import wpa_supplicant-2.9-2.el8

2020-04-28 05:39:48 -04:00 · 2020-04-28 05:39:48 -04:00 · 1755e4dcde
commit 1755e4dcde
parent c1f5a8d0bf
7 changed files with 308 additions and 28 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/wpa_supplicant-2.7.tar.gz
+SOURCES/wpa_supplicant-2.9.tar.gz
--- a/.wpa_supplicant.metadata
+++ b/.wpa_supplicant.metadata
@ -1 +1 @@
-3c3c2c6bc493fb32b919d9b410768324f3729e25 SOURCES/wpa_supplicant-2.7.tar.gz
+b784c0e5e56889c81d027757a4623659bf15f9a8 SOURCES/wpa_supplicant-2.9.tar.gz
--- a/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
+++ b/SOURCES/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c    | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ 			   "hostapd_notif_assoc: Skip event with no address");
+ 		return -1;
+ 	}
+
+	if (is_multicast_ether_addr(addr) ||
+	    is_zero_ether_addr(addr) ||
+	    os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
+		/* Do not process any frames with unexpected/invalid SA so that
+		 * we do not add any state for unexpected STA addresses or end
+		 * up sending out frames to unexpected destination. */
+		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
+			   " in received indication - ignore this indication silently",
+			   __func__, MAC2STR(addr));
+		return 0;
+	}
+
+ 	random_add_randomness(addr, ETH_ALEN);
+ 
+ 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ 	fc = le_to_host16(mgmt->frame_control);
+ 	stype = WLAN_FC_GET_STYPE(fc);
+ 
+	if (is_multicast_ether_addr(mgmt->sa) ||
+	    is_zero_ether_addr(mgmt->sa) ||
+	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
+		/* Do not process any frames with unexpected/invalid SA so that
+		 * we do not add any state for unexpected STA addresses or end
+		 * up sending out frames to unexpected destination. */
+		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
+			   " in received frame - ignore this frame silently",
+			   MAC2STR(mgmt->sa));
+		return 0;
+	}
+
+ 	if (stype == WLAN_FC_STYPE_BEACON) {
+ 		handle_beacon(hapd, mgmt, len, fi);
+ 		return 1;
+-- 
+2.20.1
+
--- a/SOURCES/build-config
+++ b/SOURCES/build-config
@ -38,3 +38,8 @@ CONFIG_IBSS_RSN=y
 CONFIG_IEEE80211N=y
 CONFIG_MACSEC=y
 CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+CONFIG_IEEE80211W=y
+CONFIG_SAE=y
+CONFIG_OWE=y
+CONFIG_DPP=y
+CONFIG_WIFI_DISPLAY=y
--- a/SOURCES/wpa_supplicant-dbus-service-file-args.patch
+++ b/SOURCES/wpa_supplicant-dbus-service-file-args.patch
@ -1,20 +0,0 @@
-diff -up wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in.fedora wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
--- wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in.fedora	2008-03-02 20:58:35.000000000 -0500
-+++ wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in	2008-03-02 20:58:41.000000000 -0500
-@@ -1,5 +1,5 @@
- [D-BUS Service]
- Name=fi.w1.wpa_supplicant1
-Exec=@BINDIR@/wpa_supplicant -u
-+Exec=@BINDIR@/wpa_supplicant -B -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf -P /var/run/wpa_supplicant.pid
- User=root
- SystemdService=wpa_supplicant.service
-diff -up wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in.fedora wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
--- wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in.fedora	2008-03-02 20:58:35.000000000 -0500
-+++ wpa_supplicant-0.7.3/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in	2008-03-02 20:58:41.000000000 -0500
-@@ -1,5 +1,5 @@
- [D-BUS Service]
- Name=fi.epitest.hostap.WPASupplicant
-Exec=@BINDIR@/wpa_supplicant -u
-+Exec=@BINDIR@/wpa_supplicant -B -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf -P /var/run/wpa_supplicant.pid
- User=root
- SystemdService=wpa_supplicant.service
--- a/SOURCES/wpa_supplicant-p2p-segfault-on-iface-removal.patch
+++ b/SOURCES/wpa_supplicant-p2p-segfault-on-iface-removal.patch
@ -0,0 +1,210 @@
+From b2ad4e6b24ed0271ca76cb27856def0a701fb778 Mon Sep 17 00:00:00 2001
+Message-Id: <b2ad4e6b24ed0271ca76cb27856def0a701fb778.1572271835.git.davide.caratti@gmail.com>
+From: Davide Caratti <davide.caratti@gmail.com>
+Date: Wed, 2 Oct 2019 14:08:41 +0200
+Subject: [PATCH] D-Bus: Fix P2P NULL dereference after interface removal
+
+When the P2P management interface is deleted, P2P is then disabled and
+global->p2p_init_wpa_s is set to NULL. After that, other interfaces can
+still trigger P2P functions (like wpas_p2p_find()) using D-Bus. This
+makes wpa_supplicant terminate with SIGSEGV, because it dereferences a
+NULL pointer. Fix this by adding proper checks, like it's done with
+wpa_cli.
