summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorAndre McCurdy <armccurdy@gmail.com>2018-05-11 16:52:03 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-05-23 17:43:00 +0100
commit38d3bba4828ea84783bb5f868ad787b7363d3404 (patch)
tree3da2525eea66b13ee816d35cd075018e45df267e /meta
parente662f466bc29b6495eac96219f3963268d96e5d6 (diff)
downloadpoky-38d3bba4828ea84783bb5f868ad787b7363d3404.tar.gz
libnl: fix CVE-2017-0553
An elevation of privilege vulnerability in libnl could enable a local malicious application to execute arbitrary code within the context of the Wi-Fi service. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32342065. NOTE: this issue also exists in the upstream libnl before 3.3.0 library. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0553 Backport fix from upstream libnl 3.3.0 release: https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb http://lists.infradead.org/pipermail/libnl/2017-May/002313.html (From OE-Core rev: f452fbc5d2ffb9c1417079574bed0dfcdc44787a) Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch43
-rw-r--r--meta/recipes-support/libnl/libnl_3.2.29.bb2
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
new file mode 100644
index 0000000000..594dd0616a
--- /dev/null
+++ b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
@@ -0,0 +1,43 @@
1From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
2From: Thomas Haller <thaller@redhat.com>
3Date: Mon, 6 Feb 2017 22:23:52 +0100
4Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
5
6In general, libnl functions are not robust against calling with
7invalid arguments. Thus, never call libnl functions with invalid
8arguments. In case of nlmsg_reserve() this means never provide
9a @len argument that causes overflow.
10
11Still, add an additional safeguard to avoid exploiting such bugs.
12
13Assume that @pad is a trusted, small integer.
14Assume that n->nm_size is a valid number of allocated bytes (and thus
15much smaller then SIZE_T_MAX).
16Assume, that @len may be set to an untrusted value. Then the patch
17avoids an integer overflow resulting in reserving too few bytes.
18
19Upstream-Status: Backport [https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb]
20CVE: CVE-2017-0553
21
22Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
23---
24 lib/msg.c | 3 +++
25 1 file changed, 3 insertions(+)
26
27diff --git a/lib/msg.c b/lib/msg.c
28index 9af3f3a..3e27d4e 100644
29--- a/lib/msg.c
30+++ b/lib/msg.c
31@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
32 size_t nlmsg_len = n->nm_nlh->nlmsg_len;
33 size_t tlen;
34
35+ if (len > n->nm_size)
36+ return NULL;
37+
38 tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
39
40 if ((tlen + nlmsg_len) > n->nm_size)
41--
421.9.1
43
diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb
index 7d4839ba50..4ce80e871b 100644
--- a/meta/recipes-support/libnl/libnl_3.2.29.bb
+++ b/meta/recipes-support/libnl/libnl_3.2.29.bb
@@ -12,7 +12,9 @@ DEPENDS = "flex-native bison-native"
12SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \ 12SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \
13 file://fix-pktloc_syntax_h-race.patch \ 13 file://fix-pktloc_syntax_h-race.patch \
14 file://fix-pc-file.patch \ 14 file://fix-pc-file.patch \
15 file://lib-check-for-integer-overflow-in-nlmsg_reserve.patch \
15" 16"
17
16UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases" 18UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"
17 19
18SRC_URI[md5sum] = "a8ba62a5c4f883f4e493a46d1f3733fe" 20SRC_URI[md5sum] = "a8ba62a5c4f883f4e493a46d1f3733fe"