device not found "
		46	- MACSTR, MAC2STR(sa));
		47	- goto out;
		48	- }
		49	+ p2p_dbg(p2p,
		50	+ "Provision Discovery device not found "
		51	+ MACSTR, MAC2STR(sa));
		52	+ goto out;
		53	}
		54	} else if (msg.wfd_subelems) {
		55	wpabuf_free(dev->info.wfd_subelems);
		56	--
		57	2.17.1
		58


diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb index caa6018ce8..357c28634a 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -31,6 +31,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
31	file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \	31	file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
32	file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \	32	file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
33	file://CVE-2021-0326.patch \	33	file://CVE-2021-0326.patch \
		34	file://CVE-2021-27803.patch \
34	"	35	"
35	SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"	36	SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
36	SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"	37	SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"