+
+CC: Beniamino Galvani <bgalvani@redhat.com>
+CC: Benjamin Berg <benjamin@sipsolutions.net>
+Reported-by: Vladimir Benes <vbenes@redhat.com>
+Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
+---
+ wpa_supplicant/dbus/dbus_new_handlers_p2p.c | 69 ++++++++++++++++++++-
+ 1 file changed, 67 insertions(+), 2 deletions(-)
+
+diff --git a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
+index 8cdd88564..19715eb4c 100644
+--- a/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
+@@ -40,6 +40,14 @@ static int wpas_dbus_validate_dbus_ipaddr(struct wpa_dbus_dict_entry entry)
+ }
+ 
+ 
+static dbus_bool_t no_p2p_mgmt_interface(DBusError *error)
+{
+	dbus_set_error_const(error, WPAS_DBUS_ERROR_IFACE_UNKNOWN,
+			     "Could not find P2P mgmt interface");
+	return FALSE;
+}
+
+
+ /**
+  * Parses out the mac address from the peer object path.
+  * @peer_path - object path of the form
+@@ -78,6 +86,22 @@ wpas_dbus_error_persistent_group_unknown(DBusMessage *message)
+ }
+ 
+ 
+/**
+ * wpas_dbus_error_no_p2p_mgmt_iface - Return a new InterfaceUnknown error
+ * message
+ * @message: Pointer to incoming dbus message this error refers to
+ * Returns: a dbus error message
+ *
+ * Convenience function to create and return an unknown interface error.
+ */
+static DBusMessage * wpas_dbus_error_no_p2p_mgmt_iface(DBusMessage *message)
+{
+	wpa_printf(MSG_DEBUG, "dbus: Could not find P2P mgmt interface");
+	return dbus_message_new_error(message, WPAS_DBUS_ERROR_IFACE_UNKNOWN,
+				      "Could not find P2P mgmt interface");
+}
+
+
+ DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message,
+ 					 struct wpa_supplicant *wpa_s)
+ {
+@@ -145,6 +169,10 @@ DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message,
+ 	}
+ 
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s) {
+		reply = wpas_dbus_error_no_p2p_mgmt_iface(message);
+		goto error_nop2p;
+	}
+ 
+ 	if (wpas_p2p_find(wpa_s, timeout, type, num_req_dev_types,
+ 			  req_dev_types, NULL, 0, 0, NULL, freq))
+@@ -157,8 +185,9 @@ DBusMessage * wpas_dbus_handler_p2p_find(DBusMessage *message,
+ error_clear:
+ 	wpa_dbus_dict_entry_clear(&entry);
+ error:
+-	os_free(req_dev_types);
+ 	reply = wpas_dbus_error_invalid_args(message, entry.key);
+error_nop2p:
+	os_free(req_dev_types);
+ 	return reply;
+ }
+ 
+@@ -166,7 +195,9 @@ error:
+ DBusMessage * wpas_dbus_handler_p2p_stop_find(DBusMessage *message,
+ 					      struct wpa_supplicant *wpa_s)
+ {
+-	wpas_p2p_stop_find(wpa_s->global->p2p_init_wpa_s);
+	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (wpa_s)
+		wpas_p2p_stop_find(wpa_s);
+ 	return NULL;
+ }
+ 
+@@ -185,6 +216,8 @@ DBusMessage * wpas_dbus_handler_p2p_rejectpeer(DBusMessage *message,
+ 		return wpas_dbus_error_invalid_args(message, NULL);
+ 
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s)
+		return wpas_dbus_error_no_p2p_mgmt_iface(message);
+ 
+ 	if (wpas_p2p_reject(wpa_s, peer_addr) < 0)
+ 		return wpas_dbus_error_unknown_error(message,
