From: Vladis Dronov Date: Tue, 12 Sep 2017 22:21:21 +0000 (+0000) Subject: nl80211: check for the required netlink attributes presence X-Git-Tag: archive/raspbian/4.9.51-1+rpi1~8^2^2~42 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=737b592d3774b6cc2baf2e1b0444201312e692cb;p=linux-4.9.git nl80211: check for the required netlink attributes presence nl80211_set_rekey_data() does not check if the required attributes NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by users with CAP_NET_ADMIN privilege and may result in NULL dereference and a system crash. Add a check for the required attributes presence. This patch is based on the patch by bo Zhang. This fixes CVE-2017-12153. References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046 Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload") Cc: # v3.1-rc1 Reported-by: bo Zhang Signed-off-by: Vladis Dronov Gbp-Pq: Topic bugfix/all Gbp-Pq: Name nl80211-check-for-the-required-netlink-attributes-presence.patch --- diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index e7a3068a1c3b..7a95f98f43db 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -10381,6 +10381,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info) if (err) return err; + if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] || + !tb[NL80211_REKEY_DATA_KCK]) + return -EINVAL; if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN) return -ERANGE; if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)