[morty][PATCH] libnl: fix CVE-2017-0553

* [morty][PATCH] libnl: fix CVE-2017-0553
@ 2018-05-17 22:19 Andre McCurdy
  2018-06-25 19:48 ` Andre McCurdy
  0 siblings, 1 reply; 3+ messages in thread
From: Andre McCurdy @ 2018-05-17 22:19 UTC (permalink / raw)
  To: openembedded-core

An elevation of privilege vulnerability in libnl could enable a local
malicious application to execute arbitrary code within the context of
the Wi-Fi service. This issue is rated as Moderate because it first
requires compromising a privileged process and is mitigated by
current platform configurations. Product: Android. Versions: 5.0.2,
5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32342065. NOTE: this
issue also exists in the upstream libnl before 3.3.0 library.

  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0553

Backport fix from upstream 3.3.0 release:

  https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb
  http://lists.infradead.org/pipermail/libnl/2017-May/002313.html

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
---
 ...eck-for-integer-overflow-in-nlmsg_reserve.patch | 43 ++++++++++++++++++++++
 meta/recipes-support/libnl/libnl_3.2.28.bb         |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch

diff --git a/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
new file mode 100644
index 0000000..9e22c40
--- /dev/null
+++ b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
@@ -0,0 +1,43 @@
+From 1db543374db3e58faacdfd91e5061a8a595ce505 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 6 Feb 2017 22:23:52 +0100
+Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
+
+In general, libnl functions are not robust against calling with
+invalid arguments. Thus, never call libnl functions with invalid
+arguments. In case of nlmsg_reserve() this means never provide
+a @len argument that causes overflow.
+
+Still, add an additional safeguard to avoid exploiting such bugs.
+
+Assume that @pad is a trusted, small integer.
+Assume that n->nm_size is a valid number of allocated bytes (and thus
+much smaller then SIZE_T_MAX).
+Assume, that @len may be set to an untrusted value. Then the patch
+avoids an integer overflow resulting in reserving too few bytes.
+
+Upstream-Status: Backport [https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb]
+CVE: CVE-2017-0553
+
+Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
+---
+ lib/msg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/msg.c b/lib/msg.c
+index e8a7e99..f30fd2d 100644
+--- a/lib/msg.c
++++ b/lib/msg.c
+@@ -410,6 +410,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
+ 	size_t nlmsg_len = n->nm_nlh->nlmsg_len;
+ 	size_t tlen;
+ 
++	if (len > n->nm_size)
++		return NULL;
++
+ 	tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
+ 
+ 	if ((tlen + nlmsg_len) > n->nm_size)
+-- 
+1.9.1
+
diff --git a/meta/recipes-support/libnl/libnl_3.2.28.bb b/meta/recipes-support/libnl/libnl_3.2.28.bb
index 26982f3..a74b455 100644
--- a/meta/recipes-support/libnl/libnl_3.2.28.bb
+++ b/meta/recipes-support/libnl/libnl_3.2.28.bb
@@ -12,6 +12,7 @@ DEPENDS = "flex-native bison-native"
 SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV', True).replace('.','_')}/${BP}.tar.gz \
            file://fix-pktloc_syntax_h-race.patch \
            file://fix-pc-file.patch \
+           file://lib-check-for-integer-overflow-in-nlmsg_reserve.patch \
            file://0001-lib-add-utility-function-nl_strerror_l.patch \
            file://0002-lib-switch-to-using-strerror_l-instead-of-strerror_r.patch \
            file://0003-src-switch-to-using-strerror_l-instead-of-strerror_r.patch \
-- 
1.9.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread