From e4b9de02a14e0905261690b8857ad2f79ac77b976f0a440d55a626b0181a4ea3 Mon Sep 17 00:00:00 2001 From: Clemens Famulla-Conrad Date: Thu, 4 Feb 2021 22:38:02 +0000 Subject: [PATCH] Accepting request 869589 from home:cfconrad:branches:hardware - Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777) OBS-URL: https://build.opensuse.org/request/show/869589 OBS-URL: https://build.opensuse.org/package/show/hardware/wpa_supplicant?expand=0&rev=120 --- CVE-2021-0326.patch | 38 ++++++++++++++++++++++++++++++++++++++ wpa_supplicant.changes | 6 ++++++ wpa_supplicant.spec | 3 ++- 3 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-0326.patch diff --git a/CVE-2021-0326.patch b/CVE-2021-0326.patch new file mode 100644 index 0000000..763c8bd --- /dev/null +++ b/CVE-2021-0326.patch @@ -0,0 +1,38 @@ +From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Mon, 9 Nov 2020 11:43:12 +0200 +Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group + client + +Parsing and copying of WPS secondary device types list was verifying +that the contents is not too long for the internal maximum in the case +of WPS messages, but similar validation was missing from the case of P2P +group information which encodes this information in a different +attribute. This could result in writing beyond the memory area assigned +for these entries and corrupting memory within an instance of struct +p2p_device. This could result in invalid operations and unexpected +behavior when trying to free pointers from that corrupted memory. + +Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 +Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers") +Signed-off-by: Jouni Malinen +--- + src/p2p/p2p.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c +index 74b7b52ae05c..5cbfc217fc1f 100644 +--- a/src/p2p/p2p.c ++++ b/src/p2p/p2p.c +@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev, + dev->info.config_methods = cli->config_methods; + os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8); + dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types; ++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN) ++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN; + os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types, + dev->info.wps_sec_dev_type_list_len); + } +-- +2.25.1 + diff --git a/wpa_supplicant.changes b/wpa_supplicant.changes index a6e77cf..88100ba 100644 --- a/wpa_supplicant.changes +++ b/wpa_supplicant.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Feb 4 12:27:02 UTC 2021 - Clemens Famulla-Conrad + +- Add CVE-2021-0326.patch -- P2P group information processing vulnerability + (bsc#1181777) + ------------------------------------------------------------------- Tue Oct 6 15:20:18 UTC 2020 - Florian diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec index 5a2b51e..e89ca53 100644 --- a/wpa_supplicant.spec +++ b/wpa_supplicant.spec @@ -1,7 +1,7 @@ # # spec file for package wpa_supplicant # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -42,6 +42,7 @@ Patch5: wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff Patch6: restore-old-dbus-interface.patch Patch7: CVE-2019-16275.patch Patch8: wpa_supplicant-p2p_iname_size.diff +Patch9: CVE-2021-0326.patch BuildRequires: pkgconfig BuildRequires: readline-devel BuildRequires: systemd-rpm-macros