ACK: [SRU][Trusty][Zesty][PATCH 1/1] nl80211: check for the required netlink attributes presence

[Colin Ian King]

On 06/12/17 09:54, Kleber Sacilotto de Souza wrote:
> From: Vladis Dronov <vdronov at redhat.com>
> 
> nl80211_set_rekey_data() does not check if the required attributes
> NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
> NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
> users with CAP_NET_ADMIN privilege and may result in NULL dereference
> and a system crash. Add a check for the required attributes presence.
> This patch is based on the patch by bo Zhang.
> 
> This fixes CVE-2017-12153.
> 
> References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
> Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
> Cc: <stable at vger.kernel.org> # v3.1-rc1
> Reported-by: bo Zhang <zhangbo5891001 at gmail.com>
> Signed-off-by: Vladis Dronov <vdronov at redhat.com>
> Signed-off-by: Johannes Berg <johannes.berg at intel.com>
> 
> CVE-2017-12153
> (cherry picked from commit e785fa0a164aa11001cba931367c7f94ffaff888)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> ---
>  net/wireless/nl80211.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 0df8023f480b..fbd5593e88cb 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -10903,6 +10903,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
>  	if (err)
>  		return err;
>  
> +	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
> +	    !tb[NL80211_REKEY_DATA_KCK])
> +		return -EINVAL;
>  	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
>  		return -ERANGE;
>  	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
> 
Clean cherry pick.

Acked-by: Colin Ian King <colin.king at canonical.com>