+@@ -204,6 +237,8 @@ DBusMessage * wpas_dbus_handler_p2p_listen(DBusMessage *message,
+ 		return wpas_dbus_error_no_memory(message);
+ 
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s)
+		return wpas_dbus_error_no_p2p_mgmt_iface(message);
+ 
+ 	if (wpas_p2p_listen(wpa_s, (unsigned int) timeout)) {
+ 		return dbus_message_new_error(message,
+@@ -245,6 +280,8 @@ DBusMessage * wpas_dbus_handler_p2p_extendedlisten(
+ 	}
+ 
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s)
+		return wpas_dbus_error_no_p2p_mgmt_iface(message);
+ 
+ 	if (wpas_p2p_ext_listen(wpa_s, period, interval))
+ 		return wpas_dbus_error_unknown_error(
+@@ -350,6 +387,10 @@ DBusMessage * wpas_dbus_handler_p2p_group_add(DBusMessage *message,
+ 	}
+ 
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s) {
+		reply = wpas_dbus_error_no_p2p_mgmt_iface(message);
+		goto out;
+	}
+ 
+ 	if (pg_object_path != NULL) {
+ 		char *net_id_str;
+@@ -433,6 +474,12 @@ static dbus_bool_t wpa_dbus_p2p_check_enabled(struct wpa_supplicant *wpa_s,
+ 				     "P2P is not available for this interface");
+ 		return FALSE;
+ 	}
+	if (!wpa_s->global->p2p_init_wpa_s) {
+		if (out_reply)
+			*out_reply = wpas_dbus_error_no_p2p_mgmt_iface(
+				message);
+		return no_p2p_mgmt_interface(error);
+	}
+ 	return TRUE;
+ }
+ 
+@@ -822,6 +869,8 @@ DBusMessage * wpas_dbus_handler_p2p_prov_disc_req(DBusMessage *message,
+ 		return wpas_dbus_error_invalid_args(message, NULL);
+ 
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s)
+		return wpas_dbus_error_no_p2p_mgmt_iface(message);
+ 
+ 	if (wpas_p2p_prov_disc(wpa_s, peer_addr, config_method,
+ 			       WPAS_P2P_PD_FOR_GO_NEG, NULL) < 0)
+@@ -1882,6 +1931,8 @@ dbus_bool_t wpas_dbus_getter_p2p_peer_groups(
+ 
+ 	wpa_s = peer_args->wpa_s;
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s)
+		return no_p2p_mgmt_interface(error);
+ 
+ 	wpa_s_go = wpas_get_p2p_client_iface(wpa_s, info->p2p_device_addr);
+ 	if (wpa_s_go) {
+@@ -1963,6 +2014,9 @@ dbus_bool_t wpas_dbus_getter_persistent_groups(
+ 	dbus_bool_t success = FALSE;
+ 
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s)
+		return no_p2p_mgmt_interface(error);
+
+ 	if (!wpa_s->parent->dbus_new_path)
+ 		return FALSE;
+ 
+@@ -2077,6 +2131,11 @@ DBusMessage * wpas_dbus_handler_add_persistent_group(
+ 	dbus_message_iter_init(message, &iter);
+ 
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s) {
+		reply = wpas_dbus_error_no_p2p_mgmt_iface(message);
+		goto err;
+	}
+
+ 	if (wpa_s->parent->dbus_new_path)
+ 		ssid = wpa_config_add_network(wpa_s->conf);
+ 	if (ssid == NULL) {
+@@ -2159,6 +2218,10 @@ DBusMessage * wpas_dbus_handler_remove_persistent_group(
+ 			      DBUS_TYPE_INVALID);
+ 
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s) {
+		reply = wpas_dbus_error_no_p2p_mgmt_iface(message);
+		goto out;
+	}
+ 
+ 	/*
+ 	 * Extract the network ID and ensure the network is actually a child of
+@@ -2235,6 +2298,8 @@ DBusMessage * wpas_dbus_handler_remove_all_persistent_groups(
+ 	struct wpa_config *config;
