macsec: fix segmentation fault and coverity scans (rh#1428937)
This commit is contained in:
parent
18d8fa3c44
commit
e688ea7718
@ -0,0 +1,49 @@
|
|||||||
|
From 529d6ed7262f0015552e3b8f6eed8ea4508d7c1f Mon Sep 17 00:00:00 2001
|
||||||
|
Message-Id: <529d6ed7262f0015552e3b8f6eed8ea4508d7c1f.1491928737.git.davide.caratti@gmail.com>
|
||||||
|
From: Davide Caratti <davide.caratti@gmail.com>
|
||||||
|
Date: Thu, 16 Mar 2017 14:01:54 +0100
|
||||||
|
Subject: [PATCH] mka: Fix use-after-free when receive secure channels are
|
||||||
|
deleted
|
||||||
|
|
||||||
|
ieee802_1x_kay_deinit_receive_sc() frees the receive secure channel data,
|
||||||
|
but secy_delete_receive_sc() still needs it. Since these two functions
|
||||||
|
are always called sequentially, secy_delete_receive_sc() can be called
|
||||||
|
from ieee802_1x_kay_deinit_receive_sc() before rxsc is freed.
|
||||||
|
|
||||||
|
Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
|
||||||
|
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
|
||||||
|
---
|
||||||
|
src/pae/ieee802_1x_kay.c | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
|
||||||
|
index 3f9e53d..31905ed 100644
|
||||||
|
--- a/src/pae/ieee802_1x_kay.c
|
||||||
|
+++ b/src/pae/ieee802_1x_kay.c
|
||||||
|
@@ -532,6 +532,7 @@ ieee802_1x_kay_deinit_receive_sc(
|
||||||
|
ieee802_1x_delete_receive_sa(participant->kay, psa);
|
||||||
|
|
||||||
|
dl_list_del(&psc->list);
|
||||||
|
+ secy_delete_receive_sc(participant->kay, psc);
|
||||||
|
os_free(psc);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2363,7 +2364,6 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
|
||||||
|
if (sci_equal(&rxsc->sci, &peer->sci)) {
|
||||||
|
ieee802_1x_kay_deinit_receive_sc(
|
||||||
|
participant, rxsc);
|
||||||
|
- secy_delete_receive_sc(kay, rxsc);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
dl_list_del(&peer->list);
|
||||||
|
@@ -3433,7 +3433,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
|
||||||
|
rxsc = dl_list_entry(participant->rxsc_list.next,
|
||||||
|
struct receive_sc, list);
|
||||||
|
ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
|
||||||
|
- secy_delete_receive_sc(kay, rxsc);
|
||||||
|
}
|
||||||
|
ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
|
||||||
|
secy_delete_transmit_sc(kay, participant->txsc);
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
@ -0,0 +1,41 @@
|
|||||||
|
From e50df5d2a265a462b0efc056d360649608f160bf Mon Sep 17 00:00:00 2001
|
||||||
|
Message-Id: <e50df5d2a265a462b0efc056d360649608f160bf.1491928635.git.davide.caratti@gmail.com>
|
||||||
|
From: Davide Caratti <davide.caratti@gmail.com>
|
||||||
|
Date: Thu, 16 Mar 2017 14:01:55 +0100
|
||||||
|
Subject: [PATCH] mka: Fix use-after-free when transmit secure channels are
|
||||||
|
deleted
|
||||||
|
|
||||||
|
ieee802_1x_kay_deinit_transmit_sc() frees the transmit secure channel
|
||||||
|
data, but secy_delete_transmit_sc() still needs it. Since this functions
|
||||||
|
are called sequentially, secy_delete_transmit_sc() can be called from
|
||||||
|
ieee802_1x_kay_deinit_transmit_sc() before txsc is freed.
