From: Peter Marko <peter.ma...@siemens.com>

Pick patches according to
http://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt
SAE H2E and incomplete downgrade protection for group negotiation

Signed-off-by: Peter Marko <peter.ma...@siemens.com>
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
 ...valid-Rejected-Groups-element-length.patch | 52 +++++++++++++++++++
 ...valid-Rejected-Groups-element-length.patch | 50 ++++++++++++++++++
 ...id-Rejected-Groups-element-in-the-pa.patch | 38 ++++++++++++++
 .../wpa-supplicant/wpa-supplicant_2.10.bb     |  3 ++
 4 files changed, 143 insertions(+)
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
 create mode 100644 
meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch

diff --git 
a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
new file mode 100644
index 0000000000..5780f27f8b
--- /dev/null
+++ 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
@@ -0,0 +1,52 @@
+From 364c2da8741f0979dae497551e70b94c0e6c8636 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j...@w1.fi>
+Date: Sun, 7 Jul 2024 11:46:49 +0300
+Subject: [PATCH 1/3] SAE: Check for invalid Rejected Groups element length
+ explicitly
+
+Instead of practically ignoring an odd octet at the end of the element,
+check for such invalid case explicitly. This is needed to avoid a
+potential group downgrade attack.
+
+Signed-off-by: Jouni Malinen <j...@w1.fi>
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport 
[https://w1.fi/cgit/hostap/commit/?id=364c2da8741f0979dae497551e70b94c0e6c8636]
+Signed-off-by: Peter Marko <peter.ma...@siemens.com>
+---
+ src/ap/ieee802_11.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index db4104928..1a62e30cc 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1258,7 +1258,7 @@ static int check_sae_rejected_groups(struct hostapd_data 
*hapd,
+                                    struct sae_data *sae)
+ {
+       const struct wpabuf *groups;
+-      size_t i, count;
++      size_t i, count, len;
+       const u8 *pos;
+ 
+       if (!sae->tmp)
+@@ -1268,7 +1268,15 @@ static int check_sae_rejected_groups(struct 
hostapd_data *hapd,
+               return 0;
+ 
+       pos = wpabuf_head(groups);
+-      count = wpabuf_len(groups) / 2;
++      len = wpabuf_len(groups);
++      if (len & 1) {
++              wpa_printf(MSG_DEBUG,
++                         "SAE: Invalid length of the Rejected Groups element 
payload: %zu",
++                         len);
++              return 1;
++      }
++
++      count = len / 2;
+       for (i = 0; i < count; i++) {
+               int enabled;
+               u16 group;
+-- 
+2.30.2
+
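Review bot: The `CVE: CVE-2024-3596` tag in the header of 0001 looks copied from the neighbouring `CVE-2024-3596_NN.patch` entries in SRC_URI rather than chosen for this fix. The commit message and the linked w1.fi 2024-2 advisory describe an SAE Rejected Groups downgrade issue, and 0002 and 0003 in the same series carry no CVE tag at all. As far as I know, CVE-2024-3596 is the RADIUS (Blast-RADIUS) identifier, so the tag should be checked against the advisory before merging. The `CVE:` line in a patch header is what cve-check reads to mark an issue as patched, so a wrong id would misreport the recipe's status. Either drop the line from 0001, or put the id assigned to this advisory (if there is one) on all three patches, e.g. `CVE: <id-from-advisory>`.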
diff --git 
a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
new file mode 100644
index 0000000000..3e96ae9e2e
--- /dev/null
+++ 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
@@ -0,0 +1,50 @@
+From 593a7c2f8c93edd6b552f2d42e28164464b4e6ff Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j...@w1.fi>
+Date: Tue, 9 Jul 2024 23:33:38 +0300
+Subject: [PATCH 2/3] SAE: Check for invalid Rejected Groups element length
+ explicitly on STA
+
+Instead of practically ignoring an odd octet at the end of the element,
+check for such invalid case explicitly. This is needed to avoid a
+potential group downgrade attack.
+
+Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled")
+Signed-off-by: Jouni Malinen <j...@w1.fi>
+
+Upstream-Status: Backport 
[https://w1.fi/cgit/hostap/commit/?id=593a7c2f8c93edd6b552f2d42e28164464b4e6ff]
+Signed-off-by: Peter Marko <peter.ma...@siemens.com>
+---
+ wpa_supplicant/sme.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
+index 7f43216c6..c7289f6a8 100644
+--- a/wpa_supplicant/sme.c
++++ b/wpa_supplicant/sme.c
+@@ -1222,14 +1222,21 @@ static int sme_sae_is_group_enabled(struct 
wpa_supplicant *wpa_s, int group)
+ static int sme_check_sae_rejected_groups(struct wpa_supplicant *wpa_s,
+                                        const struct wpabuf *groups)
+ {
+-      size_t i, count;
++      size_t i, count, len;
+       const u8 *pos;
+ 
+       if (!groups)
+               return 0;
+ 
+       pos = wpabuf_head(groups);
+-      count = wpabuf_len(groups) / 2;
++      len = wpabuf_len(groups);
++      if (len & 1) {
++              wpa_printf(MSG_DEBUG,
++                         "SAE: Invalid length of the Rejected Groups element 
payload: %zu",
++                         len);
++              return 1;
++      }
++      count = len / 2;
+       for (i = 0; i < count; i++) {
+               int enabled;
+               u16 group;
+-- 
+2.30.2
+
diff --git 
a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
new file mode 100644
index 0000000000..5e9e8bc01d
--- /dev/null
+++ 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
@@ -0,0 +1,38 @@
+From 9716bf1160beb677e965d9e6475d6c9e162e8374 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j...@w1.fi>
+Date: Tue, 9 Jul 2024 23:34:34 +0300
+Subject: [PATCH 3/3] SAE: Reject invalid Rejected Groups element in the parser
+
+There is no need to depend on all uses (i.e., both hostapd and
+wpa_supplicant) to verify that the length of the Rejected Groups field
+in the Rejected Groups element is valid (i.e., a multiple of two octets)
+since the common parser can reject the message when detecting this.
+
+Signed-off-by: Jouni Malinen <j...@w1.fi>
+
+Upstream-Status: Backport 
[https://w1.fi/cgit/hostap/commit/?id=9716bf1160beb677e965d9e6475d6c9e162e8374]
+Signed-off-by: Peter Marko <peter.ma...@siemens.com>
+---
+ src/common/sae.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index c0f154e91..620bdf753 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -2076,6 +2076,12 @@ static int sae_parse_rejected_groups(struct sae_data 
*sae,
+               return WLAN_STATUS_UNSPECIFIED_FAILURE;
+       epos++; /* skip ext ID */
+       len--;
++      if (len & 1) {
++              wpa_printf(MSG_DEBUG,
++                         "SAE: Invalid length of the Rejected Groups element 
payload: %u",
++                         len);
++              return WLAN_STATUS_UNSPECIFIED_FAILURE;
++      }
+ 
+       wpabuf_free(sae->tmp->peer_rejected_groups);
+       sae->tmp->peer_rejected_groups = wpabuf_alloc(len);
+-- 
+2.30.2
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb 
b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
index f5e9dce17c..459039d01e 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -35,6 +35,9 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
            file://CVE-2024-3596_06.patch \
            file://CVE-2024-3596_07.patch \
            file://CVE-2024-3596_08.patch \
+           
file://0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \
+           
file://0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \
+           
file://0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch \
            "
 SRC_URI[sha256sum] = 
"20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
 
-- 
2.34.1
