wpa-supplicant: fix CVE-2021-0326

In p2p_copy_client_info of p2p.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if the target device is performing a Wi-Fi Direct search, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9 Android ID: A-172937525 References: https://nvd.nist.gov/vuln/detail/CVE-2021-0326 Upstream patches: https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e<links_for_CVE_patches> (From OE-Core rev: 869d88ef4de52e0f9928de1dadf60dbbb0486ea5) Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b7940edabe100512e8f558cc37f9da836feae74d) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Stefan Ghinea <stefan.ghinea@windriver.com> 2021-02-23 21:20:28 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-03-10 00:24:26 +0000
commit: edb299e2ba5c9d8d0e3f26cd89e9d7a0c3e6bfe6 (patch)
tree: 75fdda5b98aaa45f7fabcb5d4ab66484e44e70fd /meta
parent: 8b9b189c2e673e3714d2f3defd1f9169f2fafaf4 (diff)
download: poky-edb299e2ba5c9d8d0e3f26cd89e9d7a0c3e6bfe6.tar.gz
2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
new file mode 100644
index 0000000000..8c90fa3421
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+Upstream-Status: Backport
+CVE: CVE-2021-0326
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index a08ba02..079270f 100644
+--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+        dev->info.config_methods = cli->config_methods;
+        os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+        dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+       if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+               dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+        os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+                  dev->info.wps_sec_dev_type_list_len);
+ }
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 7cc03fef7d..85ac28d881 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
           file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
           file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
           file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
+           file://CVE-2021-0326.patch \
          "
 SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
 SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
author	Stefan Ghinea <stefan.ghinea@windriver.com>	2021-02-23 21:20:28 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-03-10 00:24:26 +0000
commit	edb299e2ba5c9d8d0e3f26cd89e9d7a0c3e6bfe6 (patch)
tree	75fdda5b98aaa45f7fabcb5d4ab66484e44e70fd /meta
parent	8b9b189c2e673e3714d2f3defd1f9169f2fafaf4 (diff)
download	poky-edb299e2ba5c9d8d0e3f26cd89e9d7a0c3e6bfe6.tar.gz

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch new file mode 100644 index 0000000000..8c90fa3421 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
		1	From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <jouni@codeaurora.org>
		3	Date: Mon, 9 Nov 2020 11:43:12 +0200
		4	Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
		5	client
		6
		7	Parsing and copying of WPS secondary device types list was verifying
		8	that the contents is not too long for the internal maximum in the case
		9	of WPS messages, but similar validation was missing from the case of P2P
		10	group information which encodes this information in a different
		11	attribute. This could result in writing beyond the memory area assigned
		12	for these entries and corrupting memory within an instance of struct
		13	p2p_device. This could result in invalid operations and unexpected
		14	behavior when trying to free pointers from that corrupted memory.
		15
		16	Upstream-Status: Backport
		17	CVE: CVE-2021-0326
		18
		19	Reference to upstream patch:
		20	[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
		21
		22	Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
		23	Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
		24	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
		25	Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
		26	---
		27	src/p2p/p2p.c \| 2 ++
		28	1 file changed, 2 insertions(+)
		29
		30	diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
		31	index a08ba02..079270f 100644
		32	--- a/src/p2p/p2p.c
		33	+++ b/src/p2p/p2p.c
		34	@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
		35	dev->info.config_methods = cli->config_methods;
		36	os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
		37	dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
		38	+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
		39	+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
		40	os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
		41	dev->info.wps_sec_dev_type_list_len);
		42	}
		43	--
		44	2.17.1
		45


diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb index 7cc03fef7d..85ac28d881 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
29	file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \	29	file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
30	file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \	30	file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
31	file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \	31	file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
		32	file://CVE-2021-0326.patch \
32	"	33	"
33	SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"	34	SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
34	SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"	35	SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"