|
||||||
|
|
||||||
|
Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
|
||||||
|
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
|
||||||
|
---
|
||||||
|
src/pae/ieee802_1x_kay.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
|
||||||
|
index 31905ed..1d4ed89 100644
|
||||||
|
--- a/src/pae/ieee802_1x_kay.c
|
||||||
|
+++ b/src/pae/ieee802_1x_kay.c
|
||||||
|
@@ -2546,6 +2546,7 @@ ieee802_1x_kay_deinit_transmit_sc(
|
||||||
|
dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa, list)
|
||||||
|
ieee802_1x_delete_transmit_sa(participant->kay, psa);
|
||||||
|
|
||||||
|
+ secy_delete_transmit_sc(participant->kay, psc);
|
||||||
|
os_free(psc);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -3435,7 +3436,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
|
||||||
|
ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
|
||||||
|
}
|
||||||
|
ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
|
||||||
|
- secy_delete_transmit_sc(kay, participant->txsc);
|
||||||
|
|
||||||
|
os_memset(&participant->cak, 0, sizeof(participant->cak));
|
||||||
|
os_memset(&participant->kek, 0, sizeof(participant->kek));
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
@ -0,0 +1,74 @@
|
|||||||
|
From 5db86df6a849684fda6a7ee53978a1ba931848cb Mon Sep 17 00:00:00 2001
|
||||||
|
Message-Id: <5db86df6a849684fda6a7ee53978a1ba931848cb.1491601565.git.davide.caratti@gmail.com>
|
||||||
|
From: Davide Caratti <davide.caratti@gmail.com>
|
||||||
|
Date: Fri, 24 Mar 2017 10:25:24 +0100
|
||||||
|
Subject: [PATCH] macsec_linux: Fix NULL pointer dereference on error cases
|
||||||
|
|
||||||
|
In case wpa_supplicant is using driver_macsec_linux, but macsec module
|
||||||
|
is not (yet) loaded in the kernel, nl_socket_alloc() fails and drv->sk
|
||||||
|
is NULL. In this case, don't call libnl functions rntl_link_add() or
|
||||||
|
rtnl_link_change() using such NULL pointer, to prevent program from
|
||||||
|
getting segmentation faults like:
|
||||||
|
|
||||||
|
Program received signal SIGSEGV, Segmentation fault.
|
||||||
|
nl_socket_get_local_port (sk=sk@entry=0x0) at socket.c:365
|
||||||
|
365 if (sk->s_local.nl_pid == 0) {
|
||||||
|
(gdb) p sk
|
||||||
|
$1 = (const struct nl_sock *) 0x0
|
||||||
|
(gdb) bt
|
||||||
|
#0 nl_socket_get_local_port (sk=sk@entry=0x0) at socket.c:365
|
||||||
|
#1 0x00007ffff79c56a0 in nl_complete_msg (sk=sk@entry=0x0,
|
||||||
|
msg=msg@entry=0x55555595a1f0) at nl.c:491
|
||||||
|
#2 0x00007ffff79c56d1 in nl_send_auto (sk=sk@entry=0x0,
|
||||||
|
msg=msg@entry=0x55555595a1f0) at nl.c:522
|
||||||
|
#3 0x00007ffff79c652f in nl_send_sync (sk=sk@entry=0x0,
|
||||||
|
msg=0x55555595a1f0) at nl.c:556
|
||||||
|
#4 0x00007ffff755faf5 in rtnl_link_add (sk=0x0,
|
||||||
|
link=link@entry=0x55555595b0f0, flags=flags@entry=1024) at route/link.c:1548
|
||||||
|
#5 0x000055555567a298 in macsec_drv_create_transmit_sc (priv=0x55555593b130,
|
||||||
|
sc=0x55555593b320, conf_offset=<optimized out>) at ../src/drivers/driver_macsec_linux.c:998
|
||||||
|
|
||||||
|
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
|
||||||
|
---
|
||||||
|
src/drivers/driver_macsec_linux.c | 11 +++++++++++
|
||||||
|
1 file changed, 11 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c
|
||||||
|
index 5dab77a..0694e60 100644
|
||||||
|
--- a/src/drivers/driver_macsec_linux.c
|
||||||
|
+++ b/src/drivers/driver_macsec_linux.c
|
||||||
|
@@ -168,6 +168,9 @@ static int try_commit(struct macsec_drv_data *drv)
|
||||||
|
{
|
||||||
|
int err;
|
||||||
|
|
||||||
|
+ if (!drv->sk)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
if (!drv->link)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
@@ -982,6 +985,11 @@ static int macsec_drv_create_transmit_sc(
|
||||||
|
|
||||||
|
wpa_printf(MSG_DEBUG, "%s", __func__);
|
||||||
|
|
||||||
|
+ if (!drv->sk) {
|
||||||
|
+ wpa_printf(MSG_ERROR, DRV_PREFIX "NULL rtnl socket");
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
link = rtnl_link_macsec_alloc();
|
||||||
|
if (!link) {
|
||||||
|
wpa_printf(MSG_ERROR, DRV_PREFIX "couldn't allocate link");
|
||||||
|
@@ -1048,6 +1056,9 @@ static int macsec_drv_delete_transmit_sc(void *priv, struct transmit_sc *sc)
|
||||||
|
|
||||||
|
wpa_printf(MSG_DEBUG, "%s", __func__);
|
||||||
|
|
||||||
|
+ if (!drv->sk)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
if (!drv->created_link) {
|
||||||
|
rtnl_link_put(drv->link);
|
||||||
|
drv->link = NULL;
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
|
|||||||
Name: wpa_supplicant
|
Name: wpa_supplicant
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.6
|
Version: 2.6
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
|
Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
|
||||||
@ -72,6 +72,9 @@ Patch41: macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch
|
|||||||
Patch42: macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
|
Patch42: macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
|
||||||
Patch43: macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
|
Patch43: macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
|
||||||
Patch44: macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
|
Patch44: macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
|
||||||
|
Patch45: macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
|
||||||
|
Patch46: macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
|
||||||
|
Patch47: macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
|
||||||
|
|
||||||
URL: http://w1.fi/wpa_supplicant/
|
URL: http://w1.fi/wpa_supplicant/
|
||||||
|
|
||||||
@ -158,6 +161,9 @@ Graphical User Interface for wpa_supplicant written using QT
|
|||||||
%patch42 -p1 -b .macsec-0034
|
%patch42 -p1 -b .macsec-0034
|
||||||
%patch43 -p1 -b .macsec-0035
|
%patch43 -p1 -b .macsec-0035
|
||||||
%patch44 -p1 -b .macsec-0036
|
%patch44 -p1 -b .macsec-0036
|
||||||
|
%patch45 -p1 -b .macsec-0037
|
||||||
|
%patch46 -p1 -b .macsec-0038
|
||||||
|
%patch47 -p1 -b .macsec-0039
|
||||||
|
|
||||||
%build
|
%build
|
||||||
pushd wpa_supplicant
|
pushd wpa_supplicant
|
||||||
@ -258,6 +264,10 @@ chmod -R 0644 %{name}/examples/*.py
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Apr 11 2017 Davide Caratti <dcaratti@redhat.com> - 1:2.6-6
|
||||||
|
- Fix use-after-free when macsec secure channels are deleted
|
||||||
|
- Fix segmentation fault in case macsec module is not loaded (rh#1428937)
|
||||||
|
|
||||||
* Mon Mar 13 2017 Thomas Haller <thaller@redhat.com> - 1:2.6-5
|
* Mon Mar 13 2017 Thomas Haller <thaller@redhat.com> - 1:2.6-5
|
||||||
- Enable IEEE 802.11w (management frame protection, PMF) (rh#909499)
|
- Enable IEEE 802.11w (management frame protection, PMF) (rh#909499)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user