* [PATCH 0/1] wpa-supplicant: Fix CVE-2015-8041 @ 2015-11-13 11:08 Hongxu Jia 2015-11-13 11:08 ` [PATCH 1/1] " Hongxu Jia 0 siblings, 1 reply; 7+ messages in thread From: Hongxu Jia @ 2015-11-13 11:08 UTC (permalink / raw) To: openembedded-core, ross.burton The following changes since commit fc45deac89ef63ca1c44e763c38ced7dfd72cbe1: build-appliance-image: Update to jethro head revision (2015-11-03 14:03:03 +0000) are available in the git repository at: git://git.pokylinux.org/poky-contrib hongxu/wpa-supplicant http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=hongxu/wpa-supplicant Hongxu Jia (1): wpa-supplicant: Fix CVE-2015-8041 ...load-length-validation-in-NDEF-record-par.patch | 64 ++++++++++++++++++++++ .../wpa-supplicant/wpa-supplicant_2.4.bb | 1 + 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch -- 1.9.1 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041 2015-11-13 11:08 [PATCH 0/1] wpa-supplicant: Fix CVE-2015-8041 Hongxu Jia @ 2015-11-13 11:08 ` Hongxu Jia 2015-11-13 12:11 ` Jussi Kukkonen 0 siblings, 1 reply; 7+ messages in thread From: Hongxu Jia @ 2015-11-13 11:08 UTC (permalink / raw) To: openembedded-core, ross.burton Backport patch from http://w1.fi/security/2015-5/ and rebase for wpa-supplicant 2.4 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- ...load-length-validation-in-NDEF-record-par.patch | 64 ++++++++++++++++++++++ .../wpa-supplicant/wpa-supplicant_2.4.bb | 1 + 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch new file mode 100644 index 0000000..bc1d1e5 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch @@ -0,0 +1,64 @@ +From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Fri, 13 Nov 2015 05:54:18 -0500 +Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser + +It was possible for the 32-bit record->total_length value to end up +wrapping around due to integer overflow if the longer form of payload +length field is used and record->payload_length gets a value close to +2^32. This could result in ndef_parse_record() accepting a too large +payload length value and the record type filter reading up to about 20 +bytes beyond the end of the buffer and potentially killing the process. +This could also result in an attempt to allocate close to 2^32 bytes of +heap memory and if that were to succeed, a buffer read overflow of the +same length which would most likely result in the process termination. +In case of record->total_length ending up getting the value 0, there +would be no buffer read overflow, but record parsing would result in an +infinite loop in ndef_parse_records(). + +Any of these error cases could potentially be used for denial of service +attacks over NFC by using a malformed NDEF record on an NFC Tag or +sending them during NFC connection handover if the application providing +the NDEF message to hostapd/wpa_supplicant did no validation of the +received records. While such validation is likely done in the NFC stack +that needs to parse the NFC messages before further processing, +hostapd/wpa_supplicant better be prepared for any data being included +here. + +Fix this by validating record->payload_length value in a way that +detects integer overflow. (CID 122668) + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport [from http://w1.fi/security/2015-5/] +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + src/wps/ndef.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/wps/ndef.c b/src/wps/ndef.c +index d45dfc8..f7f729b 100644 +--- a/src/wps/ndef.c ++++ b/src/wps/ndef.c +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size, + if (size < 6) + return -1; + record->payload_length = ntohl(*(u32 *)pos); ++ if (record->payload_length > size - 6) ++ return -1; + pos += sizeof(u32); + } + +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size, + pos += record->payload_length; + + record->total_length = pos - data; +- if (record->total_length > size) ++ if (record->total_length > size || ++ record->total_length < record->payload_length) + return -1; + return 0; + } +-- +1.9.1 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb index a124cf2..6e4d028 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb @@ -32,6 +32,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \ file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \ file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ + file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \ " SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d" SRC_URI[sha256sum] = "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122" -- 1.9.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041 2015-11-13 11:08 ` [PATCH 1/1] " Hongxu Jia @ 2015-11-13 12:11 ` Jussi Kukkonen 2015-11-13 12:18 ` Hongxu Jia 0 siblings, 1 reply; 7+ messages in thread From: Jussi Kukkonen @ 2015-11-13 12:11 UTC (permalink / raw) To: Hongxu Jia; +Cc: Patches and discussions about the oe-core layer [-- Attachment #1: Type: text/plain, Size: 5270 bytes --] On 13 November 2015 at 13:08, Hongxu Jia <hongxu.jia@windriver.com> wrote: > Backport patch from http://w1.fi/security/2015-5/ > and rebase for wpa-supplicant 2.4 There's a thread about upgrading master to 2.5 (which should fix this) already. The patch probably still makes sense for jethro though. - Jussi > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > --- > ...load-length-validation-in-NDEF-record-par.patch | 64 > ++++++++++++++++++++++ > .../wpa-supplicant/wpa-supplicant_2.4.bb | 1 + > 2 files changed, 65 insertions(+) > create mode 100644 > meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch > > diff --git > a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch > new file mode 100644 > index 0000000..bc1d1e5 > --- /dev/null > +++ > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch > @@ -0,0 +1,64 @@ > +From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 2001 > +From: Jouni Malinen <j@w1.fi> > +Date: Fri, 13 Nov 2015 05:54:18 -0500 > +Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser > + > +It was possible for the 32-bit record->total_length value to end up > +wrapping around due to integer overflow if the longer form of payload > +length field is used and record->payload_length gets a value close to > +2^32. This could result in ndef_parse_record() accepting a too large > +payload length value and the record type filter reading up to about 20 > +bytes beyond the end of the buffer and potentially killing the process. > +This could also result in an attempt to allocate close to 2^32 bytes of > +heap memory and if that were to succeed, a buffer read overflow of the > +same length which would most likely result in the process termination. > +In case of record->total_length ending up getting the value 0, there > +would be no buffer read overflow, but record parsing would result in an > +infinite loop in ndef_parse_records(). > + > +Any of these error cases could potentially be used for denial of service > +attacks over NFC by using a malformed NDEF record on an NFC Tag or > +sending them during NFC connection handover if the application providing > +the NDEF message to hostapd/wpa_supplicant did no validation of the > +received records. While such validation is likely done in the NFC stack > +that needs to parse the NFC messages before further processing, > +hostapd/wpa_supplicant better be prepared for any data being included > +here. > + > +Fix this by validating record->payload_length value in a way that > +detects integer overflow. (CID 122668) > + > +Signed-off-by: Jouni Malinen <j@w1.fi> > + > +Upstream-Status: Backport [from http://w1.fi/security/2015-5/] > +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > +--- > + src/wps/ndef.c | 5 ++++- > + 1 file changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/src/wps/ndef.c b/src/wps/ndef.c > +index d45dfc8..f7f729b 100644 > +--- a/src/wps/ndef.c > ++++ b/src/wps/ndef.c > +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size, > + if (size < 6) > + return -1; > + record->payload_length = ntohl(*(u32 *)pos); > ++ if (record->payload_length > size - 6) > ++ return -1; > + pos += sizeof(u32); > + } > + > +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size, > + pos += record->payload_length; > + > + record->total_length = pos - data; > +- if (record->total_length > size) > ++ if (record->total_length > size || > ++ record->total_length < record->payload_length) > + return -1; > + return 0; > + } > +-- > +1.9.1 > + > diff --git a/meta/recipes-connectivity/wpa-supplicant/ > wpa-supplicant_2.4.bb b/meta/recipes-connectivity/wpa-supplicant/ > wpa-supplicant_2.4.bb > index a124cf2..6e4d028 100644 > --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb > +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb > @@ -32,6 +32,7 @@ SRC_URI = " > http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \ > > file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \ > > file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \ > > file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ > + > file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \ > " > SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d" > SRC_URI[sha256sum] = > "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122" > -- > 1.9.