* [PATCH 0/1] wpa-supplicant: Fix CVE-2015-8041
@ 2015-11-13 11:08 Hongxu Jia
2015-11-13 11:08 ` [PATCH 1/1] " Hongxu Jia
0 siblings, 1 reply; 7+ messages in thread
From: Hongxu Jia @ 2015-11-13 11:08 UTC (permalink / raw)
To: openembedded-core, ross.burton
The following changes since commit fc45deac89ef63ca1c44e763c38ced7dfd72cbe1:
build-appliance-image: Update to jethro head revision (2015-11-03 14:03:03 +0000)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib hongxu/wpa-supplicant
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=hongxu/wpa-supplicant
Hongxu Jia (1):
wpa-supplicant: Fix CVE-2015-8041
...load-length-validation-in-NDEF-record-par.patch | 64 ++++++++++++++++++++++
.../wpa-supplicant/wpa-supplicant_2.4.bb | 1 +
2 files changed, 65 insertions(+)
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
--
1.9.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041
2015-11-13 11:08 [PATCH 0/1] wpa-supplicant: Fix CVE-2015-8041 Hongxu Jia
@ 2015-11-13 11:08 ` Hongxu Jia
2015-11-13 12:11 ` Jussi Kukkonen
0 siblings, 1 reply; 7+ messages in thread
From: Hongxu Jia @ 2015-11-13 11:08 UTC (permalink / raw)
To: openembedded-core, ross.burton
Backport patch from http://w1.fi/security/2015-5/
and rebase for wpa-supplicant 2.4
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
...load-length-validation-in-NDEF-record-par.patch | 64 ++++++++++++++++++++++
.../wpa-supplicant/wpa-supplicant_2.4.bb | 1 +
2 files changed, 65 insertions(+)
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
new file mode 100644
index 0000000..bc1d1e5
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
@@ -0,0 +1,64 @@
+From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 13 Nov 2015 05:54:18 -0500
+Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
+
+It was possible for the 32-bit record->total_length value to end up
+wrapping around due to integer overflow if the longer form of payload
+length field is used and record->payload_length gets a value close to
+2^32. This could result in ndef_parse_record() accepting a too large
+payload length value and the record type filter reading up to about 20
+bytes beyond the end of the buffer and potentially killing the process.
+This could also result in an attempt to allocate close to 2^32 bytes of
+heap memory and if that were to succeed, a buffer read overflow of the
+same length which would most likely result in the process termination.
+In case of record->total_length ending up getting the value 0, there
+would be no buffer read overflow, but record parsing would result in an
+infinite loop in ndef_parse_records().
+
+Any of these error cases could potentially be used for denial of service
+attacks over NFC by using a malformed NDEF record on an NFC Tag or
+sending them during NFC connection handover if the application providing
+the NDEF message to hostapd/wpa_supplicant did no validation of the
+received records. While such validation is likely done in the NFC stack
+that needs to parse the NFC messages before further processing,
+hostapd/wpa_supplicant better be prepared for any data being included
+here.
+
+Fix this by validating record->payload_length value in a way that
+detects integer overflow. (CID 122668)
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport [from http://w1.fi/security/2015-5/]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ src/wps/ndef.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/wps/ndef.c b/src/wps/ndef.c
+index d45dfc8..f7f729b 100644
+--- a/src/wps/ndef.c
++++ b/src/wps/ndef.c
+@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
+ if (size < 6)
+ return -1;
+ record->payload_length = ntohl(*(u32 *)pos);
++ if (record->payload_length > size - 6)
++ return -1;
+ pos += sizeof(u32);
+ }
+
+@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
+ pos += record->payload_length;
+
+ record->total_length = pos - data;
+- if (record->total_length > size)
++ if (record->total_length > size ||
++ record->total_length < record->payload_length)
+ return -1;
+ return 0;
+ }
+--
+1.9.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
index a124cf2..6e4d028 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \
file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \
file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \
+ file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \
"
SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d"
SRC_URI[sha256sum] = "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122"
--
1.9.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041
2015-11-13 11:08 ` [PATCH 1/1] " Hongxu Jia
@ 2015-11-13 12:11 ` Jussi Kukkonen
2015-11-13 12:18 ` Hongxu Jia
0 siblings, 1 reply; 7+ messages in thread
From: Jussi Kukkonen @ 2015-11-13 12:11 UTC (permalink / raw)
To: Hongxu Jia; +Cc: Patches and discussions about the oe-core layer
[-- Attachment #1: Type: text/plain, Size: 5270 bytes --]
On 13 November 2015 at 13:08, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> Backport patch from http://w1.fi/security/2015-5/
> and rebase for wpa-supplicant 2.4
There's a thread about upgrading master to 2.5 (which should fix this)
already.
