[SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-12153

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-12153

Kleber Souza
Clean cherry-pick of the fix for Trusty and Zesty, not needed for the other
supported series.

Fix is straightforward, compile tested.

Vladis Dronov (1):
  nl80211: check for the required netlink attributes presence

 net/wireless/nl80211.c | 3 +++
 1 file changed, 3 insertions(+)

--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[SRU][Trusty][Zesty][PATCH 1/1] nl80211: check for the required netlink attributes presence

Kleber Souza
From: Vladis Dronov <[hidden email]>

nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attributes presence.
This patch is based on the patch by bo Zhang.

This fixes CVE-2017-12153.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Cc: <[hidden email]> # v3.1-rc1
Reported-by: bo Zhang <[hidden email]>
Signed-off-by: Vladis Dronov <[hidden email]>
Signed-off-by: Johannes Berg <[hidden email]>

CVE-2017-12153
(cherry picked from commit e785fa0a164aa11001cba931367c7f94ffaff888)
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 net/wireless/nl80211.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0df8023f480b..fbd5593e88cb 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10903,6 +10903,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
  if (err)
  return err;
 
+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+    !tb[NL80211_REKEY_DATA_KCK])
+ return -EINVAL;
  if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
  return -ERANGE;
  if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [SRU][Trusty][Zesty][PATCH 1/1] nl80211: check for the required netlink attributes presence

Stefan Bader-2
On 06.12.2017 09:54, Kleber Sacilotto de Souza wrote:

> From: Vladis Dronov <[hidden email]>
>
> nl80211_set_rekey_data() does not check if the required attributes
> NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
> NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
> users with CAP_NET_ADMIN privilege and may result in NULL dereference
> and a system crash. Add a check for the required attributes presence.
> This patch is based on the patch by bo Zhang.
>
> This fixes CVE-2017-12153.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
> Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
> Cc: <[hidden email]> # v3.1-rc1
> Reported-by: bo Zhang <[hidden email]>
> Signed-off-by: Vladis Dronov <[hidden email]>
> Signed-off-by: Johannes Berg <[hidden email]>
>
> CVE-2017-12153
> (cherry picked from commit e785fa0a164aa11001cba931367c7f94ffaff888)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>

> ---
>  net/wireless/nl80211.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 0df8023f480b..fbd5593e88cb 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -10903,6 +10903,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
>   if (err)
>   return err;
>  
> + if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
> +    !tb[NL80211_REKEY_DATA_KCK])
> + return -EINVAL;
>   if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
>   return -ERANGE;
>   if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (836 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

ACK: [SRU][Trusty][Zesty][PATCH 1/1] nl80211: check for the required netlink attributes presence

Colin Ian King-2
In reply to this post by Kleber Souza
On 06/12/17 09:54, Kleber Sacilotto de Souza wrote:

> From: Vladis Dronov <[hidden email]>
>
> nl80211_set_rekey_data() does not check if the required attributes
> NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
> NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
> users with CAP_NET_ADMIN privilege and may result in NULL dereference
> and a system crash. Add a check for the required attributes presence.
> This patch is based on the patch by bo Zhang.
>
> This fixes CVE-2017-12153.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
> Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
> Cc: <[hidden email]> # v3.1-rc1
> Reported-by: bo Zhang <[hidden email]>
> Signed-off-by: Vladis Dronov <[hidden email]>
> Signed-off-by: Johannes Berg <[hidden email]>
>
> CVE-2017-12153
> (cherry picked from commit e785fa0a164aa11001cba931367c7f94ffaff888)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
> ---
>  net/wireless/nl80211.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 0df8023f480b..fbd5593e88cb 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -10903,6 +10903,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
>   if (err)
>   return err;
>  
> + if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
> +    !tb[NL80211_REKEY_DATA_KCK])
> + return -EINVAL;
>   if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
>   return -ERANGE;
>   if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
>
Clean cherry pick.

Acked-by: Colin Ian King <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [SRU, Trusty, Zesty, 1/1] nl80211: check for the required netlink

Thadeu Lima de Souza Cascardo-3
In reply to this post by Kleber Souza
Applied to trusty and zesty master-next branches.

Thanks.
Cascardo.

Applied-to: trusty/master-next
Applied-to: zesty/master-next

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team