[OE-core] [rocko][PATCH] libnl: fix CVE-2017-0553
Andre McCurdy
armccurdy at gmail.com
Tue May 15 20:14:03 UTC 2018
On Fri, May 11, 2018 at 4:52 PM, Andre McCurdy <armccurdy at gmail.com> wrote:
> An elevation of privilege vulnerability in libnl could enable a local
> malicious application to execute arbitrary code within the context of
> the Wi-Fi service. This issue is rated as Moderate because it first
> requires compromising a privileged process and is mitigated by
> current platform configurations. Product: Android. Versions: 5.0.2,
> 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32342065. NOTE: this
> issue also exists in the upstream libnl before 3.3.0 library.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0553
>
> Backport fix from upstream libnl 3.3.0 release:
>
> https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb
> http://lists.infradead.org/pipermail/libnl/2017-May/002313.html
Armin, please let me know if this is OK and I'll send the same fix for
pyro and morty.
> Signed-off-by: Andre McCurdy <armccurdy at gmail.com>
> ---
> ...eck-for-integer-overflow-in-nlmsg_reserve.patch | 43 ++++++++++++++++++++++
> meta/recipes-support/libnl/libnl_3.2.29.bb | 2 +
> 2 files changed, 45 insertions(+)
> create mode 100644 meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
>
> diff --git a/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
> new file mode 100644
> index 0000000..594dd06
> --- /dev/null
> +++ b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch
> @@ -0,0 +1,43 @@
> +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
> +From: Thomas Haller <thaller at redhat.com>
> +Date: Mon, 6 Feb 2017 22:23:52 +0100
> +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
> +
> +In general, libnl functions are not robust against calling with
> +invalid arguments. Thus, never call libnl functions with invalid
> +arguments. In case of nlmsg_reserve() this means never provide
> +a @len argument that causes overflow.
> +
> +Still, add an additional safeguard to avoid exploiting such bugs.
> +
> +Assume that @pad is a trusted, small integer.
> +Assume that n->nm_size is a valid number of allocated bytes (and thus
> +much smaller then SIZE_T_MAX).
> +Assume, that @len may be set to an untrusted value. Then the patch
> +avoids an integer overflow resulting in reserving too few bytes.
> +
> +Upstream-Status: Backport [https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb]
> +CVE: CVE-2017-0553
> +
> +Signed-off-by: Andre McCurdy <armccurdy at gmail.com>
> +---
> + lib/msg.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/lib/msg.c b/lib/msg.c
> +index 9af3f3a..3e27d4e 100644
> +--- a/lib/msg.c
> ++++ b/lib/msg.c
> +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
> + size_t nlmsg_len = n->nm_nlh->nlmsg_len;
> + size_t tlen;
> +
> ++ if (len > n->nm_size)
> ++ return NULL;
> ++
> + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
> +
> + if ((tlen + nlmsg_len) > n->nm_size)
> +--
> +1.9.1
> +
> diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb
> index 7d4839b..4ce80e8 100644
> --- a/meta/recipes-support/libnl/libnl_3.2.29.bb
> +++ b/meta/recipes-support/libnl/libnl_3.2.29.bb
> @@ -12,7 +12,9 @@ DEPENDS = "flex-native bison-native"
> SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \
> file://fix-pktloc_syntax_h-race.patch \
> file://fix-pc-file.patch \
> + file://lib-check-for-integer-overflow-in-nlmsg_reserve.patch \
> "
> +
> UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"
>
> SRC_URI[md5sum] = "a8ba62a5c4f883f4e493a46d1f3733fe"
> --
> 1.9.1
>
More information about the Openembedded-core
mailing list