The patch probably still makes sense for jethro though.
- Jussi
>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
> ...load-length-validation-in-NDEF-record-par.patch | 64
> ++++++++++++++++++++++
> .../wpa-supplicant/wpa-supplicant_2.4.bb | 1 +
> 2 files changed, 65 insertions(+)
> create mode 100644
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
>
> diff --git
> a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
> new file mode 100644
> index 0000000..bc1d1e5
> --- /dev/null
> +++
> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
> @@ -0,0 +1,64 @@
> +From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00 2001
> +From: Jouni Malinen <j@w1.fi>
> +Date: Fri, 13 Nov 2015 05:54:18 -0500
> +Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
> +
> +It was possible for the 32-bit record->total_length value to end up
> +wrapping around due to integer overflow if the longer form of payload
> +length field is used and record->payload_length gets a value close to
> +2^32. This could result in ndef_parse_record() accepting a too large
> +payload length value and the record type filter reading up to about 20
> +bytes beyond the end of the buffer and potentially killing the process.
> +This could also result in an attempt to allocate close to 2^32 bytes of
> +heap memory and if that were to succeed, a buffer read overflow of the
> +same length which would most likely result in the process termination.
> +In case of record->total_length ending up getting the value 0, there
> +would be no buffer read overflow, but record parsing would result in an
> +infinite loop in ndef_parse_records().
> +
> +Any of these error cases could potentially be used for denial of service
> +attacks over NFC by using a malformed NDEF record on an NFC Tag or
> +sending them during NFC connection handover if the application providing
> +the NDEF message to hostapd/wpa_supplicant did no validation of the
> +received records. While such validation is likely done in the NFC stack
> +that needs to parse the NFC messages before further processing,
> +hostapd/wpa_supplicant better be prepared for any data being included
> +here.
> +
> +Fix this by validating record->payload_length value in a way that
> +detects integer overflow. (CID 122668)
> +
> +Signed-off-by: Jouni Malinen <j@w1.fi>
> +
> +Upstream-Status: Backport [from http://w1.fi/security/2015-5/]
> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +---
> + src/wps/ndef.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/wps/ndef.c b/src/wps/ndef.c
> +index d45dfc8..f7f729b 100644
> +--- a/src/wps/ndef.c
> ++++ b/src/wps/ndef.c
> +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
> + if (size < 6)
> + return -1;
> + record->payload_length = ntohl(*(u32 *)pos);
> ++ if (record->payload_length > size - 6)
> ++ return -1;
> + pos += sizeof(u32);
> + }
> +
> +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
> + pos += record->payload_length;
> +
> + record->total_length = pos - data;
> +- if (record->total_length > size)
> ++ if (record->total_length > size ||
> ++ record->total_length < record->payload_length)
> + return -1;
> + return 0;
> + }
> +--
> +1.9.1
> +
> diff --git a/meta/recipes-connectivity/wpa-supplicant/
> wpa-supplicant_2.4.bb b/meta/recipes-connectivity/wpa-supplicant/
> wpa-supplicant_2.4.bb
> index a124cf2..6e4d028 100644
> --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
> +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
> @@ -32,6 +32,7 @@ SRC_URI = "
> http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz \
>
> file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch \
>
> file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch \
>
> file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \
> +
> file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch \
> "
> SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d"
> SRC_URI[sha256sum] =
> "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122"
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
[-- Attachment #2: Type: text/html, Size: 7362 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041
2015-11-13 12:11 ` Jussi Kukkonen
@ 2015-11-13 12:18 ` Hongxu Jia
2016-02-22 4:15 ` Paul Eggleton
0 siblings, 1 reply; 7+ messages in thread
From: Hongxu Jia @ 2015-11-13 12:18 UTC (permalink / raw)
To: Jussi Kukkonen; +Cc: Patches and discussions about the oe-core layer
[-- Attachment #1: Type: text/plain, Size: 6443 bytes --]
On 11/13/2015 08:11 PM, Jussi Kukkonen wrote:
> On 13 November 2015 at 13:08, Hongxu Jia <hongxu.jia@windriver.com
> <mailto:hongxu.jia@windriver.com>> wrote:
>
> Backport patch from http://w1.fi/security/2015-5/
> and rebase for wpa-supplicant 2.4
>
>
> There's a thread about upgrading master to 2.5 (which should fix this)
> already.
