fix CVE-2021-27803

2021-03-11 16:47:03 +08:00 · 2021-03-11 16:47:03 +08:00 · 2fd837fb71
commit 2fd837fb71
parent 78d8e617d1
2 changed files with 141 additions and 88 deletions
--- a/CVE-2021-27803.patch
+++ b/CVE-2021-27803.patch
@ -0,0 +1,50 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec0..05fd593 100644
+--- a/src/p2p/p2p_pd.c
+++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ 			goto out;
+ 		}
+ 
+		dev = p2p_get_device(p2p, sa);
+ 		if (!dev) {
+-			dev = p2p_get_device(p2p, sa);
+-			if (!dev) {
+-				p2p_dbg(p2p,
+-					"Provision Discovery device not found "
+-					MACSTR, MAC2STR(sa));
+-				goto out;
+-			}
+			p2p_dbg(p2p,
+				"Provision Discovery device not found "
+				MACSTR, MAC2STR(sa));
+			goto out;
+ 		}
+ 	} else if (msg.wfd_subelems) {
+ 		wpabuf_free(dev->info.wfd_subelems);
+-- 
+cgit v0.12
+
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@ -1,9 +1,9 @@
 Name:          wpa_supplicant
 Epoch:         1
 Version:       2.6
-Release:       27
+Release:       28
 Summary:       A WPA Supplicant with support for WPA and WPA2 (IEEE 802.11i / RSN)
-License:       BSD
+License:       BSD or GPLv2
 Url:           https://w1.fi/wpa_supplicant/
 Source0:       http://w1.fi/releases/%{name}-%{version}.tar.gz
 Source1:       build-config
@ -13,92 +13,92 @@ Source5:       %{name}.logrotate

 #patches number ranging between [0,6000) are from fedora/redhat upstream
 #patches number ranging between [6000,9000) are backport from higher versions, including some CVE fixes
-Patch6000:     macsec-0001-mka-Move-structs-transmit-receive-_-sa-sc-to-a-commo.patch
-Patch6001:     macsec-0002-mka-Pass-full-structures-down-to-macsec-drivers-pack.patch
-Patch6002:     macsec-0003-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
-Patch6003:     macsec-0004-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
-Patch6004:     macsec-0005-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
-Patch6005:     macsec-0006-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
-Patch6006:     macsec-0007-mka-Add-driver-op-to-get-macsec-capabilities.patch
-Patch6007:     macsec-0008-mka-Remove-channel-hacks-from-the-stack-and-the-macs.patch
-Patch6008:     macsec-0009-mka-Sync-structs-definitions-with-IEEE-Std-802.1X-20.patch
-Patch6009:     macsec-0010-mka-Add-support-for-removing-SAs.patch
-Patch6010:     macsec-0011-mka-Implement-reference-counting-on-data_key.patch
-Patch6011:     macsec-0012-mka-Fix-getting-capabilities-from-the-driver.patch
-Patch6012:     macsec-0013-wpa_supplicant-Allow-pre-shared-CAK-CKN-pair-for-MKA.patch
-Patch6013:     macsec-0014-mka-Disable-peer-detection-timeout-for-PSK-mode.patch
-Patch6014:     macsec-0015-wpa_supplicant-Add-macsec_integ_only-setting-for-MKA.patch
-Patch6015:     macsec-0016-mka-Add-enable_encrypt-op-and-call-it-from-CP-state-.patch
-Patch6016:     macsec-0017-wpa_supplicant-Allow-configuring-the-MACsec-port-for.patch
-Patch6017:     macsec-0018-drivers-Move-common-definitions-for-wired-drivers-ou.patch
-Patch6018:     macsec-0019-drivers-Move-wired_multicast_membership-to-a-common-.patch
-Patch6019:     macsec-0020-drivers-Move-driver_wired_multi-to-a-common-file.patch
-Patch6020:     macsec-0021-drivers-Move-driver_wired_get_ifflags-to-a-common-fi.patch
-Patch6021:     macsec-0022-drivers-Move-driver_wired_set_ifflags-to-a-common-fi.patch
-Patch6022:     macsec-0023-drivers-Move-driver_wired_get_ifstatus-to-a-common-f.patch
-Patch6023:     macsec-0024-drivers-Move-driver_wired_init_common-to-a-common-fi.patch
-Patch6024:     macsec-0025-drivers-Move-driver_wired_deinit_common-to-a-common-.patch
-Patch6025:     macsec-0026-drivers-Move-driver_wired_get_capa-to-a-common-file.patch
-Patch6026:     macsec-0027-drivers-Move-driver_wired_get_bssid-to-a-common-file.patch
-Patch6027:     macsec-0028-drivers-Move-driver_wired_get_ssid-to-a-common-file.patch
-Patch6028:     macsec-0029-macsec_linux-Add-a-driver-for-macsec-on-Linux-kernel.patch
-Patch6029:     macsec-0030-mka-Remove-references-to-macsec_qca-from-wpa_supplic.patch
-Patch6030:     macsec-0031-PAE-Make-KaY-specific-details-available-via-control-.patch
-Patch6031:     macsec-0032-mka-Make-MKA-actor-priority-configurable.patch
-Patch6032:     macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch
-Patch6033:     macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
-Patch6034:     macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
