On Thu, May 17, 2018 at 3:19 PM, Andre McCurdy <armccu...@gmail.com> wrote: > An elevation of privilege vulnerability in libnl could enable a local > malicious application to execute arbitrary code within the context of > the Wi-Fi service. This issue is rated as Moderate because it first > requires compromising a privileged process and is mitigated by > current platform configurations. Product: Android. Versions: 5.0.2, > 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32342065. NOTE: this > issue also exists in the upstream libnl before 3.3.0 library. > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0553 > > Backport fix from upstream 3.3.0 release: > > > https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb > http://lists.infradead.org/pipermail/libnl/2017-May/002313.html
Ping. > Signed-off-by: Andre McCurdy <armccu...@gmail.com> > --- > ...eck-for-integer-overflow-in-nlmsg_reserve.patch | 43 > ++++++++++++++++++++++ > meta/recipes-support/libnl/libnl_3.2.28.bb | 1 + > 2 files changed, 44 insertions(+) > create mode 100644 > meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch > > diff --git > a/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch > > b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch > new file mode 100644 > index 0000000..9e22c40 > --- /dev/null > +++ > b/meta/recipes-support/libnl/libnl/lib-check-for-integer-overflow-in-nlmsg_reserve.patch > @@ -0,0 +1,43 @@ > +From 1db543374db3e58faacdfd91e5061a8a595ce505 Mon Sep 17 00:00:00 2001 > +From: Thomas Haller <thal...@redhat.com> > +Date: Mon, 6 Feb 2017 22:23:52 +0100 > +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve() > + > +In general, libnl functions are not robust against calling with > +invalid arguments. Thus, never call libnl functions with invalid > +arguments. In case of nlmsg_reserve() this means never provide > +a @len argument that causes overflow. > + > +Still, add an additional safeguard to avoid exploiting such bugs. > + > +Assume that @pad is a trusted, small integer. > +Assume that n->nm_size is a valid number of allocated bytes (and thus > +much smaller then SIZE_T_MAX). > +Assume, that @len may be set to an untrusted value. Then the patch > +avoids an integer overflow resulting in reserving too few bytes. > + > +Upstream-Status: Backport > [https://github.com/thom311/libnl/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb] > +CVE: CVE-2017-0553 > + > +Signed-off-by: Andre McCurdy <armccu...@gmail.com> > +--- > + lib/msg.c | 3 +++ > + 1 file changed, 3 insertions(+) > + > +diff --git a/lib/msg.c b/lib/msg.c > +index e8a7e99..f30fd2d 100644 > +--- a/lib/msg.c > ++++ b/lib/msg.c > +@@ -410,6 +410,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int > pad) > + size_t nlmsg_len = n->nm_nlh->nlmsg_len; > + size_t tlen; > + > ++ if (len > n->nm_size) > ++ return NULL; > ++ > + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; > + > + if ((tlen + nlmsg_len) > n->nm_size) > +-- > +1.9.1 > + > diff --git a/meta/recipes-support/libnl/libnl_3.2.28.bb > b/meta/recipes-support/libnl/libnl_3.2.28.bb > index 26982f3..a74b455 100644 > --- a/meta/recipes-support/libnl/libnl_3.2.28.bb > +++ b/meta/recipes-support/libnl/libnl_3.2.28.bb > @@ -12,6 +12,7 @@ DEPENDS = "flex-native bison-native" > SRC_URI = > "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV', > True).replace('.','_')}/${BP}.tar.gz \ > file://fix-pktloc_syntax_h-race.patch \ > file://fix-pc-file.patch \ > + file://lib-check-for-integer-overflow-in-nlmsg_reserve.patch \ > file://0001-lib-add-utility-function-nl_strerror_l.patch \ > > file://0002-lib-switch-to-using-strerror_l-instead-of-strerror_r.patch \ > > file://0003-src-switch-to-using-strerror_l-instead-of-strerror_r.patch \ > -- > 1.9.1 > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core