diff options
| author | Peter Marko <peter.marko@siemens.com> | 2024-09-29 14:57:10 +0200 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-10-07 05:43:22 -0700 |
| commit | 18329f8b1cf0dbabb8837e48ef91257389813e21 (patch) | |
| tree | 3a57430e7288a50adff87d3208691d5d29aaf804 | |
| parent | 27848b47b86cbdbe342b4f663b949aa43710071d (diff) | |
| download | poky-18329f8b1cf0dbabb8837e48ef91257389813e21.tar.gz | |
wpa-supplicant: Patch security advisory 2024-2
Pick patches according to
http://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt
SAE H2E and incomplete downgrade protection for group negotiation
(From OE-Core rev: 58b8ad7e33f47f06409be84430a8c2a22b4dd92f)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 files changed, 143 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch new file mode 100644 index 0000000000..5780f27f8b --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch | |||
| @@ -0,0 +1,52 @@ | |||
| 1 | From 364c2da8741f0979dae497551e70b94c0e6c8636 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jouni Malinen <j@w1.fi> | ||
| 3 | Date: Sun, 7 Jul 2024 11:46:49 +0300 | ||
| 4 | Subject: [PATCH 1/3] SAE: Check for invalid Rejected Groups element length | ||
| 5 | explicitly | ||
| 6 | |||
| 7 | Instead of practically ignoring an odd octet at the end of the element, | ||
| 8 | check for such invalid case explicitly. This is needed to avoid a | ||
| 9 | potential group downgrade attack. | ||
| 10 | |||
| 11 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
| 12 | |||
| 13 | CVE: CVE-2024-3596 | ||
| 14 | Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=364c2da8741f0979dae497551e70b94c0e6c8636] | ||
| 15 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 16 | --- | ||
| 17 | src/ap/ieee802_11.c | 12 ++++++++++-- | ||
| 18 | 1 file changed, 10 insertions(+), 2 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c | ||
| 21 | index db4104928..1a62e30cc 100644 | ||
| 22 | --- a/src/ap/ieee802_11.c | ||
| 23 | +++ b/src/ap/ieee802_11.c | ||
| 24 | @@ -1258,7 +1258,7 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd, | ||
| 25 | struct sae_data *sae) | ||
| 26 | { | ||
| 27 | const struct wpabuf *groups; | ||
| 28 | - size_t i, count; | ||
| 29 | + size_t i, count, len; | ||
| 30 | const u8 *pos; | ||
| 31 | |||
| 32 | if (!sae->tmp) | ||
| 33 | @@ -1268,7 +1268,15 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd, | ||
| 34 | return 0; | ||
| 35 | |||
| 36 | pos = wpabuf_head(groups); | ||
| 37 | - count = wpabuf_len(groups) / 2; | ||
| 38 | + len = wpabuf_len(groups); | ||
| 39 | + if (len & 1) { | ||
| 40 | + wpa_printf(MSG_DEBUG, | ||
| 41 | + "SAE: Invalid length of the Rejected Groups element payload: %zu", | ||
| 42 | + len); | ||
| 43 | + return 1; | ||
| 44 | + } | ||
| 45 | + | ||
| 46 | + count = len / 2; | ||
| 47 | for (i = 0; i < count; i++) { | ||
| 48 | int enabled; | ||
| 49 | u16 group; | ||
| 50 | -- | ||
| 51 | 2.30.2 | ||
| 52 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch new file mode 100644 index 0000000000..3e96ae9e2e --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch | |||
| @@ -0,0 +1,50 @@ | |||
| 1 | From 593a7c2f8c93edd6b552f2d42e28164464b4e6ff Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jouni Malinen <j@w1.fi> | ||
| 3 | Date: Tue, 9 Jul 2024 23:33:38 +0300 | ||
| 4 | Subject: [PATCH 2/3] SAE: Check for invalid Rejected Groups element length | ||
| 5 | explicitly on STA | ||
| 6 | |||
| 7 | Instead of practically ignoring an odd octet at the end of the element, | ||
| 8 | check for such invalid case explicitly. This is needed to avoid a | ||
| 9 | potential group downgrade attack. | ||
| 10 | |||
| 11 | Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled") | ||
| 12 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
| 13 | |||
| 14 | Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=593a7c2f8c93edd6b552f2d42e28164464b4e6ff] | ||