-Patch6035:     macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
-Patch6036:     macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
-Patch6037:     macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
-Patch6038:     macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
-Patch6039:     rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
-Patch6040:     rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
-Patch6041:     rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
-Patch6042:     rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
-Patch6043:     rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
-Patch6044:     rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
-Patch6045:     rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
-Patch6046:     rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
-Patch6047:     rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch
-Patch6048:     rh1462262-use-system-openssl-ciphers.patch
-Patch6049:     rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
-Patch6050:     rh1497640-mka-add-error-handling-for-secy_init_macsec.patch
-Patch6051:     rh1497640-pae-validate-input-before-pointer.patch
-Patch6052:     rh1567474-0002-D-Bus-Add-pmf-to-global-capabilities.patch
-Patch6053:     rh1570903-nl80211-Fix-NL80211_ATTR_SMPS_MODE-encoding.patch
-Patch6054:     CVE-2019-9496-SAE-Fix-confirm-message-validation-in-error-cases.patch
-Patch6055:     CVE-2019-9494-1.patch
-Patch6056:     CVE-2019-9494-2.patch
-Patch6057:     CVE-2019-9494-3.patch
-Patch6058:     CVE-2019-9494-4.patch
-Patch6059:     CVE-2019-9494-5.patch
-Patch6060:     CVE-2019-9494-6.patch
-Patch6061:     CVE-2019-9494-7.patch
-Patch6062:     CVE-2019-9494-8.patch
-Patch6063:     CVE-2019-16275.patch
-Patch6064:     CVE-2019-9497.patch
-Patch6065:     CVE-2019-9498-and-CVE-2019-9499.patch
-Patch6066:     CVE-2019-11555-1.patch
-Patch6067:     CVE-2019-11555-2.patch
-Patch6068:     rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
-Patch6069:     CVE-2019-9499.patch
-Patch6070:     CVE-2019-9495-pre1.patch
-Patch6071:     CVE-2019-9495-pre2.patch
-Patch6072:     CVE-2019-9495-pre3.patch
-Patch6073:     CVE-2019-9495.patch
-Patch6074:     CVE-2019-13377-1.patch
-Patch6075:     CVE-2019-13377-2-pre1.patch
-Patch6076:     CVE-2019-13377-2-pre.patch
-Patch6077:     CVE-2019-13377-2.patch
-Patch6078:     CVE-2019-13377-3.patch
-Patch6079:     CVE-2019-13377-4.patch
-Patch60710:    CVE-2019-13377-5.patch
-Patch60711:    CVE-2019-13377-6-pre.patch
-Patch60712:    CVE-2019-13377-6.patch
-
-Patch9000:     add-options-of-wpa_supplicant-service.patch
-Patch9001:     allow-to-override-names-of-qt4-tools.patch
+Patch0:        macsec-0001-mka-Move-structs-transmit-receive-_-sa-sc-to-a-commo.patch
+Patch1:        macsec-0002-mka-Pass-full-structures-down-to-macsec-drivers-pack.patch
+Patch2:        macsec-0003-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
+Patch3:        macsec-0004-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
+Patch4:        macsec-0005-mka-Pass-full-structures-down-to-macsec-drivers-tran.patch
+Patch5:        macsec-0006-mka-Pass-full-structures-down-to-macsec-drivers-rece.patch
+Patch6:        macsec-0007-mka-Add-driver-op-to-get-macsec-capabilities.patch
+Patch7:        macsec-0008-mka-Remove-channel-hacks-from-the-stack-and-the-macs.patch
+Patch8:        macsec-0009-mka-Sync-structs-definitions-with-IEEE-Std-802.1X-20.patch
+Patch9:        macsec-0010-mka-Add-support-for-removing-SAs.patch
+Patch10:       macsec-0011-mka-Implement-reference-counting-on-data_key.patch
+Patch11:       macsec-0012-mka-Fix-getting-capabilities-from-the-driver.patch
+Patch12:       macsec-0013-wpa_supplicant-Allow-pre-shared-CAK-CKN-pair-for-MKA.patch
+Patch13:       macsec-0014-mka-Disable-peer-detection-timeout-for-PSK-mode.patch
+Patch14:       macsec-0015-wpa_supplicant-Add-macsec_integ_only-setting-for-MKA.patch
+Patch15:       macsec-0016-mka-Add-enable_encrypt-op-and-call-it-from-CP-state-.patch
+Patch16:       macsec-0017-wpa_supplicant-Allow-configuring-the-MACsec-port-for.patch
+Patch17:       macsec-0018-drivers-Move-common-definitions-for-wired-drivers-ou.patch
+Patch18:       macsec-0019-drivers-Move-wired_multicast_membership-to-a-common-.patch
+Patch19:       macsec-0020-drivers-Move-driver_wired_multi-to-a-common-file.patch