+ 
+ 	wpa_s = wpa_s->global->p2p_init_wpa_s;
+	if (!wpa_s)
+		return wpas_dbus_error_no_p2p_mgmt_iface(message);
+ 
+ 	config = wpa_s->conf;
+ 	ssid = config->ssid;
+-- 
+2.21.0
+
--- a/SPECS/wpa_supplicant.spec
+++ b/SPECS/wpa_supplicant.spec
@ -6,8 +6,8 @@
 Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
-Version: 2.7
-Release: 1%{?dist}
+Version: 2.9
+Release: 2%{?dist}
 License: BSD
 Group: System Environment/Base
 Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@ -25,14 +25,16 @@ Patch0: wpa_supplicant-assoc-timeout.patch
 # ensures that debug output gets flushed immediately to help diagnose driver
 # bugs, not suitable for upstream
 Patch1: wpa_supplicant-flush-debug-output.patch
-# disto specific customization for log paths, not suitable for upstream
-Patch2: wpa_supplicant-dbus-service-file-args.patch
 # quiet an annoying and frequent syslog message
 Patch3: wpa_supplicant-quiet-scan-results-message.patch
 # distro specific customization for Qt4 build tools, not suitable for upstream
 Patch5: rh1542234-remove-wpa_gui.patch
 Patch6: wpa_supplicant-gui-qt4.patch

+Patch7: wpa_supplicant-p2p-segfault-on-iface-removal.patch
+# fix for CVE-2019-16275
+Patch8: 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
+
 URL: http://w1.fi/wpa_supplicant/

 %if %{build_gui}
@ -114,7 +116,6 @@ install -m 0755 %{name}/wpa_supplicant %{buildroot}/%{_sbindir}
 install -m 0755 %{name}/eapol_test %{buildroot}/%{_sbindir}
 install -D -m 0644 %{name}/dbus/dbus-wpa_supplicant.conf %{buildroot}/%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
 install -D -m 0644 %{name}/dbus/fi.w1.wpa_supplicant1.service %{buildroot}/%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
-install -D -m 0644 %{name}/dbus/fi.epitest.hostap.WPASupplicant.service %{buildroot}/%{_datadir}/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service

 %if %{build_gui}
 # gui
@ -161,7 +162,6 @@ chmod -R 0644 %{name}/examples/*.py
 %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
 %{_unitdir}/%{name}.service
 %{_sysconfdir}/dbus-1/system.d/%{name}.conf
-%{_datadir}/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service
 %{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
 %{_sbindir}/wpa_passphrase
 %{_sbindir}/wpa_supplicant
@ -177,6 +177,18 @@ chmod -R 0644 %{name}/examples/*.py
 %endif

 %changelog
+* Tue Oct 29 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.9-2
+- Fix AP mode PMF disconnection protection bypass (CVE-2019-16275)
+- Fix NULL dereference in d-bus handler when P2P control interface is removed (rh #1752780)
+- enable WIFI_DISPLAY (rh #1755941)
+
+* Mon Oct 21 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.9-1
+- Update to 2.9 upstream release
+- Enable OWE, SAE and DPP (rh #1730169)
+
+* Thu Feb 07 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.7-2
+- Enable CI gating (rh #1682340) and add a basic selftest
+
 * Thu Feb 07 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.7-1
 - Update to 2.7 upstream release