3 files changed, 99 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
new file mode 100644
index 0000000000..54c405b539
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
@@ -0,0 +1,43 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+CVE: CVE-2021-0326
+Upstream-Status: Backport
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index 74b7b52ae..5cbfc217f 100644
+--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+        dev->info.config_methods = cli->config_methods;
+        os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+        dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
+       if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
+               dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+        os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+                  dev->info.wps_sec_dev_type_list_len);
+ }
+-- 
+2.17.1
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
new file mode 100644
index 0000000000..fedff76b18
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
@@ -0,0 +1,54 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+CVE: CVE-2021-27803
+Upstream-Status: Backport
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec03f..05fd59349 100644
+--- a/src/p2p/p2p_pd.c
+++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+                        goto out;
+                }
+ 
+               dev = p2p_get_device(p2p, sa);
+                if (!dev) {
+-                       dev = p2p_get_device(p2p, sa);
+-                       if (!dev) {
+-                               p2p_dbg(p2p,
+-                                       "Provision Discovery device not found "
+-                                       MACSTR, MAC2STR(sa));
+-                               goto out;
+-                       }
+                       p2p_dbg(p2p,
+                               "Provision Discovery device not found "
+                               MACSTR, MAC2STR(sa));
+                       goto out;
+                }
+        } else if (msg.wfd_subelems) {
+                wpabuf_free(dev->info.wfd_subelems);
+-- 
+2.17.1
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
index 1f38eee0ff..87899f3da2 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -13,6 +13,8 @@ SRC_URI = " \
    file://hostapd.service \
    file://CVE-2019-16275.patch \
    file://CVE-2019-5061.patch \
+    file://CVE-2021-0326.patch \
+    file://CVE-2021-27803.patch \
 "
 SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch new file mode 100644 index 0000000000..54c405b539 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch
@@ -0,0 +1,43 @@
		1	From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <jouni@codeaurora.org>
		3	Date: Mon, 9 Nov 2020 11:43:12 +0200
		4	Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
		5	client
		6
		7	Parsing and copying of WPS secondary device types list was verifying
		8	that the contents is not too long for the internal maximum in the case
		9	of WPS messages, but similar validation was missing from the case of P2P
		10	group information which encodes this information in a different
		11	attribute. This could result in writing beyond the memory area assigned
		12	for these entries and corrupting memory within an instance of struct
		13	p2p_device. This could result in invalid operations and unexpected
		14	behavior when trying to free pointers from that corrupted memory.
		15
		16	CVE: CVE-2021-0326
		17
		18	Upstream-Status: Backport
		19
		20	Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
		21	Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
		22	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
		23	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		24	---
		25	src/p2p/p2p.c \| 2 ++
		26	1 file changed, 2 insertions(+)
		27
		28	diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
		29	index 74b7b52ae..5cbfc217f 100644
		30	--- a/src/p2p/p2p.c
		31	+++ b/src/p2p/p2p.c
		32	@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
		33	dev->info.config_methods = cli->config_methods;
		34	os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
		35	dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
		36	+ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
		37	+ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
		38	os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
		39	dev->info.wps_sec_dev_type_list_len);
		40	}
		41	--
		42	2.17.1
		43


diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch new file mode 100644 index 0000000000..fedff76b18 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch
@@ -0,0 +1,54 @@
		1	From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
		2	From: Jouni Malinen <jouni@codeaurora.org>
		3	Date: Tue, 8 Dec 2020 23:52:50 +0200
		4	Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
		5
		6	p2p_add_device() may remove the oldest entry if there is no room in the
		7	peer table for a new peer. This would result in any pointer to that
		8	removed entry becoming stale. A corner case with an invalid PD Request
		9	frame could result in such a case ending up using (read+write) freed
		10	memory. This could only by triggered when the peer table has reached its
		11	maximum size and the PD Request frame is received from the P2P Device
		12	Address of the oldest remaining entry and the frame has incorrect P2P
		13	Device Address in the payload.
		14
		15	Fix this by fetching the dev pointer again after having called
		16	p2p_add_device() so that the stale pointer cannot be used.
		17
		18	CVE: CVE-2021-27803
		19
		20	Upstream-Status: Backport
		21
		22	Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
		23	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
		24	---
		25	src/p2p/p2p_pd.c \| 12 +++++-------
		26	1 file changed, 5 insertions(+), 7 deletions(-)
		27
		28	diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
		29	index 3994ec03f..05fd59349 100644
		30	--- a/src/p2p/p2p_pd.c
		31	+++ b/src/p2p/p2p_pd.c
		32	@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data p2p, const u8 sa,
		33	goto out;
		34	}
		35
		36	+ dev = p2p_get_device(p2p, sa);
		37	if (!dev) {
		38	- dev = p2p_get_device(p2p, sa);
		39	- if (!dev) {
		40	- p2p_dbg(p2p,
		41	- "Provision Discovery device not found "
		42	- MACSTR, MAC2STR(sa));
		43	- goto out;
		44	- }
		45	+ p2p_dbg(p2p,
		46	+ "Provision Discovery device not found "
		47	+ MACSTR, MAC2STR(sa));
		48	+ goto out;
		49	}
		50	} else if (msg.wfd_subelems) {
		51	wpabuf_free(dev->info.wfd_subelems);
		52	--
		53	2.17.1
		54


diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb index 1f38eee0ff..87899f3da2 100644 --- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb +++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb
@@ -13,6 +13,8 @@ SRC_URI = " \
13	file://hostapd.service \	13	file://hostapd.service \
14	file://CVE-2019-16275.patch \	14	file://CVE-2019-16275.patch \
15	file://CVE-2019-5061.patch \	15	file://CVE-2019-5061.patch \
		16	file://CVE-2021-0326.patch \
		17	file://CVE-2021-27803.patch \
16	"	18	"
17		19
18	SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"	20	SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8"