[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <lsq.1507552234.50899559@decadent.org.uk>
Date: Mon, 09 Oct 2017 13:30:34 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org, "Vladis Dronov" <vdronov@...hat.com>,
"Johannes Berg" <johannes.berg@...el.com>,
"bo Zhang" <zhangbo5891001@...il.com>
Subject: [PATCH 3.2 60/74] nl80211: check for the required netlink
attributes presence
3.2.94-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vladis Dronov <vdronov@...hat.com>
commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream.
nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attributes presence.
This patch is based on the patch by bo Zhang.
This fixes CVE-2017-12153.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Reported-by: bo Zhang <zhangbo5891001@...il.com>
Signed-off-by: Vladis Dronov <vdronov@...hat.com>
Signed-off-by: Johannes Berg <johannes.berg@...el.com>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
net/wireless/nl80211.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5823,6 +5823,9 @@ static int nl80211_set_rekey_data(struct
if (err)
return err;
+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+ !tb[NL80211_REKEY_DATA_KCK])
+ return -EINVAL;
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
return -ERANGE;
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
Powered by blists - more mailing lists