summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefan Ghinea <stefan.ghinea@windriver.com>2021-03-03 20:53:08 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-03-06 22:39:03 +0000
commit5623cf33c13358df3ed34882ceed9ca79965fde2 (patch)
tree47c68c8ae497a3691c8aa981b71c7982bf375472
parentca1382756c0a26b1ff7b46a61079704d4b11c57c (diff)
downloadpoky-5623cf33c13358df3ed34882ceed9ca79965fde2.tar.gz
wpa-supplicant: fix CVE-2021-27803
A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. References: https://nvd.nist.gov/vuln/detail/CVE-2021-27803 Upstream patches: https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32 (From OE-Core rev: 81e4260b83c52558c320fd7d1c1eafcb312ad6be) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch58
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb1
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
new file mode 100644
index 0000000000..004b1dbd19
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
@@ -0,0 +1,58 @@
1From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
2From: Jouni Malinen <jouni@codeaurora.org>
3Date: Tue, 8 Dec 2020 23:52:50 +0200
4Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
5
6p2p_add_device() may remove the oldest entry if there is no room in the
7peer table for a new peer. This would result in any pointer to that
8removed entry becoming stale. A corner case with an invalid PD Request
9frame could result in such a case ending up using (read+write) freed
10memory. This could only by triggered when the peer table has reached its
11maximum size and the PD Request frame is received from the P2P Device
12Address of the oldest remaining entry and the frame has incorrect P2P
13Device Address in the payload.
14
15Fix this by fetching the dev pointer again after having called
16p2p_add_device() so that the stale pointer cannot be used.
17
18Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
19Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
20
21Upstream-Status: Backport
22CVE: CVE-2021-27803
23
24Reference to upstream patch:
25[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
26
27Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
28---
29 src/p2p/p2p_pd.c | 12 +++++-------
30 1 file changed, 5 insertions(+), 7 deletions(-)
31
32diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
33index 3994ec0..05fd593 100644
34--- a/src/p2p/p2p_pd.c
35+++ b/src/p2p/p2p_pd.c
36@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
37 goto out;
38 }
39
40+ dev = p2p_get_device(p2p, sa);
41 if (!dev) {
42- dev = p2p_get_device(p2p, sa);
43- if (!dev) {
44- p2p_dbg(p2p,
45- "Provision Discovery device not found "
46- MACSTR, MAC2STR(sa));
47- goto out;
48- }
49+ p2p_dbg(p2p,
50+ "Provision Discovery device not found "
51+ MACSTR, MAC2STR(sa));
52+ goto out;
53 }
54 } else if (msg.wfd_subelems) {
55 wpabuf_free(dev->info.wfd_subelems);
56--
572.17.1
58
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index caa6018ce8..357c28634a 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -31,6 +31,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
31 file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \ 31 file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
32 file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \ 32 file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
33 file://CVE-2021-0326.patch \ 33 file://CVE-2021-0326.patch \
34 file://CVE-2021-27803.patch \
34 " 35 "
35SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" 36SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
36SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17" 37SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"