> The patch probably still makes sense for jethro though.
>
Yes, you are right, the 2.5 don't need this, it makes sense for jethro.
//Hongxu
> - Jussi
>
>
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com
> <mailto:hongxu.jia@windriver.com>>
> ---
> ...load-length-validation-in-NDEF-record-par.patch | 64
> ++++++++++++++++++++++
> .../wpa-supplicant/wpa-supplicant_2.4.bb
> <http://wpa-supplicant_2.4.bb> | 1 +
> 2 files changed, 65 insertions(+)
> create mode 100644
> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
>
> diff --git
> a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
> new file mode 100644
> index 0000000..bc1d1e5
> --- /dev/null
> +++
> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
> @@ -0,0 +1,64 @@
> +From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00
> 2001
> +From: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>>
> +Date: Fri, 13 Nov 2015 05:54:18 -0500
> +Subject: [PATCH] NFC: Fix payload length validation in NDEF
> record parser
> +
> +It was possible for the 32-bit record->total_length value to end up
> +wrapping around due to integer overflow if the longer form of payload
> +length field is used and record->payload_length gets a value close to
> +2^32. This could result in ndef_parse_record() accepting a too large
> +payload length value and the record type filter reading up to
> about 20
> +bytes beyond the end of the buffer and potentially killing the
> process.
> +This could also result in an attempt to allocate close to 2^32
> bytes of
> +heap memory and if that were to succeed, a buffer read overflow
> of the
> +same length which would most likely result in the process
> termination.
> +In case of record->total_length ending up getting the value 0, there
> +would be no buffer read overflow, but record parsing would result
> in an
> +infinite loop in ndef_parse_records().
> +
> +Any of these error cases could potentially be used for denial of
> service
> +attacks over NFC by using a malformed NDEF record on an NFC Tag or
> +sending them during NFC connection handover if the application
> providing
> +the NDEF message to hostapd/wpa_supplicant did no validation of the
> +received records. While such validation is likely done in the NFC
> stack
> +that needs to parse the NFC messages before further processing,
> +hostapd/wpa_supplicant better be prepared for any data being included
> +here.
