On 05/15/2018 01:14 PM, Andre McCurdy wrote: > On Fri, May 11, 2018 at 4:52 PM, Andre McCurdy <[email protected]> wrote: >> An elevation of privilege vulnerability in libnl could enable a local >> malicious application to execute arbitrary code within the context of >> the Wi-Fi service. This issue is rated as Moderate because it first >> requires compromising a privileged process and is mitigated by >> current platform configurations. Product: Android. Versions: 5.0.2, >> 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32342065. NOTE: this >> issue also exists in the upstream libnl before 3.3.0 library. >> >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0553 >> >> Backport fix from upstream libnl 3.3.0 release: >> >> >> https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb >> http://lists.infradead.org/pipermail/libnl/2017-May/002313.html > Armin, please let me know if this is OK and I'll send the same fix for > pyro and morty.
this is fine. I have it in stable/rocko-mnut pending build rotation thanks, Armin > >> Signed-off-by: Andre McCurdy <[email protected]> >> --- >> ...eck-for-integer-overflow-in-nlmsg_reserve.patch | 43 >> ++++++++++++++++++++++ >> meta/recipes-support/libnl/libnl_3.2.29.bb | 2 + >> 2 files changed, 45 insertions(+) >> create mode 100644 >> meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch >> >> diff --git >> a/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch >> >> b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch >> new file mode 100644 >> index 0000000..594dd06 >> --- /dev/null >> +++ >> b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch >> @@ -0,0 +1,43 @@ >> +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001 >> +From: Thomas Haller <[email protected]> >> +Date: Mon, 6 Feb 2017 22:23:52 +0100 >> +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve() >> + >> +In general, libnl functions are not robust against calling with >> +invalid arguments. Thus, never call libnl functions with invalid >> +arguments. In case of nlmsg_reserve() this means never provide >> +a @len argument that causes overflow. >> + >> +Still, add an additional safeguard to avoid exploiting such bugs. >> + >> +Assume that @pad is a trusted, small integer. >> +Assume that n->nm_size is a valid number of allocated bytes (and thus >> +much smaller then SIZE_T_MAX). >> +Assume, that @len may be set to an untrusted value. Then the patch >> +avoids an integer overflow resulting in reserving too few bytes. >> + >> +Upstream-Status: Backport >> [https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb] >> +CVE: CVE-2017-0553 >> + >> +Signed-off-by: Andre McCurdy <[email protected]> >> +--- >> + lib/msg.c | 3 +++ >> + 1 file changed, 3 insertions(+) >> + >> +diff --git a/lib/msg.c b/lib/msg.c >> +index 9af3f3a..3e27d4e 100644 >> +--- a/lib/msg.c >> ++++ b/lib/msg.c >> +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int >> pad) >> + size_t nlmsg_len = n->nm_nlh->nlmsg_len; >> + size_t tlen; >> + >> ++ if (len > n->nm_size) >> ++ return NULL; >> ++ >> + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; >> + >> + if ((tlen + nlmsg_len) > n->nm_size) >> +-- >> +1.9.1 >> + >> diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb >> b/meta/recipes-support/libnl/libnl_3.2.29.bb >> index 7d4839b..4ce80e8 100644 >> --- a/meta/recipes-support/libnl/libnl_3.2.29.bb >> +++ b/meta/recipes-support/libnl/libnl_3.2.29.bb >> @@ -12,7 +12,9 @@ DEPENDS = "flex-native bison-native" >> SRC_URI = >> "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz >> \ >> file://fix-pktloc_syntax_h-race.patch \ >> file://fix-pc-file.patch \ >> + file://lib-check-for-integer-overflow-in-nlmsg_reserve.patch \ >> " >> + >> UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"; >> >> SRC_URI[md5sum] = "a8ba62a5c4f883f4e493a46d1f3733fe" >> -- >> 1.9.1 >> -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