| 15 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 16 | --- | ||
| 17 | wpa_supplicant/sme.c | 11 +++++++++-- | ||
| 18 | 1 file changed, 9 insertions(+), 2 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c | ||
| 21 | index 7f43216c6..c7289f6a8 100644 | ||
| 22 | --- a/wpa_supplicant/sme.c | ||
| 23 | +++ b/wpa_supplicant/sme.c | ||
| 24 | @@ -1222,14 +1222,21 @@ static int sme_sae_is_group_enabled(struct wpa_supplicant *wpa_s, int group) | ||
| 25 | static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s, | ||
| 26 | const struct wpabuf *groups) | ||
| 27 | { | ||
| 28 | - size_t i, count; | ||
| 29 | + size_t i, count, len; | ||
| 30 | const u8 *pos; | ||
| 31 | |||
| 32 | if (!groups) | ||
| 33 | return 0; | ||
| 34 | |||
| 35 | pos = wpabuf_head(groups); | ||
| 36 | - count = wpabuf_len(groups) / 2; | ||
| 37 | + len = wpabuf_len(groups); | ||
| 38 | + if (len & 1) { | ||
| 39 | + wpa_printf(MSG_DEBUG, | ||
| 40 | + "SAE: Invalid length of the Rejected Groups element payload: %zu", | ||
| 41 | + len); | ||
| 42 | + return 1; | ||
| 43 | + } | ||
| 44 | + count = len / 2; | ||
| 45 | for (i = 0; i < count; i++) { | ||
| 46 | int enabled; | ||
| 47 | u16 group; | ||
| 48 | -- | ||
| 49 | 2.30.2 | ||
| 50 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch new file mode 100644 index 0000000000..5e9e8bc01d --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | From 9716bf1160beb677e965d9e6475d6c9e162e8374 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jouni Malinen <j@w1.fi> | ||
| 3 | Date: Tue, 9 Jul 2024 23:34:34 +0300 | ||
| 4 | Subject: [PATCH 3/3] SAE: Reject invalid Rejected Groups element in the parser | ||
| 5 | |||
| 6 | There is no need to depend on all uses (i.e., both hostapd and | ||
| 7 | wpa_supplicant) to verify that the length of the Rejected Groups field | ||
| 8 | in the Rejected Groups element is valid (i.e., a multiple of two octets) | ||
| 9 | since the common parser can reject the message when detecting this. | ||
| 10 | |||
| 11 | Signed-off-by: Jouni Malinen <j@w1.fi> | ||
| 12 | |||
| 13 | Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=9716bf1160beb677e965d9e6475d6c9e162e8374] | ||
| 14 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 15 | --- | ||
| 16 | src/common/sae.c | 6 ++++++ | ||
| 17 | 1 file changed, 6 insertions(+) | ||
| 18 | |||
| 19 | diff --git a/src/common/sae.c b/src/common/sae.c | ||
| 20 | index c0f154e91..620bdf753 100644 | ||
| 21 | --- a/src/common/sae.c | ||
| 22 | +++ b/src/common/sae.c | ||
| 23 | @@ -2076,6 +2076,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae, | ||
| 24 | return WLAN_STATUS_UNSPECIFIED_FAILURE; | ||
| 25 | epos++; /* skip ext ID */ | ||
| 26 | len--; | ||
| 27 | + if (len & 1) { | ||
| 28 | + wpa_printf(MSG_DEBUG, | ||
| 29 | + "SAE: Invalid length of the Rejected Groups element payload: %u", | ||
| 30 | + len); | ||
| 31 | + return WLAN_STATUS_UNSPECIFIED_FAILURE; | ||
| 32 | + } | ||
| 33 | |||
| 34 | wpabuf_free(sae->tmp->peer_rejected_groups); | ||
| 35 | sae->tmp->peer_rejected_groups = wpabuf_alloc(len); | ||
| 36 | -- | ||
| 37 | 2.30.2 | ||
| 38 | |||
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb index f5e9dce17c..459039d01e 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb | |||
| @@ -35,6 +35,9 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ | |||
| 35 | file://CVE-2024-3596_06.patch \ | 35 | file://CVE-2024-3596_06.patch \ |
| 36 | file://CVE-2024-3596_07.patch \ | 36 | file://CVE-2024-3596_07.patch \ |
| 37 | file://CVE-2024-3596_08.patch \ | 37 | file://CVE-2024-3596_08.patch \ |
| 38 | file://0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \ | ||
| 39 | file://0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \ | ||
| 40 | file://0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch \ | ||
| 38 | " | 41 | " |
| 39 | SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" | 42 | SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" |
| 40 | 43 | ||
