From: akuster808 <akuster808@gmail.com>
To: Andre McCurdy <armccurdy@gmail.com>,
OE Core mailing list <openembedded-core@lists.openembedded.org>
Subject: Re: [morty][PATCH] libnl: fix CVE-2017-0553
Date: Tue, 26 Jun 2018 15:54:52 -0700 [thread overview]
Message-ID: <4356aafe-b1a7-e41c-8bb8-ca703a93c6b5@gmail.com> (raw)
In-Reply-To: <CAJ86T=WUXvABmEMrU2VntSAoeWivquCWpWC6kwG4Xzfyz1-5Og@mail.gmail.com>
On 06/25/2018 12:48 PM, Andre McCurdy wrote:
> On Thu, May 17, 2018 at 3:19 PM, Andre McCurdy <armccurdy@gmail.com> wrote:
>> An elevation of privilege vulnerability in libnl could enable a local
>> malicious application to execute arbitrary code within the context of
>> the Wi-Fi service. This issue is rated as Moderate because it first
>> requires compromising a privileged process and is mitigated by
>> current platform configurations. Product: Android. Versions: 5.0.2,
>> 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32342065. NOTE: this
>> issue also exists in the upstream libnl before 3.3.0 library.
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0553
>>
>> Backport fix from upstream 3.3.0 release:
>>
>> https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb
>> http://lists.infradead.org/pipermail/libnl/2017-May/002313.html
> Ping.
Thanks for the reminder. it in morty mut build.
- armin
>
>> Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
>> ---
>> ...eck-for-integer-overflow-in-nlmsg_reserve.patch | 43 ++++++++++++++++++++++
>> meta/recipes-support/libnl/libnl_3.2.28.bb | 1 +
>> 2 files changed, 44 insertions(+)
>> create mode 100644 meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
>>
>> diff --git a/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
>> new file mode 100644
>> index 0000000..9e22c40
>> --- /dev/null
>> +++ b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
>> @@ -0,0 +1,43 @@
>> +From 1db543374db3e58faacdfd91e5061a8a595ce505 Mon Sep 17 00:00:00 2001
>> +From: Thomas Haller <thaller@redhat.com>
>> +Date: Mon, 6 Feb 2017 22:23:52 +0100
>> +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
>> +
>> +In general, libnl functions are not robust against calling with
>> +invalid arguments. Thus, never call libnl functions with invalid
>> +arguments. In case of nlmsg_reserve() this means never provide
>> +a @len argument that causes overflow.
>> +
>> +Still, add an additional safeguard to avoid exploiting such bugs.
>> +
>> +Assume that @pad is a trusted, small integer.
>> +Assume that n->nm_size is a valid number of allocated bytes (and thus
>> +much smaller then SIZE_T_MAX).
>> +Assume, that @len may be set to an untrusted value. Then the patch
>> +avoids an integer overflow resulting in reserving too few bytes.
>> +
>> +Upstream-Status: Backport [https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb]
>> +CVE: CVE-2017-0553
>> +
>> +Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
>> +---
>> + lib/msg.c | 3 +++
>> + 1 file changed, 3 insertions(+)
>> +
>> +diff --git a/lib/msg.c b/lib/msg.c
>> +index e8a7e99..f30fd2d 100644
>> +--- a/lib/msg.c
>> ++++ b/lib/msg.c
>> +@@ -410,6 +410,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
>> + size_t nlmsg_len = n->nm_nlh->nlmsg_len;
>> + size_t tlen;
>> +
>> ++ if (len > n->nm_size)
>> ++ return NULL;
>> ++
>> + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
>> +
>> + if ((tlen + nlmsg_len) > n->nm_size)
>> +--
>> +1.9.1
>> +
>> diff --git a/meta/recipes-support/libnl/libnl_3.2.28.bb b/meta/recipes-support/libnl/libnl_3.2.28.bb
>> index 26982f3..a74b455 100644
>> --- a/meta/recipes-support/libnl/libnl_3.2.28.bb
>> +++ b/meta/recipes-support/libnl/libnl_3.2.28.bb
>> @@ -12,6 +12,7 @@ DEPENDS = "flex-native bison-native"
>> SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV', True).replace('.','_')}/${BP}.tar.gz \
>> file://fix-pktloc_syntax_h-race.patch \
>> file://fix-pc-file.patch \
>> + file://lib-check-for-integer-overflow-in-nlmsg_reserve.patch \
>> file://0001-lib-add-utility-function-nl_strerror_l.patch \
>> file://0002-lib-switch-to-using-strerror_l-instead-of-strerror_r.patch \
>> file://0003-src-switch-to-using-strerror_l-instead-of-strerror_r.patch \
>> --
>> 1.9.1
>>
prev parent reply other threads:[~2018-06-26 22:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-17 22:19 [morty][PATCH] libnl: fix CVE-2017-0553 Andre McCurdy
2018-06-25 19:48 ` Andre McCurdy
2018-06-26 22:54 ` akuster808 [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4356aafe-b1a7-e41c-8bb8-ca703a93c6b5@gmail.com \
--to=akuster808@gmail.com \
--cc=armccurdy@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox