CVE-2011-2517: kernel: nl80211: missing check for valid SSID size in scan operations

2011-07-06 09:25:53 -04:00 · 2011-07-06 09:25:53 -04:00 · 5d1e28000d
parent 10aa0c1bf7
commit 5d1e28000d
3 changed files with 93 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -780,6 +780,9 @@ Patch12419: iwlagn-use-cts-to-self-protection-on-5000-adapters-series.patch

 Patch12420: crypto-aesni_intel-merge-with-fpu_ko.patch

+Patch12430: nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
+Patch12431: nl80211-fix-overflow-in-ssid_len.patch.patch
+
 %endif

 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1335,6 +1338,9 @@ ApplyPatch hda_intel-prealloc-4mb-dmabuffer.patch
 ApplyPatch bluetooth-device-ids-for-ath3k-on-pegatron-lucid-tablets.patch
 # CVE-2011-2497
 ApplyPatch bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
+# CVE-2011-2517
+ApplyPatch nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
+ApplyPatch nl80211-fix-overflow-in-ssid_len.patch.patch

 # Misc fixes
 # The input layer spews crap no-one cares about.
@ -2073,6 +2079,7 @@ fi
 - Revert SCSI/block patches from 2.6.38.6 that caused more problems
  than they fixed; drop band-aid patch attempting to fix the fix.
 - CVE-2011-2497: kernel: bluetooth: buffer overflow in l2cap config request
+- CVE-2011-2517: kernel: nl80211: missing check for valid SSID size in scan operations

 * Mon Jun 27 2011 Dave Jones <davej@redhat.com>
 - Disable CONFIG_CRYPTO_MANAGER_DISABLE_TESTS, as this also disables FIPS (rhbz 716942)
--- a/nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
+++ b/nl80211-fix-check-for-valid-ssid-size-in-scan-operations.patch
@ -0,0 +1,42 @@
+From: Luciano Coelho <coelho@ti.com>
+Date: Wed, 18 May 2011 21:43:38 +0000 (+0300)
+Subject: nl80211: fix check for valid SSID size in scan operations
+X-Git-Tag: v3.0-rc2~7^2~16^2~12
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=208c72f4fe44fe09577e7975ba0e7fa0278f3d03
+
+nl80211: fix check for valid SSID size in scan operations
+[ 2.6.38 backport ]
+
+In both trigger_scan and sched_scan operations, we were checking for
+the SSID length before assigning the value correctly.  Since the
+memory was just kzalloc'ed, the check was always failing and SSID with
+over 32 characters were allowed to go through.
+
+This was causing a buffer overflow when copying the actual SSID to the
+proper place.
+
+This bug has been there since 2.6.29-rc4.
+
+Cc: stable@kernel.org
+Signed-off-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index ec83f41..88a565f 100644
+--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
+@@ -3406,12 +3406,12 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
+ 	i = 0;
+ 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
+			request->ssids[i].ssid_len = nla_len(attr);
+ 			if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
+ 				err = -EINVAL;
+ 				goto out_free;
+ 			}
+ 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+-			request->ssids[i].ssid_len = nla_len(attr);
+ 			i++;
+ 		}
+ 	}
--- a/nl80211-fix-overflow-in-ssid_len.patch.patch
+++ b/nl80211-fix-overflow-in-ssid_len.patch.patch
@ -0,0 +1,44 @@
+From: Luciano Coelho <coelho@ti.com>
+Date: Tue, 7 Jun 2011 17:42:26 +0000 (+0300)
+Subject: nl80211: fix overflow in ssid_len
+X-Git-Tag: v3.0-rc4~5^2~13^2~6
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=57a27e1d6a3bb9ad4efeebd3a8c71156d6207536
+
+nl80211: fix overflow in ssid_len
+[ 2.6.38 backport ]
+
+When one of the SSID's length passed in a scan or sched_scan request
+is larger than 255, there will be an overflow in the u8 that is used
+to store the length before checking.  This causes the check to fail
+and we overrun the buffer when copying the SSID.
+
+Fix this by checking the nl80211 attribute length before copying it to
+the struct.
+
+This is a follow up for the previous commit
+208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
+entirely.
+
+Reported-by: Ido Yariv <ido@wizery.com>
+Signed-off-by: Luciano Coelho <coelho@ti.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 88a565f..98fa8eb 100644
+--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
+@@ -3406,11 +3406,11 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
+ 	i = 0;
+ 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+ 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
+-			request->ssids[i].ssid_len = nla_len(attr);
+-			if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) {
+			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
+ 				err = -EINVAL;
+ 				goto out_free;
+ 			}
+			request->ssids[i].ssid_len = nla_len(attr);
+ 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
+ 			i++;
+ 		}