+Patch20:       macsec-0021-drivers-Move-driver_wired_get_ifflags-to-a-common-fi.patch
+Patch21:       macsec-0022-drivers-Move-driver_wired_set_ifflags-to-a-common-fi.patch
+Patch22:       macsec-0023-drivers-Move-driver_wired_get_ifstatus-to-a-common-f.patch
+Patch23:       macsec-0024-drivers-Move-driver_wired_init_common-to-a-common-fi.patch
+Patch24:       macsec-0025-drivers-Move-driver_wired_deinit_common-to-a-common-.patch
+Patch25:       macsec-0026-drivers-Move-driver_wired_get_capa-to-a-common-file.patch
+Patch26:       macsec-0027-drivers-Move-driver_wired_get_bssid-to-a-common-file.patch
+Patch27:       macsec-0028-drivers-Move-driver_wired_get_ssid-to-a-common-file.patch
+Patch28:       macsec-0029-macsec_linux-Add-a-driver-for-macsec-on-Linux-kernel.patch
+Patch29:       macsec-0030-mka-Remove-references-to-macsec_qca-from-wpa_supplic.patch
+Patch30:       macsec-0031-PAE-Make-KaY-specific-details-available-via-control-.patch
+Patch31:       macsec-0032-mka-Make-MKA-actor-priority-configurable.patch
+Patch32:       macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch
+Patch33:       macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
+Patch34:       macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
+Patch35:       macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
+Patch36:       macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
+Patch37:       macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
+Patch38:       macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
+Patch39:       rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
+Patch40:       rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
+Patch41:       rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
+Patch42:       rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
+Patch43:       rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
+Patch44:       rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
+Patch45:       rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
+Patch46:       rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+Patch47:       rh1451834-nl80211-Fix-race-condition-in-detecting-MAC-change.patch
+Patch48:       rh1462262-use-system-openssl-ciphers.patch
+Patch49:       rh1465138-openssl-Fix-openssl-1-1-private-key-callback.patch
+Patch50:       rh1497640-mka-add-error-handling-for-secy_init_macsec.patch
+Patch51:       rh1497640-pae-validate-input-before-pointer.patch
+Patch52:       rh1567474-0002-D-Bus-Add-pmf-to-global-capabilities.patch
+Patch53:       rh1570903-nl80211-Fix-NL80211_ATTR_SMPS_MODE-encoding.patch
+Patch54:       CVE-2019-9496-SAE-Fix-confirm-message-validation-in-error-cases.patch
+Patch55:       CVE-2019-9494-1.patch
+Patch56:       CVE-2019-9494-2.patch
+Patch57:       CVE-2019-9494-3.patch
+Patch58:       CVE-2019-9494-4.patch
+Patch59:       CVE-2019-9494-5.patch
+Patch60:       CVE-2019-9494-6.patch
+Patch61:       CVE-2019-9494-7.patch
+Patch62:       CVE-2019-9494-8.patch
+Patch63:       CVE-2019-16275.patch
+Patch64:       CVE-2019-9497.patch
+Patch65:       CVE-2019-9498-and-CVE-2019-9499.patch
+Patch66:       CVE-2019-11555-1.patch
+Patch67:       CVE-2019-11555-2.patch
+Patch68:       rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+Patch69:       CVE-2019-9499.patch
+Patch70:       CVE-2019-9495-pre1.patch
+Patch71:       CVE-2019-9495-pre2.patch
+Patch72:       CVE-2019-9495-pre3.patch
+Patch73:       CVE-2019-9495.patch
+Patch74:       CVE-2019-13377-1.patch
+Patch75:       CVE-2019-13377-2-pre1.patch
+Patch76:       CVE-2019-13377-2-pre.patch
+Patch77:       CVE-2019-13377-2.patch
+Patch78:       CVE-2019-13377-3.patch
+Patch79:       CVE-2019-13377-4.patch
+Patch80:       CVE-2019-13377-5.patch
+Patch81:       CVE-2019-13377-6-pre.patch
+Patch82:       CVE-2019-13377-6.patch
+Patch83:       add-options-of-wpa_supplicant-service.patch
+Patch84:       allow-to-override-names-of-qt4-tools.patch
+Patch85:       CVE-2021-27803.patch

 BuildRequires: qt-devel >= 4.0 openssl-devel readline-devel dbus-devel libnl3-devel systemd-units docbook-utils
 Requires(post): systemd-sysv
@ -192,6 +192,9 @@ install -m644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
 %{_mandir}/man5/*

 %changelog
+* Thu Mar 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:2.6-28
+- fix CVE-2021-27803
+
 * Thu Dec 24 2020 wuchaochao <wuchaochao4@huawei.com> - 1:2.6-27
 - Type:cves
 - ID: CVE-2019-13377