From patchwork Wed Dec 6 09:54:58 2017
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 845088
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][Zesty][PATCH 1/1] nl80211: check for the required netlink attributes presence
Date: Wed, 6 Dec 2017 10:54:58 +0100
Message-Id: <20171206095458.30821-2-kleber.souza@canonical.com>
In-Reply-To: <20171206095458.30821-1-kleber.souza@canonical.com>
References: <20171206095458.30821-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Vladis Dronov

nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by users
with CAP_NET_ADMIN privilege and may result in NULL dereference and a system
crash. Add a check for the presence of the required attributes.

This patch is based on the patch by bo Zhang.

This fixes CVE-2017-12153.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Cc: # v3.1-rc1
Reported-by: bo Zhang
Signed-off-by: Vladis Dronov
Signed-off-by: Johannes Berg

CVE-2017-12153

(cherry picked from commit e785fa0a164aa11001cba931367c7f94ffaff888)
Signed-off-by: Kleber Sacilotto de Souza
Acked-by: Stefan Bader
Acked-by: Colin Ian King
---
 net/wireless/nl80211.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0df8023f480b..fbd5593e88cb 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10903,6 +10903,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info) if (err) return err; + if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] || + !tb[NL80211_REKEY_DATA_KCK]) + return -EINVAL; if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) return -ERANGE; if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
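Review bot: the new presence check sits in the right place, directly after `if (err) return err;` and before the first `nla_len(tb[...])`, because every `nla_len()` call in the following context dereferences its tb[] entry unconditionally and a successful parse only tells us the attributes that were present validated, not that all three were sent. Returning -EINVAL for an absent attribute while the existing length checks keep returning -ERANGE keeps the two failure modes distinguishable to userspace, which is worth a sentence in the commit message. One thing to confirm on the Trusty/Zesty backport: the visible context shows only the NL80211_REKEY_DATA_REPLAY_CTR and NL80211_REKEY_DATA_KEK length checks, so the corresponding NL80211_KEK_LEN/KCK handling after this hunk should be checked to match the mainline function the cherry-pick came from.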
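The bug class in the commit message (a netlink handler that trusts nla_parse() to guarantee presence of required attributes) is easy to model outside the kernel. The following is an added, stand-alone example written for this page; it is not the kernel's code and not part of the patch. It re-implements a minimal nlattr parser and the rekey-data handler in user space, with the patch's three-way presence check applied before any length check, and shows that the parse step succeeds on a request with a missing attribute. The attribute types, enum names, `put_attr()`, `build_request()` and the `REKEY_*` constants here are simplified stand-ins chosen for the example (the 16/16/8-byte lengths follow the nl80211 uAPI), not the kernel's lib/nlattr.c or net/wireless/nl80211.c.

```c
/*
 * Added example for this page, not kernel code: a user-space model of the
 * nl80211 rekey-data handler showing why a successful attribute parse does
 * not imply every required attribute is present, and what the patch's
 * presence check gates on.  Names and helpers are simplified stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { REKEY_DATA_UNSPEC, REKEY_DATA_KEK, REKEY_DATA_KCK,
       REKEY_DATA_REPLAY_CTR, NUM_REKEY_DATA,
       MAX_REKEY_DATA = NUM_REKEY_DATA - 1 };

#define KEK_LEN        16
#define KCK_LEN        16
#define REPLAY_CTR_LEN 8
#define REKEY_ALL ((1u << REKEY_DATA_KEK) | (1u << REKEY_DATA_KCK) | \
		   (1u << REKEY_DATA_REPLAY_CTR))

/* Wire layout of struct nlattr: 4-byte header, payload padded to 4 bytes. */
struct nlattr {
	uint16_t nla_len;	/* header + payload, without padding */
	uint16_t nla_type;
};
#define NLA_ALIGN(n) (((n) + 3u) & ~3u)
#define NLA_HDRLEN   ((int)NLA_ALIGN(sizeof(struct nlattr)))

static int nla_len(const struct nlattr *nla)
{
	return nla->nla_len - NLA_HDRLEN;
}

/* Append one attribute; returns the new message length, -1 on overflow. */
static int put_attr(uint8_t *buf, size_t cap, int off, uint16_t type,
		    const void *data, uint16_t len)
{
	struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + len), type };
	size_t total = NLA_ALIGN(NLA_HDRLEN + len);

	if (off < 0 || (size_t)off + total > cap)
		return -1;
	memset(buf + off, 0, total);
	memcpy(buf + off, &hdr, sizeof(hdr));
	memcpy(buf + off + NLA_HDRLEN, data, len);
	return off + (int)total;
}

/*
 * Simplified nla_parse(): record the last attribute seen of each known
 * type, skip unknown types.  Like the kernel parser it validates only what
 * is present; an absent attribute leaves tb[type] NULL and is NOT an error.
 */
static int parse_attrs(const uint8_t *buf, int len, const struct nlattr *tb[])
{
	int off = 0;

	memset(tb, 0, NUM_REKEY_DATA * sizeof(tb[0]));
	while (off + NLA_HDRLEN <= len) {
		const struct nlattr *nla = (const struct nlattr *)(buf + off);

		if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > len)
			return -EINVAL;
		if (nla->nla_type <= MAX_REKEY_DATA)
			tb[nla->nla_type] = nla;
		off += (int)NLA_ALIGN(nla->nla_len);
	}
	return 0;
}

/* Handler with the patch's check applied: presence first, lengths second.
 * Without the presence check, each nla_len() below dereferences NULL for
 * any attribute the requester left out. */
static int set_rekey_data(const uint8_t *msg, int len)
{
	const struct nlattr *tb[NUM_REKEY_DATA];
	int err = parse_attrs(msg, len, tb);

	if (err)
		return err;
	if (!tb[REKEY_DATA_REPLAY_CTR] || !tb[REKEY_DATA_KEK] ||
	    !tb[REKEY_DATA_KCK])
		return -EINVAL;
	if (nla_len(tb[REKEY_DATA_REPLAY_CTR]) != REPLAY_CTR_LEN)
		return -ERANGE;
	if (nla_len(tb[REKEY_DATA_KEK]) != KEK_LEN)
		return -ERANGE;
	if (nla_len(tb[REKEY_DATA_KCK]) != KCK_LEN)
		return -ERANGE;
	return 0;
}

/* Constructed request: bit `type` of mask includes that attribute;
 * ctr_len allows an over-long replay counter to exercise -ERANGE. */
static int build_request(uint8_t *buf, size_t cap, unsigned mask, uint16_t ctr_len)
{
	static const uint8_t kek[KEK_LEN] = { 0x11 }, kck[KCK_LEN] = { 0x22 };
	static const uint8_t ctr[REPLAY_CTR_LEN + 8] = { 0x33 };
	int off = 0;

	if (mask & (1u << REKEY_DATA_KEK))
		off = put_attr(buf, cap, off, REKEY_DATA_KEK, kek, KEK_LEN);
	if (mask & (1u << REKEY_DATA_KCK))
		off = put_attr(buf, cap, off, REKEY_DATA_KCK, kck, KCK_LEN);
	if (mask & (1u << REKEY_DATA_REPLAY_CTR))
		off = put_attr(buf, cap, off, REKEY_DATA_REPLAY_CTR, ctr, ctr_len);
	return off;
}

/* Run the hardened handler on a constructed request; returns its error code. */
static int rekey_result(unsigned mask, uint16_t ctr_len)
{
	_Alignas(4) uint8_t msg[64];
	int len = build_request(msg, sizeof(msg), mask, ctr_len);

	return len < 0 ? -1 : set_rekey_data(msg, len);
}

/* The gap itself: parse reports success, yet the KCK entry is NULL. */
static int parse_ok_but_kck_missing(void)
{
	_Alignas(4) uint8_t msg[64];
	const struct nlattr *tb[NUM_REKEY_DATA];
	int len = build_request(msg, sizeof(msg),
				REKEY_ALL & ~(1u << REKEY_DATA_KCK), REPLAY_CTR_LEN);

	return parse_attrs(msg, len, tb) == 0 && tb[REKEY_DATA_KCK] == NULL;
}
```

`rekey_result(REKEY_ALL, REPLAY_CTR_LEN)` returns 0, dropping any one of the three attributes returns -EINVAL, and an over-long replay counter with all three present returns -ERANGE, which is the ordering the patch establishes. `parse_ok_but_kck_missing()` is the point of the exercise: the parser returns 0 for the incomplete request, so only an explicit presence check stands between the handler and a NULL dereference.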