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core > [-- Attachment #2: Type: text/html, Size: 7362 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041 2015-11-13 12:11 ` Jussi Kukkonen @ 2015-11-13 12:18 ` Hongxu Jia 2016-02-22 4:15 ` Paul Eggleton 0 siblings, 1 reply; 7+ messages in thread From: Hongxu Jia @ 2015-11-13 12:18 UTC (permalink / raw) To: Jussi Kukkonen; +Cc: Patches and discussions about the oe-core layer [-- Attachment #1: Type: text/plain, Size: 6443 bytes --] On 11/13/2015 08:11 PM, Jussi Kukkonen wrote: > On 13 November 2015 at 13:08, Hongxu Jia <hongxu.jia@windriver.com > <mailto:hongxu.jia@windriver.com>> wrote: > > Backport patch from http://w1.fi/security/2015-5/ > and rebase for wpa-supplicant 2.4 > > > There's a thread about upgrading master to 2.5 (which should fix this) > already. > The patch probably still makes sense for jethro though. > Yes, you are right, the 2.5 don't need this, it makes sense for jethro. //Hongxu > - Jussi > > > > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com > <mailto:hongxu.jia@windriver.com>> > --- > ...load-length-validation-in-NDEF-record-par.patch | 64 > ++++++++++++++++++++++ > .../wpa-supplicant/wpa-supplicant_2.4.bb > <http://wpa-supplicant_2.4.bb> | 1 + > 2 files changed, 65 insertions(+) > create mode 100644 > meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch > > diff --git > a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch > new file mode 100644 > index 0000000..bc1d1e5 > --- /dev/null > +++ > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch > @@ -0,0 +1,64 @@ > +From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 > 2001 > +From: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>> > +Date: Fri, 13 Nov 2015 05:54:18 -0500 > +Subject: [PATCH] NFC: Fix payload length validation in NDEF > record parser > + > +It was possible for the 32-bit record->total_length value to end up > +wrapping around due to integer overflow if the longer form of payload > +length field is used and record->payload_length gets a value close to > +2^32. This could result in ndef_parse_record() accepting a too large > +payload length value and the record type filter reading up to > about 20 > +bytes beyond the end of the buffer and potentially killing the > process. > +This could also result in an attempt to allocate close to 2^32 > bytes of > +heap memory and if that were to succeed, a buffer read overflow > of the > +same length which would most likely result in the process > termination. > +In case of record->total_length ending up getting the value 0, there > +would be no buffer read overflow, but record parsing would result > in an > +infinite loop in ndef_parse_records(). > + > +Any of these error cases could potentially be used for denial of > service > +attacks over NFC by using a malformed NDEF record on an NFC Tag or > +sending them during NFC connection handover if the application > providing > +the NDEF message to hostapd/wpa_supplicant did no validation of the > +received records. While such validation is likely done in the NFC > stack > +that needs to parse the NFC messages before further processing, > +hostapd/wpa_supplicant better be prepared for any data being included > +here. > + > +Fix this by validating record->payload_length value in a way that > +detects integer overflow. (CID 122668) > + > +Signed-off-by: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>> > + > +Upstream-Status: Backport [from http://w1.fi/security/2015-5/] > +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com > <mailto:hongxu.jia@windriver.com>> > +--- > + src/wps/ndef.c | 5 ++++- > + 1 file changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/src/wps/ndef.c b/src/wps/ndef.c > +index d45dfc8..f7f729b 100644 > +--- a/src/wps/ndef.c > ++++ b/src/wps/ndef.c > +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, > u32 size, > + if (size < 6) > + return -1; > + record->payload_length = ntohl(*(u32 *)pos); > ++ if (record->payload_length > size - 6) > ++ return -1; > + pos += sizeof(u32); > + } > + > +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, > u32 size, > + pos += record->payload_length; > + > + record->total_length = pos - data; > +- if (record->total_length > size) > ++ if (record->total_length > size || > ++ record->total_length < record->payload_length) > + return -1; > + return 0; > + } > +-- > +1.9.1 > + > diff --git > a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb > <http://wpa-supplicant_2.4.bb> > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb > <http://wpa-supplicant_2.4.bb> > index a124cf2..6e4d028 100644 > --- > a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb > <http://wpa-supplicant_2.4.bb> > +++ > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb > <http://wpa-supplicant_2.4.bb> > @@ -32,6 +32,7 @@ SRC_URI = > "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz > <http://hostap.epitest.fi/releases/wpa_supplicant-$%7BPV%7D.tar.gz> \ > file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch > \ > file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch > \ > file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ > + > file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch > \ > " > SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d" > SRC_URI[sha256sum] = > "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122" > -- > 1.9.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > <mailto:Openembedded-core@lists.openembedded.org> > http://lists.openembedded.org/mailman/listinfo/openembedded-core > > [-- Attachment #2: Type: text/html, Size: 12018 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041 2015-11-13 12:18 ` Hongxu Jia @ 2016-02-22 4:15 ` Paul Eggleton 2016-02-22 5:43 ` Robert Yang 2016-02-29 15:12 ` Joshua G Lock 0 siblings, 2 replies; 7+ messages in thread From: Paul Eggleton @ 2016-02-22 4:15 UTC (permalink / raw) To: Robert Yang, Joshua Lock; +Cc: openembedded-core Hi Robert, I just noticed this never got merged into jethro. Could you take care of that? The original patch is here: http://patchwork.openembedded.org/patch/107625/ Joshua, looks like we could use this one in fido as well. Thanks, Paul On Fri, 13 Nov 2015 20:18:09 Hongxu Jia wrote: > On 11/13/2015 08:11 PM, Jussi Kukkonen wrote: > > On 13 November 2015 at 13:08, Hongxu Jia <hongxu.jia@windriver.com > > > > <mailto:hongxu.jia@windriver.com>> wrote: > > Backport patch from http://w1.fi/security/2015-5/ > > and rebase for wpa-supplicant 2.4 > > > > There's a thread about upgrading master to 2.5 (which should fix this) > > already. > > The patch probably still makes sense for jethro though. > > Yes, you are right, the 2.5 don't need this, it makes sense for jethro. > > //Hongxu > > > - Jussi > > > > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com > > <mailto:hongxu.jia@windriver.com>> > > --- > > > > ...load-length-validation-in-NDEF-record-par.patch | 64 > > > > ++++++++++++++++++++++ > > > > .../wpa-supplicant/wpa-supplicant_2.4.bb > > > > <http://wpa-supplicant_2.4.bb> | 1 + > > > > 2 files changed, 65 insertions(+) > > create mode 100644 > > > > meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-p > > ayload-length-validation-in-NDEF-record-par.patch > > > > diff --git > > a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix > > -payload-length-validation-in-NDEF-record-par.patch > > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fi > > x-payload-length-validation-in-NDEF-record-par.patch new file mode > > 100644 > > index 0000000..bc1d1e5 > > --- /dev/null > > +++ > > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix > > -payload-length-validation-in-NDEF-record-par.patch @@ -0,0 +1,64 @@ > > +From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 > > 2001 > > +From: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>> > > +Date: Fri, 13 Nov 2015 05:54:18 -0500 > > +Subject: [PATCH] NFC: Fix payload length validation in NDEF > > record parser > > + > > +It was possible for the 32-bit record->total_length value to end up > > +wrapping around due to integer overflow if the longer form of payload > > +length field is used and record->payload_length gets a value close to > > +2^32. This could result in ndef_parse_record() accepting a too large > > +payload length value and the record type filter reading up to > > about 20 > > +bytes beyond the end of the buffer and potentially killing the > > process. > > +This could also result in an attempt to allocate close to 2^32 > > bytes of > > +heap memory and if that were to succeed, a buffer read overflow > > of the > > +same length which would most likely result in the process > > termination. > > +In case of record->total_length ending up getting the value 0, there > > +would be no buffer read overflow, but record parsing would result > > in an > > +infinite loop in ndef_parse_records(). > > + > > +Any of these error cases could potentially be used for denial of > > service > > +attacks over NFC by using a malformed NDEF record on an NFC Tag or > > +sending them during NFC connection handover if the application > > providing > > +the NDEF message to hostapd/wpa_supplicant did no validation of the > > +received records. While such validation is likely done in the NFC > > stack > > +that needs to parse the NFC messages before further processing, > > +hostapd/wpa_supplicant better be prepared for any data being included > > +here. > > + > > +Fix this by validating record->payload_length value in a way that > > +detects integer overflow. (CID 122668) > > + > > +Signed-off-by: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>> > > + > > +Upstream-Status: Backport [from http://w1.fi/security/2015-5/] > > +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com > > <mailto:hongxu.jia@windriver.com>> > > +--- > > + src/wps/ndef.c | 5 ++++- > > + 1 file changed, 4 insertions(+), 1 deletion(-) > > + > > +diff --git a/src/wps/ndef.c b/src/wps/ndef.c > > +index d45dfc8..f7f729b 100644 > > +--- a/src/wps/ndef.c > > ++++ b/src/wps/ndef.c > > +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, > > u32 size, > > + if (size < 6) > > + return -1; > > + record->payload_length = ntohl(*(u32 *)pos); > > ++ if (record->payload_length > size - 6) > > ++ return -1; > > + pos += sizeof(u32); > > + } > > + > > +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, > > u32 size, > > + pos += record->payload_length; > > + > > + record->total_length = pos - data; > > +- if (record->total_length > size) > > ++ if (record->total_length > size || > > ++ record->total_length < record->payload_length) > > + return -1; > > + return 0; > > + } > > +-- > > +1.9.1 > > + > > diff --git > > a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb > > <http://wpa-supplicant_2.4.bb> > > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb > > <http://wpa-supplicant_2.4.bb> > > index a124cf2..6e4d028 100644 > > --- > > a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb > > <http://wpa-supplicant_2.4.bb> > > +++ > > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb > > <http://wpa-supplicant_2.4.bb> > > @@ -32,6 +32,7 @@ SRC_URI = > > "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz > > <http://hostap.epitest.fi/releases/wpa_supplicant-$%7BPV%7D.tar.gz> \ > > file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch > > \ > > file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch > > \ > > file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ > > + > > > > file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patc > > h > > > > \ > > > > " > > > > SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d" > > SRC_URI[sha256sum] = > > > > "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122" > > -- > > 1.9.1 > > > > -- > > _______________________________________________ > > Openembedded-core mailing list > > Openembedded-core@lists.openembedded.org > > <mailto:Openembedded-core@lists.openembedded.org> > > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- Paul Eggleton Intel Open Source Technology Centre ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041 2016-02-22 4:15 ` Paul Eggleton @ 2016-02-22 5:43 ` Robert Yang 2016-02-29 15:12 ` Joshua G Lock 1 sibling, 0 replies; 7+ messages in thread From: Robert Yang @ 2016-02-22 5:43 UTC (permalink / raw) To: Paul Eggleton, Joshua Lock; +Cc: openembedded-core On 02/22/2016 12:15 PM, Paul Eggleton wrote: > Hi Robert, > > I just noticed this never got merged into jethro. Could you take care of that? > The original patch is here: Got it, thanks. // Robert > > http://patchwork.openembedded.org/patch/107625/ > > Joshua, looks like we could use this one in fido as well. > > Thanks, > Paul > > On Fri, 13 Nov 2015 20:18:09 Hongxu Jia wrote: >> On 11/13/2015 08:11 PM, Jussi Kukkonen wrote: >>> On 13 November 2015 at 13:08, Hongxu Jia <hongxu.jia@windriver.com >>> >>> <mailto:hongxu.jia@windriver.com>> wrote: >>> Backport patch from http://w1.fi/security/2015-5/ >>> and rebase for wpa-supplicant 2.4 >>> >>> There's a thread about upgrading master to 2.5 (which should fix this) >>> already. >>> The patch probably still makes sense for jethro though. >> >> Yes, you are right, the 2.5 don't need this, it makes sense for jethro. >> >> //Hongxu >> >>> - Jussi >>> >>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com >>> <mailto:hongxu.jia@windriver.com>> >>> --- >>> >>> ...load-length-validation-in-NDEF-record-par.patch | 64 >>> >>> ++++++++++++++++++++++ >>> >>> .../wpa-supplicant/wpa-supplicant_2.4.bb >>> >>> <http://wpa-supplicant_2.4.bb> | 1 + >>> >>> 2 files changed, 65 insertions(+) >>> create mode 100644 >>> >>> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-p >>> ayload-length-validation-in-NDEF-record-par.patch >>> >>> diff --git >>> a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix >>> -payload-length-validation-in-NDEF-record-par.patch >>> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fi >>> x-payload-length-validation-in-NDEF-record-par.patch new file mode >>> 100644 >>> index 0000000..bc1d1e5 >>> --- /dev/null >>> +++ >>> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix >>> -payload-length-validation-in-NDEF-record-par.patch @@ -0,0 +1,64 @@ >>> +From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 >>> 2001 >>> +From: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>> >>> +Date: Fri, 13 Nov 2015 05:54:18 -0500 >>> +Subject: [PATCH] NFC: Fix payload length validation in NDEF >>> record parser >>> + >>> +It was possible for the 32-bit record->total_length value to end up >>> +wrapping around due to integer overflow if the longer form of payload >>> +length field is used and record->payload_length gets a value close to >>> +2^32. This could result in ndef_parse_record() accepting a too large >>> +payload length value and the record type filter reading up to >>> about 20 >>> +bytes beyond the end of the buffer and potentially killing the >>> process. >>> +This could also