wpa-supplicant: Fix CVE-2015-8041

Backport patch from http://w1.fi/security/2015-5/ and rebase for wpa-supplicant 2.4 (From OE-Core rev: 4d0ebfd77c07475494665dde962137934dd2194a) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Not needed in master since the upgrade to 2.5 Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hongxu Jia <hongxu.jia@windriver.com> 2015-11-13 19:08:06 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-03-03 10:38:46 +0000
commit: 6945a4fddea41a4adda125711cbf177f09405462 (patch)
tree: 4ecb7354275faffc38273086713b7e47a32178c9
parent: b1f23d1254682866236bfaeb843c0d8aa332efc2 (diff)
download: poky-6945a4fddea41a4adda125711cbf177f09405462.tar.gz
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
new file mode 100644
index 0000000000..bc1d1e5d26
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
@@ -0,0 +1,64 @@
+From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 13 Nov 2015 05:54:18 -0500
+Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
+It was possible for the 32-bit record->total_length value to end up
+wrapping around due to integer overflow if the longer form of payload
+length field is used and record->payload_length gets a value close to
+2^32. This could result in ndef_parse_record() accepting a too large
+payload length value and the record type filter reading up to about 20
+bytes beyond the end of the buffer and potentially killing the process.
+This could also result in an attempt to allocate close to 2^32 bytes of
+heap memory and if that were to succeed, a buffer read overflow of the
+same length which would most likely result in the process termination.
+In case of record->total_length ending up getting the value 0, there
+would be no buffer read overflow, but record parsing would result in an
+infinite loop in ndef_parse_records().
+Any of these error cases could potentially be used for denial of service
+attacks over NFC by using a malformed NDEF record on an NFC Tag or
+sending them during NFC connection handover if the application providing
+the NDEF message to hostapd/wpa_supplicant did no validation of the
+received records. While such validation is likely done in the NFC stack
+that needs to parse the NFC messages before further processing,
+hostapd/wpa_supplicant better be prepared for any data being included
+here.
+Fix this by validating record->payload_length value in a way that
+detects integer overflow. (CID 122668)
+Signed-off-by: Jouni Malinen <j@w1.fi>
+Upstream-Status: Backport [from http://w1.fi/security/2015-5/]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ src/wps/ndef.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/src/wps/ndef.c b/src/wps/ndef.c
+index d45dfc8..f7f729b 100644
+--- a/src/wps/ndef.c
+++ b/src/wps/ndef.c
+@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
+                if (size < 6)
+                        return -1;
+                record->payload_length = ntohl(*(u32 *)pos);
+                if (record->payload_length > size - 6)
+                       return -1;
+                pos += sizeof(u32);
+        }
+ 
+@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
+        pos += record->payload_length;
+ 
+        record->total_length = pos - data;
+-       if (record->total_length > size)
+       if (record->total_length > size ||
+           record->total_length < record->payload_length)
+                return -1;
+        return 0;
+ }
+-- 
+1.9.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
index a124cf21d9..6e4d028112 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \
           file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \
           file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \
           file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \
+           file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \
          "
 SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d"
 SRC_URI[sha256sum] = "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122"
author	Hongxu Jia <hongxu.jia@windriver.com>	2015-11-13 19:08:06 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-03-03 10:38:46 +0000
commit	6945a4fddea41a4adda125711cbf177f09405462 (patch)
tree	4ecb7354275faffc38273086713b7e47a32178c9
parent	b1f23d1254682866236bfaeb843c0d8aa332efc2 (diff)
download	poky-6945a4fddea41a4adda125711cbf177f09405462.tar.gz

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch new file mode 100644 index 0000000000..bc1d1e5d26 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
@@ -0,0 +1,64 @@
		1	From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <j@w1.fi>
		3	Date: Fri, 13 Nov 2015 05:54:18 -0500
		4	Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
		5
		6	It was possible for the 32-bit record->total_length value to end up
		7	wrapping around due to integer overflow if the longer form of payload
		8	length field is used and record->payload_length gets a value close to
		9	2^32. This could result in ndef_parse_record() accepting a too large
		10	payload length value and the record type filter reading up to about 20
		11	bytes beyond the end of the buffer and potentially killing the process.
		12	This could also result in an attempt to allocate close to 2^32 bytes of
		13	heap memory and if that were to succeed, a buffer read overflow of the
		14	same length which would most likely result in the process termination.
		15	In case of record->total_length ending up getting the value 0, there
		16	would be no buffer read overflow, but record parsing would result in an
		17	infinite loop in ndef_parse_records().
		18
		19	Any of these error cases could potentially be used for denial of service
		20	attacks over NFC by using a malformed NDEF record on an NFC Tag or
		21	sending them during NFC connection handover if the application providing
		22	the NDEF message to hostapd/wpa_supplicant did no validation of the
		23	received records. While such validation is likely done in the NFC stack
		24	that needs to parse the NFC messages before further processing,
		25	hostapd/wpa_supplicant better be prepared for any data being included
		26	here.
		27
		28	Fix this by validating record->payload_length value in a way that
		29	detects integer overflow. (CID 122668)
		30
		31	Signed-off-by: Jouni Malinen <j@w1.fi>
		32
		33	Upstream-Status: Backport [from http://w1.fi/security/2015-5/]
		34	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		35	---
		36	src/wps/ndef.c \| 5 ++++-
		37	1 file changed, 4 insertions(+), 1 deletion(-)
		38
		39	diff --git a/src/wps/ndef.c b/src/wps/ndef.c
		40	index d45dfc8..f7f729b 100644
		41	--- a/src/wps/ndef.c
		42	+++ b/src/wps/ndef.c
		43	@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
		44	if (size < 6)
		45	return -1;
		46	record->payload_length = ntohl((u32 )pos);
		47	+ if (record->payload_length > size - 6)
		48	+ return -1;
		49	pos += sizeof(u32);
		50	}
		51
		52	@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
		53	pos += record->payload_length;
		54
		55	record->total_length = pos - data;
		56	- if (record->total_length > size)
		57	+ if (record->total_length > size \|\|
		58	+ record->total_length < record->payload_length)
		59	return -1;
		60	return 0;
		61	}
		62	--
		63	1.9.1
		64


diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb index a124cf21d9..6e4d028112 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \
32	file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \	32	file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \
33	file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \	33	file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \
34	file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \	34	file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \
		35	file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \
35	"	36	"
36	SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d"	37	SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d"
37	SRC_URI[sha256sum] = "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122"	38	SRC_URI[sha256sum] = "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122"