From e688ea771840a9868b5c7b3a7639c0a455243b1d Mon Sep 17 00:00:00 2001
From: Davide Caratti
Date: Tue, 11 Apr 2017 18:45:21 +0200
Subject: [PATCH] macsec: fix segmentation fault and coverity scans (rh#1428937)

---
 ...r-free-when-receive-secure-channels-.patch | 49 ++++++++++++
 ...r-free-when-transmit-secure-channels.patch | 41 ++++++++++
 ...-NULL-pointer-dereference-on-error-c.patch | 74 +++++++++++++++++++
 wpa_supplicant.spec | 12 ++-
 4 files changed, 175 insertions(+), 1 deletion(-)
 create mode 100644 macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
 create mode 100644 macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
 create mode 100644 macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch

diff --git a/macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch b/macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
new file mode 100644
index 0000000..ef0056e
--- /dev/null
+++ b/macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
@@ -0,0 +1,49 @@
+From 529d6ed7262f0015552e3b8f6eed8ea4508d7c1f Mon Sep 17 00:00:00 2001
+Message-Id: <529d6ed7262f0015552e3b8f6eed8ea4508d7c1f.1491928737.git.davide.caratti@gmail.com>
+From: Davide Caratti
+Date: Thu, 16 Mar 2017 14:01:54 +0100
+Subject: [PATCH] mka: Fix use-after-free when receive secure channels are
+ deleted
+
+ieee802_1x_kay_deinit_receive_sc() frees the receive secure channel data,
+but secy_delete_receive_sc() still needs it. Since these two functions
+are always called sequentially, secy_delete_receive_sc() can be called
+from ieee802_1x_kay_deinit_receive_sc() before rxsc is freed.
+
+Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
+Signed-off-by: Davide Caratti
+---
+ src/pae/ieee802_1x_kay.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
+index 3f9e53d..31905ed 100644
+--- a/src/pae/ieee802_1x_kay.c
++++ b/src/pae/ieee802_1x_kay.c
+@@ -532,6 +532,7 @@ ieee802_1x_kay_deinit_receive_sc(
+ ieee802_1x_delete_receive_sa(participant->kay, psa);
+ 
+ dl_list_del(&psc->list);
++ secy_delete_receive_sc(participant->kay, psc);
+ os_free(psc);
+ }
+ 
+@@ -2363,7 +2364,6 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
+ if (sci_equal(&rxsc->sci, &peer->sci)) {
+ ieee802_1x_kay_deinit_receive_sc(
+ participant, rxsc);
+- secy_delete_receive_sc(kay, rxsc);
+ }
+ }
+ dl_list_del(&peer->list);
+@@ -3433,7 +3433,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
+ rxsc = dl_list_entry(participant->rxsc_list.next,
+ struct receive_sc, list);
+ ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
+- secy_delete_receive_sc(kay, rxsc);
+ }
+ ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
+ secy_delete_transmit_sc(kay, participant->txsc);
+--
+2.7.4
+
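Review bot: Every caller of ieee802_1x_kay_deinit_receive_sc() now issues a driver-side delete, not only the two sites at @@ -2363 and @@ -3433 from which the explicit secy_delete_receive_sc() call is removed, and any other call site lies outside this patch and cannot be checked here. If one of those is an error path for a receive SC the driver never created, the new `secy_delete_receive_sc(participant->kay, psc);` would ask the driver to delete a channel it does not know about; worth confirming before backporting. The same question applies to the transmit counterpart in patch 0038 (ieee802_1x_kay_deinit_transmit_sc()). A one-line comment above the new call would record the ordering constraint the commit message explains, e.g. `/* Tear down the driver-side SC while psc is still valid; it is freed below. */`.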
diff --git a/macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch b/macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
new file mode 100644
index 0000000..5c1b815
--- /dev/null
+++ b/macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
@@ -0,0 +1,41 @@
+From e50df5d2a265a462b0efc056d360649608f160bf Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Davide Caratti
+Date: Thu, 16 Mar 2017 14:01:55 +0100
+Subject: [PATCH] mka: Fix use-after-free when transmit secure channels are
+ deleted
+
+ieee802_1x_kay_deinit_transmit_sc() frees the transmit secure channel
+data, but secy_delete_transmit_sc() still needs it. Since this functions
+are called sequentially, secy_delete_transmit_sc() can be called from
+ieee802_1x_kay_deinit_transmit_sc() before txsc is freed.
+
+Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
+Signed-off-by: Davide Caratti
+---
+ src/pae/ieee802_1x_kay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
+index 31905ed..1d4ed89 100644
+--- a/src/pae/ieee802_1x_kay.c
++++ b/src/pae/ieee802_1x_kay.c
+@@ -2546,6 +2546,7 @@ ieee802_1x_kay_deinit_transmit_sc(
+ dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa, list)
+ ieee802_1x_delete_transmit_sa(participant->kay, psa);
+ 
++ secy_delete_transmit_sc(participant->kay, psc);
+ os_free(psc);
+ }
+ 
+@@ -3435,7 +3436,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
+ ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
+ }
+ ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
+- secy_delete_transmit_sc(kay, participant->txsc);
+ 
+ os_memset(&participant->cak, 0, sizeof(participant->cak));
+ os_memset(&participant->kek, 0, sizeof(participant->kek));
+--
+2.7.4
+
diff --git a/macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch b/macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
new file mode 100644
index 0000000..338b766
--- /dev/null
+++ b/macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
@@ -0,0 +1,74 @@
+From 5db86df6a849684fda6a7ee53978a1ba931848cb Mon Sep 17 00:00:00 2001
+Message-Id: <5db86df6a849684fda6a7ee53978a1ba931848cb.1491601565.git.davide.caratti@gmail.com>
+From: Davide Caratti
+Date: Fri, 24 Mar 2017 10:25:24 +0100
+Subject: [PATCH] macsec_linux: Fix NULL pointer dereference on error cases
+
+In case wpa_supplicant is using driver_macsec_linux, but macsec module
+is not (yet) loaded in the kernel, nl_socket_alloc() fails and drv->sk
+is NULL. In this case, don't call libnl functions rntl_link_add() or
+rtnl_link_change() using such NULL pointer, to prevent program from
+getting segmentation faults like:
+
+ Program received signal SIGSEGV, Segmentation fault.
+ nl_socket_get_local_port (sk=sk@entry=0x0) at socket.c:365
+ 365 if (sk->s_local.nl_pid == 0) {
+ (gdb) p sk
+ $1 = (const struct nl_sock *) 0x0
+ (gdb) bt
+ #0 nl_socket_get_local_port (sk=sk@entry=0x0) at socket.c:365
+ #1 0x00007ffff79c56a0 in nl_complete_msg (sk=sk@entry=0x0,
+ msg=msg@entry=0x55555595a1f0) at nl.c:491
+ #2 0x00007ffff79c56d1 in nl_send_auto (sk=sk@entry=0x0,
+ msg=msg@entry=0x55555595a1f0) at nl.c:522
+ #3 0x00007ffff79c652f in nl_send_sync (sk=sk@entry=0x0,
+ msg=0x55555595a1f0) at nl.c:556
+ #4 0x00007ffff755faf5 in rtnl_link_add (sk=0x0,
+ link=link@entry=0x55555595b0f0, flags=flags@entry=1024) at route/link.c:1548
+ #5 0x000055555567a298 in macsec_drv_create_transmit_sc (priv=0x55555593b130,
+ sc=0x55555593b320, conf_offset=) at ../src/drivers/driver_macsec_linux.c:998
+
+Signed-off-by: Davide Caratti
+---
+ src/drivers/driver_macsec_linux.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c
+index 5dab77a..0694e60 100644
+--- a/src/drivers/driver_macsec_linux.c
++++ b/src/drivers/driver_macsec_linux.c
+@@ -168,6 +168,9 @@ static int try_commit(struct macsec_drv_data *drv)
+ {
+ int err;
+ 
++ if (!drv->sk)
++ return 0;
++
+ if (!drv->link)
+ return 0;
+ 
+@@ -982,6 
+985,11 @@ static int macsec_drv_create_transmit_sc(
+ 
+ wpa_printf(MSG_DEBUG, "%s", __func__);
+ 
++ if (!drv->sk) {
++ wpa_printf(MSG_ERROR, DRV_PREFIX "NULL rtnl socket");
++ return -1;
++ }
++
+ link = rtnl_link_macsec_alloc();
+ if (!link) {
+ wpa_printf(MSG_ERROR, DRV_PREFIX "couldn't allocate link");
+@@ -1048,6 +1056,9 @@ static int macsec_drv_delete_transmit_sc(void *priv, struct transmit_sc *sc)
+ 
+ wpa_printf(MSG_DEBUG, "%s", __func__);
+ 
++ if (!drv->sk)
++ return 0;
++
+ if (!drv->created_link) {
+ rtnl_link_put(drv->link);
+ drv->link = NULL;
+--
+2.7.4
+
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index 3fdfb92..fd0128b 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.6
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: BSD
 Group: System Environment/Base
 Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@@ -72,6 +72,9 @@ Patch41: macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch
 Patch42: macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
 Patch43: macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
 Patch44: macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
+Patch45: macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
+Patch46: macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
+Patch47: macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
 
 URL: http://w1.fi/wpa_supplicant/
 
@@ -158,6 +161,9 @@ Graphical User Interface for wpa_supplicant written using QT
 %patch42 -p1 -b .macsec-0034
 %patch43 -p1 -b .macsec-0035
 %patch44 -p1 -b .macsec-0036
+%patch45 -p1 -b .macsec-0037
+%patch46 -p1 -b .macsec-0038
+%patch47 -p1 -b .macsec-0039
 
 %build
 pushd wpa_supplicant
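Review bot: The new `if (!drv->sk) return 0;` in try_commit() (@@ -168 of the embedded patch) reports success for a commit that never reached the kernel, whereas the guard added to macsec_drv_create_transmit_sc() treats the same missing socket as an error and logs it, and the delete path at @@ -1048 again returns 0 silently. A caller of try_commit() therefore cannot distinguish an applied MACsec configuration from one dropped because the rtnl socket was never allocated. If the intent is only to avoid the crash, `wpa_printf(MSG_DEBUG, DRV_PREFIX "no rtnl socket, skipping commit");` before the early return keeps the condition visible in logs; if not, returning -1 as create_transmit_sc() does is the consistent choice. Refusing to initialise the driver when nl_socket_alloc() fails would make all three guards unnecessary, but that code is not part of this patch and cannot be checked here. The enclosing functions extend beyond each hunk on both sides.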
@@ -258,6 +264,10 @@ chmod -R 0644 %{name}/examples/*.py
 %endif
 %changelog
+* Wed Apr 11 2017 Davide Caratti - 1:2.6-6
+- Fix use-after-free when macsec secure channels are deleted
+- Fix segmentation fault in case macsec module is not loaded (rh#1428937)
+
 * Mon Mar 13 2017 Thomas Haller - 1:2.6-5
 - Enable IEEE 802.11w (management frame protection, PMF) (rh#909499)