result in an attempt to allocate close to 2^32 >>> bytes of >>> +heap memory and if that were to succeed, a buffer read overflow >>> of the >>> +same length which would most likely result in the process >>> termination. >>> +In case of record->total_length ending up getting the value 0, there >>> +would be no buffer read overflow, but record parsing would result >>> in an >>> +infinite loop in ndef_parse_records(). >>> + >>> +Any of these error cases could potentially be used for denial of >>> service >>> +attacks over NFC by using a malformed NDEF record on an NFC Tag or >>> +sending them during NFC connection handover if the application >>> providing >>> +the NDEF message to hostapd/wpa_supplicant did no validation of the >>> +received records. While such validation is likely done in the NFC >>> stack >>> +that needs to parse the NFC messages before further processing, >>> +hostapd/wpa_supplicant better be prepared for any data being included >>> +here. >>> + >>> +Fix this by validating record->payload_length value in a way that >>> +detects integer overflow. (CID 122668) >>> + >>> +Signed-off-by: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>> >>> + >>> +Upstream-Status: Backport [from http://w1.fi/security/2015-5/] >>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com >>> <mailto:hongxu.jia@windriver.com>> >>> +--- >>> + src/wps/ndef.c | 5 ++++- >>> + 1 file changed, 4 insertions(+), 1 deletion(-) >>> + >>> +diff --git a/src/wps/ndef.c b/src/wps/ndef.c >>> +index d45dfc8..f7f729b 100644 >>> +--- a/src/wps/ndef.c >>> ++++ b/src/wps/ndef.c >>> +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, >>> u32 size, >>> + if (size < 6) >>> + return -1; >>> + record->payload_length = ntohl(*(u32 *)pos); >>> ++ if (record->payload_length > size - 6) >>> ++ return -1; >>> + pos += sizeof(u32); >>> + } >>> + >>> +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, >>> u32 size, >>> + pos += record->payload_length; >>> + >>> + record->total_length = pos - data; >>> +- if (record->total_length > size) >>> ++ if (record->total_length > size || >>> ++ record->total_length < record->payload_length) >>> + return -1; >>> + return 0; >>> + } >>> +-- >>> +1.9.1 >>> + >>> diff --git >>> a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb >>> <http://wpa-supplicant_2.4.bb> >>> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb >>> <http://wpa-supplicant_2.4.bb> >>> index a124cf2..6e4d028 100644 >>> --- >>> a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb >>> <http://wpa-supplicant_2.4.bb> >>> +++ >>> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb >>> <http://wpa-supplicant_2.4.bb> >>> @@ -32,6 +32,7 @@ SRC_URI = >>> "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz >>> <http://hostap.epitest.fi/releases/wpa_supplicant-$%7BPV%7D.tar.gz> \ >>> file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch >>> \ >>> file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch >>> \ >>> file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \ >>> + >>> >>> file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patc >>> h >>> >>> \ >>> >>> " >>> >>> SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d" >>> SRC_URI[sha256sum] = >>> >>> "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122" >>> -- >>> 1.9.1 >>> >>> -- >>> _______________________________________________ >>> Openembedded-core mailing list >>> Openembedded-core@lists.openembedded.org >>> <mailto:Openembedded-core@lists.openembedded.org> >>> http://lists.openembedded.org/mailman/listinfo/openembedded-core > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041 2016-02-22 4:15 ` Paul Eggleton 2016-02-22 5:43 ` Robert Yang @ 2016-02-29 15:12 ` Joshua G Lock 1 sibling, 0 replies; 7+ messages in thread From: Joshua G Lock @ 2016-02-29 15:12 UTC (permalink / raw) To: Paul Eggleton, Robert Yang; +Cc: openembedded-core On Mon, 2016-02-22 at 17:15 +1300, Paul Eggleton wrote: > Hi Robert, > > I just noticed this never got merged into jethro. Could you take care > of that? > The original patch is here: > > http://patchwork.openembedded.org/patch/107625/ > > Joshua, looks like we could use this one in fido as well. I was hoping to backport this from Jethro but I haven't seen it land there yet, I've queued it for fido so I don't forget. Robert, I have a branch for jethro with this patch included — should I submit it? Regards, Joshua ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-02-29 15:32 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-11-13 11:08 [PATCH 0/1] wpa-supplicant: Fix CVE-2015-8041 Hongxu Jia 2015-11-13 11:08 ` [PATCH 1/1] " Hongxu Jia 2015-11-13 12:11 ` Jussi Kukkonen 2015-11-13 12:18 ` Hongxu Jia 2016-02-22 4:15 ` Paul Eggleton 2016-02-22 5:43 ` Robert Yang 2016-02-29 15:12 ` Joshua G Lock
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox