From patchwork Sun Nov 17 23:23:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anuj Mittal X-Patchwork-Id: 179575 Delivered-To: patch@linaro.org Received: by 2002:a92:38d5:0:0:0:0:0 with SMTP id g82csp2154661ilf; Sun, 17 Nov 2019 15:25:14 -0800 (PST) X-Google-Smtp-Source: APXvYqySK3fEzLhg0ucZAnHalxr1TVMkDlzjd54r2BMzhD9SjERrtXgo64AqYWVs1VXd/cKrCjQL X-Received: by 2002:a63:5c21:: with SMTP id q33mr21041391pgb.61.1574033114618; Sun, 17 Nov 2019 15:25:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1574033114; cv=none; d=google.com; s=arc-20160816; b=jd1TNhmXR58UkrPXVfuIZCO7aVVg+95RARjUPJb+51auEJ6NhIGqXLXCmGRcBWF0RL foAkRpBnhEUSkqx8MiBEkNEPCj8Fzekje4AS7oP4QPajYI1wH1VksazNjNHxVSYej3dM 3DBeQsgS5hkcNRcJ7T8MharuyWmL3A44xuZVCY1xDjQd7WT8VN3ogyk0v8wJY+sO6FZY cDHM4bjyJv5Ycrje3qbvjZ29w2JbsThCnENiwOdKAdjg3Px43KPYvkLyNI1ZjCOtIBEb gIaINfgg9D/b+sBUD0lw7mI67DMrGO27nP8yh92dxQi+13i2ZxiBoOztu4imN/Ba18JR viwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :delivered-to; bh=Wu76J7y8shIByiwd0Hn2MQ4yahH0TN2Ugdan7WQoxFk=; b=tNnKI8Bgl0Hh7CkT1/5zjP4uWetCdHD7JU3+8TzoUbIASm+KPCY/FmrHYycb8OaQ5v RxnVqc2n1PA9ZEXweTk6w/pvonLV+qat1wTFUMkSsGYG41bw1CfEgWwgl7vNHsegbI0/ KrawBxiaZmEJ8NeK8MTSt9ebkbdWi8lUQC6/MyuiJpirS8jQ2wf0Rkt9hbnGDPchU1Bj hIwULjC4bOxIhZATI+aWFJGGxcAlj8KFTWtzruLhgoGtqSv490OG6IjxgmL2N85XcQxQ QYHMje1crcfZRMH8r+AyBi/4CkizvT8aqiM3SGS+Z4jo0HNwgFZFnDxzoKOAXY+V6HXe juYw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id w7si18045068pge.344.2019.11.17.15.25.14; Sun, 17 Nov 2019 15:25:14 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id DA9CE7F931; Sun, 17 Nov 2019 23:25:08 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by mail.openembedded.org (Postfix) with ESMTP id 9C0DB7F96B for ; Sun, 17 Nov 2019 23:24:15 +0000 (UTC) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Nov 2019 15:24:16 -0800 X-IronPort-AV: E=Sophos;i="5.68,318,1569308400"; d="scan'208";a="195955428" Received: from anmitta2-mobl1.gar.corp.intel.com ([10.221.20.29]) by orsmga007-auth.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Nov 2019 15:24:16 -0800 From: Anuj Mittal To: openembedded-core@lists.openembedded.org Date: Mon, 18 Nov 2019 07:23:33 +0800 Message-Id: <20191117232337.5635-4-anuj.mittal@intel.com> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20191117232337.5635-1-anuj.mittal@intel.com> References: <20191117232337.5635-1-anuj.mittal@intel.com> MIME-Version: 1.0 Subject: [OE-core] [zeus][PATCH 3/7] wpa-supplicant: fix CVE-2019-16275 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org From: Ross Burton (From OE-Core rev: d7b5a2ebdb6e74a21059ac2496b5dbea4597eb87) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Anuj Mittal --- ...re-management-frame-from-unexpected-.patch | 82 +++++++++++++++++++ .../wpa-supplicant/wpa-supplicant_2.9.bb | 1 + 2 files changed, 83 insertions(+) create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch -- 2.21.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch new file mode 100644 index 0000000000..7b0713cf6d --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch @@ -0,0 +1,82 @@ +hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication +of disconnection in certain situations because source address validation is +mishandled. This is a denial of service that should have been prevented by PMF +(aka management frame protection). The attacker must send a crafted 802.11 frame +from a location that is within the 802.11 communications range. + +CVE: CVE-2019-16275 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 29 Aug 2019 11:52:04 +0300 +Subject: [PATCH] AP: Silently ignore management frame from unexpected source + address + +Do not process any received Management frames with unexpected/invalid SA +so that we do not add any state for unexpected STA addresses or end up +sending out frames to unexpected destination. This prevents unexpected +sequences where an unprotected frame might end up causing the AP to send +out a response to another device and that other device processing the +unexpected response. + +In particular, this prevents some potential denial of service cases +where the unexpected response frame from the AP might result in a +connected station dropping its association. + +Signed-off-by: Jouni Malinen +--- + src/ap/drv_callbacks.c | 13 +++++++++++++ + src/ap/ieee802_11.c | 12 ++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c +index 31587685fe3b..34ca379edc3d 100644 +--- a/src/ap/drv_callbacks.c ++++ b/src/ap/drv_callbacks.c +@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, + "hostapd_notif_assoc: Skip event with no address"); + return -1; + } ++ ++ if (is_multicast_ether_addr(addr) || ++ is_zero_ether_addr(addr) || ++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR ++ " in received indication - ignore this indication silently", ++ __func__, MAC2STR(addr)); ++ return 0; ++ } ++ + random_add_randomness(addr, ETH_ALEN); + + hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211, +diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c +index c85a28db44b7..e7065372e158 100644 +--- a/src/ap/ieee802_11.c ++++ b/src/ap/ieee802_11.c +@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len, + fc = le_to_host16(mgmt->frame_control); + stype = WLAN_FC_GET_STYPE(fc); + ++ if (is_multicast_ether_addr(mgmt->sa) || ++ is_zero_ether_addr(mgmt->sa) || ++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) { ++ /* Do not process any frames with unexpected/invalid SA so that ++ * we do not add any state for unexpected STA addresses or end ++ * up sending out frames to unexpected destination. */ ++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR ++ " in received frame - ignore this frame silently", ++ MAC2STR(mgmt->sa)); ++ return 0; ++ } ++ + if (stype == WLAN_FC_STYPE_BEACON) { + handle_beacon(hapd, mgmt, len, fi); + return 1; +-- +2.20.1 diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb index c16978cfe8..2db09ad2c6 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb @@ -25,6 +25,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://wpa_supplicant.conf-sane \ file://99_wpa_supplicant \ file://0001-replace-systemd-install-Alias-with-WantedBy.patch \ + file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \ " SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"