Message ID | 20171206095458.30821-2-kleber.souza@canonical.com
---|---
State | New
Series | Fix for CVE-2017-12153
On 06.12.2017 09:54, Kleber Sacilotto de Souza wrote:
> From: Vladis Dronov <vdronov@redhat.com>
>
> nl80211_set_rekey_data() does not check if the required attributes
> NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
> NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
> users with CAP_NET_ADMIN privilege and may result in NULL dereference
> and a system crash. Add a check for the required attributes presence.
> This patch is based on the patch by bo Zhang.
>
> This fixes CVE-2017-12153.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
> Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
> Cc: <stable@vger.kernel.org> # v3.1-rc1
> Reported-by: bo Zhang <zhangbo5891001@gmail.com>
> Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>
> CVE-2017-12153
> (cherry picked from commit e785fa0a164aa11001cba931367c7f94ffaff888)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

> ---
> net/wireless/nl80211.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c > index 0df8023f480b..fbd5593e88cb 100644 > --- a/net/wireless/nl80211.c > +++ b/net/wireless/nl80211.c > @@ -10903,6 +10903,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info) > if (err) > return err; > > + if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] || > + !tb[NL80211_REKEY_DATA_KCK]) > + return -EINVAL; > if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) > return -ERANGE; > if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN) >
On 06/12/17 09:54, Kleber Sacilotto de Souza wrote:
> From: Vladis Dronov <vdronov@redhat.com>
>
> nl80211_set_rekey_data() does not check if the required attributes
> NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
> NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
> users with CAP_NET_ADMIN privilege and may result in NULL dereference
> and a system crash. Add a check for the required attributes presence.
> This patch is based on the patch by bo Zhang.
>
> This fixes CVE-2017-12153.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
> Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
> Cc: <stable@vger.kernel.org> # v3.1-rc1
> Reported-by: bo Zhang <zhangbo5891001@gmail.com>
> Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>
> CVE-2017-12153
> (cherry picked from commit e785fa0a164aa11001cba931367c7f94ffaff888)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
> ---
> net/wireless/nl80211.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c > index 0df8023f480b..fbd5593e88cb 100644 > --- a/net/wireless/nl80211.c > +++ b/net/wireless/nl80211.c > @@ -10903,6 +10903,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info) > if (err) > return err; > > + if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] || > + !tb[NL80211_REKEY_DATA_KCK]) > + return -EINVAL; > if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) > return -ERANGE; > if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN) >

Clean cherry pick.

Acked-by: Colin Ian King <colin.king@canonical.com>
Applied to trusty and zesty master-next branches.

Thanks.
Cascardo.

Applied-to: trusty/master-next
Applied-to: zesty/master-next
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 0df8023f480b..fbd5593e88cb 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -10903,6 +10903,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info) if (err) return err; + if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] || + !tb[NL80211_REKEY_DATA_KCK]) + return -EINVAL; if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) return -ERANGE; if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
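Review bot: the presence check is placed correctly, directly after `if (err) return err;` and before the first `nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR])`, which reads through the pointer; any later reordering that hoists one of the length checks above this block would reintroduce the NULL dereference, so a one-line comment stating that the three attributes are mandatory would make that ordering constraint explicit. Returning -EINVAL for an absent attribute while the existing checks keep -ERANGE for a wrong length is consistent with the surrounding code.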
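To make the failure mode in the commit message concrete, here is an added user-space C model of the attribute-parsing pattern that nl80211_set_rekey_data() follows. It is example code written for this page, not code from the kernel, the patch or the thread: the nlattr layout, the REKEY_DATA_* ids, the KEK/KCK/replay-counter lengths and the rekey_scenario() helper are simplified, constructed stand-ins. The validate function reproduces the fixed ordering (presence check, then length checks) and shows why the check must come before any nla_len() on a tb[] slot.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute ids and lengths modelled on NL80211_REKEY_DATA_* (constructed
 * values for this example; the kernel's real enum values are not reproduced). */
enum {
    REKEY_DATA_UNSPEC,
    REKEY_DATA_KEK,
    REKEY_DATA_KCK,
    REKEY_DATA_REPLAY_CTR,
    REKEY_DATA_MAX = REKEY_DATA_REPLAY_CTR
};
#define KEK_LEN        16
#define KCK_LEN        16
#define REPLAY_CTR_LEN 8

/* Simplified netlink attribute header: total length (header + payload), then type. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};
#define NLA_HDRLEN   ((int)sizeof(struct nlattr))
#define NLA_ALIGN(n) (((n) + 3) & ~(size_t)3)

/* Payload length of an attribute. It reads through the pointer, so calling it
 * on a NULL tb[] slot is exactly the fault the patch prevents. */
static int nla_len(const struct nlattr *nla)
{
    return nla->nla_len - NLA_HDRLEN;
}

/* Parse a TLV stream into tb[] indexed by type. Unknown types are skipped and
 * slots for absent attributes stay NULL, as with the kernel's nla_parse(). */
static int nla_parse(const struct nlattr *tb[], int maxtype,
                     const uint8_t *buf, size_t len)
{
    size_t off = 0;

    memset(tb, 0, sizeof(tb[0]) * (size_t)(maxtype + 1));
    while (off + NLA_HDRLEN <= len) {
        const struct nlattr *nla = (const struct nlattr *)(buf + off);

        if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > len)
            return -EINVAL;                 /* truncated or malformed attribute */
        if (nla->nla_type <= maxtype)
            tb[nla->nla_type] = nla;
        off += NLA_ALIGN(nla->nla_len);
    }
    return 0;
}

/* Mirrors the patched nl80211_set_rekey_data(): presence check first, then
 * the length checks that dereference each attribute. */
static int validate_rekey_request(const uint8_t *buf, size_t len)
{
    const struct nlattr *tb[REKEY_DATA_MAX + 1];
    int err = nla_parse(tb, REKEY_DATA_MAX, buf, len);

    if (err)
        return err;

    /* The check the fix adds. Without it, a request that omits any of the
     * three attributes reaches nla_len(NULL) below. */
    if (!tb[REKEY_DATA_REPLAY_CTR] || !tb[REKEY_DATA_KEK] || !tb[REKEY_DATA_KCK])
        return -EINVAL;

    if (nla_len(tb[REKEY_DATA_REPLAY_CTR]) != REPLAY_CTR_LEN)
        return -ERANGE;
    if (nla_len(tb[REKEY_DATA_KEK]) != KEK_LEN)
        return -ERANGE;
    if (nla_len(tb[REKEY_DATA_KCK]) != KCK_LEN)
        return -ERANGE;
    return 0;
}

/* Append one attribute (header, zero-filled payload, padding to 4 bytes); returns the new offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, size_t len)
{
    struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + len), type };
    size_t next = off + NLA_ALIGN(NLA_HDRLEN + len);

    memcpy(buf + off, &hdr, sizeof hdr);
    memset(buf + off + NLA_HDRLEN, 0, next - off - NLA_HDRLEN);
    return next;
}

/* Constructed scenario helper: build a request with the chosen attributes present
 * (payload contents do not matter here, only presence and length) and validate it. */
int rekey_scenario(int have_kek, int have_kck, int have_ctr, size_t ctr_len)
{
    uint32_t store[64];                 /* 4-byte aligned backing storage */
    uint8_t *buf = (uint8_t *)store;
    size_t off = 0;

    if (have_kek) off = put_attr(buf, off, REKEY_DATA_KEK, KEK_LEN);
    if (have_kck) off = put_attr(buf, off, REKEY_DATA_KCK, KCK_LEN);
    if (have_ctr) off = put_attr(buf, off, REKEY_DATA_REPLAY_CTR, ctr_len);
    return validate_rekey_request(buf, off);
}

int main(void)
{
    printf("all present, correct lengths: %d\n", rekey_scenario(1, 1, 1, REPLAY_CTR_LEN));
    printf("replay counter missing:       %d\n", rekey_scenario(1, 1, 0, 0));
    printf("KCK missing:                  %d\n", rekey_scenario(1, 0, 1, REPLAY_CTR_LEN));
    printf("replay counter too short:     %d\n", rekey_scenario(1, 1, 1, 7));
    return 0;
}
```

Removing the presence block from validate_rekey_request() and running the "replay counter missing" scenario reproduces the crash class the patch closes: the length check dereferences the NULL slot. With the block in place the same request is rejected with -EINVAL before any dereference, while a present but wrongly sized attribute still yields -ERANGE, matching the distinction the hunk keeps.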