> +
> +Fix this by validating record->payload_length value in a way that
> +detects integer overflow. (CID 122668)
> +
> +Signed-off-by: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>>
> +
> +Upstream-Status: Backport [from http://w1.fi/security/2015-5/]
> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com
> <mailto:hongxu.jia@windriver.com>>
> +---
> + src/wps/ndef.c | 5 ++++-
> + 1 file changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/wps/ndef.c b/src/wps/ndef.c
> +index d45dfc8..f7f729b 100644
> +--- a/src/wps/ndef.c
> ++++ b/src/wps/ndef.c
> +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data,
> u32 size,
> + if (size < 6)
> + return -1;
> + record->payload_length = ntohl(*(u32 *)pos);
> ++ if (record->payload_length > size - 6)
> ++ return -1;
> + pos += sizeof(u32);
> + }
> +
> +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data,
> u32 size,
> + pos += record->payload_length;
> +
> + record->total_length = pos - data;
> +- if (record->total_length > size)
> ++ if (record->total_length > size ||
> ++ record->total_length < record->payload_length)
> + return -1;
> + return 0;
> + }
> +--
> +1.9.1
> +
> diff --git
> a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
> <http://wpa-supplicant_2.4.bb>
> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
> <http://wpa-supplicant_2.4.bb>
> index a124cf2..6e4d028 100644
> ---
> a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
> <http://wpa-supplicant_2.4.bb>
> +++
> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
> <http://wpa-supplicant_2.4.bb>
> @@ -32,6 +32,7 @@ SRC_URI =
> "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz
> <http://hostap.epitest.fi/releases/wpa_supplicant-$%7BPV%7D.tar.gz> \
> file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
> \
> file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
> \
> file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \
> +
> file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
> \
> "
> SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d"
> SRC_URI[sha256sum] =
> "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122"
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> <mailto:Openembedded-core@lists.openembedded.org>
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>
[-- Attachment #2: Type: text/html, Size: 12018 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041
2015-11-13 12:18 ` Hongxu Jia
@ 2016-02-22 4:15 ` Paul Eggleton
2016-02-22 5:43 ` Robert Yang
2016-02-29 15:12 ` Joshua G Lock
0 siblings, 2 replies; 7+ messages in thread
From: Paul Eggleton @ 2016-02-22 4:15 UTC (permalink / raw)
To: Robert Yang, Joshua Lock; +Cc: openembedded-core
Hi Robert,
I just noticed this never got merged into jethro. Could you take care of that?
The original patch is here:
http://patchwork.openembedded.org/patch/107625/
Joshua, looks like we could use this one in fido as well.
Thanks,
Paul
On Fri, 13 Nov 2015 20:18:09 Hongxu Jia wrote:
> On 11/13/2015 08:11 PM, Jussi Kukkonen wrote:
> > On 13 November 2015 at 13:08, Hongxu Jia <hongxu.jia@windriver.com
> >
> > <mailto:hongxu.jia@windriver.com>> wrote:
> > Backport patch from http://w1.fi/security/2015-5/
> > and rebase for wpa-supplicant 2.4
> >
> > There's a thread about upgrading master to 2.5 (which should fix this)
> > already.
> > The patch probably still makes sense for jethro though.
>
> Yes, you are right, the 2.5 don't need this, it makes sense for jethro.
>
> //Hongxu
>
> > - Jussi
> >
> > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com
> > <mailto:hongxu.jia@windriver.com>>
> > ---
> >
> > ...load-length-validation-in-NDEF-record-par.patch | 64
> >
> > ++++++++++++++++++++++
> >
> > .../wpa-supplicant/wpa-supplicant_2.4.bb
> >
> > <http://wpa-supplicant_2.4.bb> | 1 +
> >
> > 2 files changed, 65 insertions(+)
> > create mode 100644
> >
> > meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-p
> > ayload-length-validation-in-NDEF-record-par.patch
> >
> > diff --git
> > a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix
> > -payload-length-validation-in-NDEF-record-par.patch
> > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fi
> > x-payload-length-validation-in-NDEF-record-par.patch new file mode
> > 100644
> > index 0000000..bc1d1e5
> > --- /dev/null
> > +++
> > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix
> > -payload-length-validation-in-NDEF-record-par.patch @@ -0,0 +1,64 @@
> > +From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00
> > 2001
> > +From: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>>
> > +Date: Fri, 13 Nov 2015 05:54:18 -0500
> > +Subject: [PATCH] NFC: Fix payload length validation in NDEF
> > record parser
> > +
> > +It was possible for the 32-bit record->total_length value to end up
> > +wrapping around due to integer overflow if the longer form of payload
> > +length field is used and record->payload_length gets a value close to
> > +2^32. This could result in ndef_parse_record() accepting a too large
> > +payload length value and the record type filter reading up to
> > about 20
> > +bytes beyond the end of the buffer and potentially killing the
> > process.
> > +This could also result in an attempt to allocate close to 2^32
> > bytes of
> > +heap memory and if that were to succeed, a buffer read overflow
> > of the
> > +same length which would most likely result in the process
> > termination.
> > +In case of record->total_length ending up getting the value 0, there
> > +would be no buffer read overflow, but record parsing would result
> > in an
> > +infinite loop in ndef_parse_records().
> > +
> > +Any of these error cases could potentially be used for denial of
> > service
> > +attacks over NFC by using a malformed NDEF record on an NFC Tag or
> > +sending them during NFC connection handover if the application
> > providing
> > +the NDEF message to hostapd/wpa_supplicant did no validation of the
> > +received records. While such validation is likely done in the NFC
> > stack
> > +that needs to parse the NFC messages before further processing,
> > +hostapd/wpa_supplicant better be prepared for any data being included
> > +here.
> > +
> > +Fix this by validating record->payload_length value in a way that
> > +detects integer overflow. (CID 122668)
> > +
> > +Signed-off-by: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>>
> > +
> > +Upstream-Status: Backport [from http://w1.fi/security/2015-5/]
> > +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com
> > <mailto:hongxu.jia@windriver.com>>
> > +---
> > + src/wps/ndef.c | 5 ++++-
> > + 1 file changed, 4 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/src/wps/ndef.c b/src/wps/ndef.c
> > +index d45dfc8..f7f729b 100644
> > +--- a/src/wps/ndef.c
> > ++++ b/src/wps/ndef.c
> > +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data,
> > u32 size,
> > + if (size < 6)
> > + return -1;
> > + record->payload_length = ntohl(*(u32 *)pos);
> > ++ if (record->payload_length > size - 6)
> > ++ return -1;
> > + pos += sizeof(u32);
> > + }
> > +
> > +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data,
> > u32 size,
> > + pos += record->payload_length;
> > +
> > + record->total_length = pos - data;
> > +- if (record->total_length > size)
> > ++ if (record->total_length > size ||
> > ++ record->total_length < record->payload_length)
> > + return -1;
> > + return 0;
> > + }
> > +--
> > +1.9.1
> > +
> > diff --git
> > a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
> > <http://wpa-supplicant_2.4.bb>
> > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
> > <http://wpa-supplicant_2.4.bb>
> > index a124cf2..6e4d028 100644
> > ---
> > a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
> > <http://wpa-supplicant_2.4.bb>
> > +++
> > b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
> > <http://wpa-supplicant_2.4.bb>
> > @@ -32,6 +32,7 @@ SRC_URI =
> > "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz
> > <http://hostap.epitest.fi/releases/wpa_supplicant-$%7BPV%7D.tar.gz> \
> > file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
> > \
> > file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
> > \
> > file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \
> > +
> >
> > file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patc
> > h
> >
> > \
> >
> > "
> >
> > SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d"
> > SRC_URI[sha256sum] =
> >
> > "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122"
> > --
> > 1.9.1
> >
> > --
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core@lists.openembedded.org
> > <mailto:Openembedded-core@lists.openembedded.org>
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core
--
Paul Eggleton
Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041
2016-02-22 4:15 ` Paul Eggleton
@ 2016-02-22 5:43 ` Robert Yang
2016-02-29 15:12 ` Joshua G Lock
1 sibling, 0 replies; 7+ messages in thread
From: Robert Yang @ 2016-02-22 5:43 UTC (permalink / raw)
To: Paul Eggleton, Joshua Lock; +Cc: openembedded-core
On 02/22/2016 12:15 PM, Paul Eggleton wrote:
> Hi Robert,
>
> I just noticed this never got merged into jethro. Could you take care of that?
> The original patch is here:
Got it, thanks.
// Robert
>
> http://patchwork.openembedded.org/patch/107625/
>
> Joshua, looks like we could use this one in fido as well.
>
> Thanks,
> Paul
>
> On Fri, 13 Nov 2015 20:18:09 Hongxu Jia wrote:
>> On 11/13/2015 08:11 PM, Jussi Kukkonen wrote:
>>> On 13 November 2015 at 13:08, Hongxu Jia <hongxu.jia@windriver.com
>>>
>>> <mailto:hongxu.jia@windriver.com>> wrote:
>>> Backport patch from http://w1.fi/security/2015-5/
>>> and rebase for wpa-supplicant 2.4
>>>
>>> There's a thread about upgrading master to 2.5 (which should fix this)
>>> already.
>>> The patch probably still makes sense for jethro though.
>>
>> Yes, you are right, the 2.5 don't need this, it makes sense for jethro.
>>
>> //Hongxu
>>
>>> - Jussi
>>>
>>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com
>>> <mailto:hongxu.jia@windriver.com>>
>>> ---
>>>
>>> ...load-length-validation-in-NDEF-record-par.patch | 64
>>>
>>> ++++++++++++++++++++++
>>>
>>> .../wpa-supplicant/wpa-supplicant_2.4.bb
>>>
>>> <http://wpa-supplicant_2.4.bb> | 1 +
>>>
>>> 2 files changed, 65 insertions(+)
>>> create mode 100644
>>>
>>> meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix-p
>>> ayload-length-validation-in-NDEF-record-par.patch
>>>
>>> diff --git
>>> a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix
>>> -payload-length-validation-in-NDEF-record-par.patch
>>> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fi
>>> x-payload-length-validation-in-NDEF-record-par.patch new file mode
>>> 100644
>>> index 0000000..bc1d1e5
>>> --- /dev/null
>>> +++
>>> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-NFC-Fix
>>> -payload-length-validation-in-NDEF-record-par.patch @@ -0,0 +1,64 @@
>>> +From c13401c723a039971bcd91b3856d76c6041b15f2 Mon Sep 17 00:00:00
>>> 2001
>>> +From: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>>
>>> +Date: Fri, 13 Nov 2015 05:54:18 -0500
>>> +Subject: [PATCH] NFC: Fix payload length validation in NDEF
>>> record parser
>>> +
>>> +It was possible for the 32-bit record->total_length value to end up
>>> +wrapping around due to integer overflow if the longer form of payload
>>> +length field is used and record->payload_length gets a value close to
>>> +2^32. This could result in ndef_parse_record() accepting a too large
>>> +payload length value and the record type filter reading up to
>>> about 20
>>> +bytes beyond the end of the buffer and potentially killing the
>>> process.
>>> +This could also result in an attempt to allocate close to 2^32
>>> bytes of
>>> +heap memory and if that were to succeed, a buffer read overflow
>>> of the
>>> +same length which would most likely result in the process
>>> termination.
>>> +In case of record->total_length ending up getting the value 0, there
>>> +would be no buffer read overflow, but record parsing would result
>>> in an
>>> +infinite loop in ndef_parse_records().
>>> +
>>> +Any of these error cases could potentially be used for denial of
>>> service
>>> +attacks over NFC by using a malformed NDEF record on an NFC Tag or
>>> +sending them during NFC connection handover if the application
>>> providing
>>> +the NDEF message to hostapd/wpa_supplicant did no validation of the
>>> +received records. While such validation is likely done in the NFC
>>> stack
>>> +that needs to parse the NFC messages before further processing,
>>> +hostapd/wpa_supplicant better be prepared for any data being included
>>> +here.
>>> +
>>> +Fix this by validating record->payload_length value in a way that
>>> +detects integer overflow. (CID 122668)
>>> +
>>> +Signed-off-by: Jouni Malinen <j@w1.fi <mailto:j@w1.fi>>
>>> +
>>> +Upstream-Status: Backport [from http://w1.fi/security/2015-5/]
>>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com
>>> <mailto:hongxu.jia@windriver.com>>
>>> +---
>>> + src/wps/ndef.c | 5 ++++-
>>> + 1 file changed, 4 insertions(+), 1 deletion(-)
>>> +
>>> +diff --git a/src/wps/ndef.c b/src/wps/ndef.c
>>> +index d45dfc8..f7f729b 100644
>>> +--- a/src/wps/ndef.c
>>> ++++ b/src/wps/ndef.c
>>> +@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data,
>>> u32 size,
>>> + if (size < 6)
>>> + return -1;
>>> + record->payload_length = ntohl(*(u32 *)pos);
>>> ++ if (record->payload_length > size - 6)
>>> ++ return -1;
>>> + pos += sizeof(u32);
>>> + }
>>> +
>>> +@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data,
>>> u32 size,
>>> + pos += record->payload_length;
>>> +
>>> + record->total_length = pos - data;
>>> +- if (record->total_length > size)
>>> ++ if (record->total_length > size ||
>>> ++ record->total_length < record->payload_length)
>>> + return -1;
>>> + return 0;
>>> + }
>>> +--
>>> +1.9.1
>>> +
>>> diff --git
>>> a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
>>> <http://wpa-supplicant_2.4.bb>
>>> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
>>> <http://wpa-supplicant_2.4.bb>
>>> index a124cf2..6e4d028 100644
>>> ---
>>> a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
>>> <http://wpa-supplicant_2.4.bb>
>>> +++
>>> b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.4.bb
>>> <http://wpa-supplicant_2.4.bb>
>>> @@ -32,6 +32,7 @@ SRC_URI =
>>> "http://hostap.epitest.fi/releases/wpa_supplicant-${PV}.tar.gz
>>> <http://hostap.epitest.fi/releases/wpa_supplicant-$%7BPV%7D.tar.gz> \
>>> file://0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
>>> \
>>> file://0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
>>> \
>>> file://0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch \
>>> +
>>>
>>> file://0001-NFC-Fix-payload-length-validation-in-NDEF-record-par.patc
>>> h
>>>
>>> \
>>>
>>> "
>>>
>>> SRC_URI[md5sum] = "f0037dbe03897dcaf2ad2722e659095d"
>>> SRC_URI[sha256sum] =
>>>
>>> "058dc832c096139a059e6df814080f50251a8d313c21b13364c54a1e70109122"
>>> --
>>> 1.9.1
>>>
>>> --
>>> _______________________________________________
>>> Openembedded-core mailing list
>>> Openembedded-core@lists.openembedded.org
>>> <mailto:Openembedded-core@lists.openembedded.org>
>>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wpa-supplicant: Fix CVE-2015-8041
2016-02-22 4:15 ` Paul Eggleton
2016-02-22 5:43 ` Robert Yang
@ 2016-02-29 15:12 ` Joshua G Lock
1 sibling, 0 replies; 7+ messages in thread
From: Joshua G Lock @ 2016-02-29 15:12 UTC (permalink / raw)
To: Paul Eggleton, Robert Yang; +Cc: openembedded-core
On Mon, 2016-02-22 at 17:15 +1300, Paul Eggleton wrote:
> Hi Robert,
>
> I just noticed this never got merged into jethro. Could you take care
> of that?
> The original patch is here:
>
> http://patchwork.openembedded.org/patch/107625/
>
> Joshua, looks like we could use this one in fido as well.
I was hoping to backport this from Jethro but I haven't seen it land
there yet, I've queued it for fido so I don't forget.
Robert, I have a branch for jethro with this patch included — should I
submit it?
Regards,
Joshua
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-02-29 15:32 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-11-13 11:08 [PATCH 0/1] wpa-supplicant: Fix CVE-2015-8041 Hongxu Jia
2015-11-13 11:08 ` [PATCH 1/1] " Hongxu Jia
2015-11-13 12:11 ` Jussi Kukkonen
2015-11-13 12:18 ` Hongxu Jia
2016-02-22 4:15 ` Paul Eggleton
2016-02-22 5:43 ` Robert Yang
2016-02-29 15:12 ` Joshua G Lock
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox