From: fan.xin <fan.xin@jp.fujitsu.com>
To: "Burton, Ross" <ross.burton@intel.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH v2] wpa-supplicant: Fix CVE-2015-4142
Date: Mon, 29 Jun 2015 17:11:11 +0900 [thread overview]
Message-ID: <5590FD9F.9090204@jp.fujitsu.com> (raw)
In-Reply-To: <CAJTo0LYdeaZMRkEMmd+k4Qy91aMC1fYSRcQGBBfzgqKXt79pqw@mail.gmail.com>
wpa-supplicant: Fix CVE-2015-4142
wpa-supplicant has a vulnerability aka CVE-2015-4142.
This patch fixes CVE-2015-4142.
Description on [1] and patch taken from [2].
[1]https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4142
[2]http://w1.fi/security/2015-3/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
Upstream-Status: Backport
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
---
...integer-underflow-in-WMM-Action-frame-par.patch | 41 ++++++++++++++++++++++
.../wpa-supplicant/wpa-supplicant_2.4.bb | 1 +
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
new file mode 100644
index 0000000..79c5af8
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
@@ -0,0 +1,41 @@
+From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Wed, 29 Apr 2015 02:21:53 +0300
+Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
+
+The length of the WMM Action frame was not properly validated and the
+length of the information elements (int left) could end up being
+negative. This would result in reading significantly past the stack
+buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
+so, resulting in segmentation fault.
+
+This can result in an invalid frame being used for a denial of service
+attack (hostapd process killed) against an AP with a driver that uses
+hostapd for management frame processing (e.g., all mac80211-based
+drivers).
+
+Thanks to Kostya Kortchinsky of Google security team for discovering and
+reporting this issue.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wmm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/ap/wmm.c b/src/ap/wmm.c
+index 6d4177c..314e244 100644
+--- a/src/ap/wmm.c
++++ b/src/ap/wmm.c
+@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_data *hapd,
+ return;
+ }
+
++ if (left < 0)
++ return; /* not a valid WMM Action frame */
++
+ /* extract the tspec info element */
+ if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
+ hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
+--
+1.9.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
index ebae239..fee8384 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://wpa_supplicant.conf-sane \
file://99_wpa_supplicant \
file://0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch \
+ file://0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch \
"
SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d"
SRC_URI[sha256sum] = "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122"
--
1.8.4.2
On 2015年06月27日 00:19, Burton, Ross wrote:
>
> On 26 June 2015 at 09:05, fan.xin <fan.xin@jp.fujitsu.com <mailto:fan.xin@jp.fujitsu.com>> wrote:
>
> +From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
> +From: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>>
> +Date: Wed, 29 Apr 2015 02:21:53 +0300
> +Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
> +
> +The length of the WMM Action frame was not properly validated and the
> +length of the information elements (int left) could end up being
> +negative. This would result in reading significantly past the stack
> +buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
> +so, resulting in segmentation fault.
> +
> +This can result in an invalid frame being used for a denial of service
> +attack (hostapd process killed) against an AP with a driver that uses
> +hostapd for management frame processing (e.g., all mac80211-based
> +drivers).
> +
> +Thanks to Kostya Kortchinsky of Google security team for discovering and
> +reporting this issue.
> +
> +Signed-off-by: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>>
>
>
> This patch needs an Upstream-Status (backport?) and Signed-off-by in the patch header.
>
> Ross
next prev parent reply other threads:[~2015-06-29 8:24 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-26 8:05 [PATCH] wpa-supplicant: Fix CVE-2015-4142 fan.xin
2015-06-26 15:19 ` Burton, Ross
2015-06-29 8:11 ` fan.xin [this message]
2015-06-29 11:43 ` [PATCH v2] " Burton, Ross
2015-06-30 2:21 ` [PATCH v3] " fan.xin
-- strict thread matches above, loose matches on Subject: below --
2015-08-10 19:08 [PATCH v2] " Otavio Salvador
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5590FD9F.9090204@jp.fujitsu.com \
--to=fan.xin@jp.fujitsu.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=ross.burton@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox