From patchwork Tue Sep 9 19:29:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 69894 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B41A2CAC583 for ; Tue, 9 Sep 2025 19:30:20 +0000 (UTC) Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) by mx.groups.io with SMTP id smtpd.web11.4209.1757446211307697742 for ; Tue, 09 Sep 2025 12:30:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=kWw2g8TT; spf=softfail (domain: sakoman.com, ip: 209.85.215.180, mailfrom: steve@sakoman.com) Received: by mail-pg1-f180.google.com with SMTP id 41be03b00d2f7-b523af71683so1771355a12.3 for ; Tue, 09 Sep 2025 12:30:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1757446210; x=1758051010; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Ziq/lbESgHt3Fhm/UeSYw2nbNtjU5K2FE/+HF8h6sec=; b=kWw2g8TTsDAIiw7mHYsUJL0/7H5U4wXnmY6WjIp8NhDsGD8hLWxDxYaZ7NzqYo+GvJ lyNiGfhpbVSgFSQN6DDmP09Klc3OrAHakEEiZpErKKqsXSYqPAHmY7qEmPzl0U/W1Loh JGUVCSshTvDuTZi9Tz0fOACMGbnGujI9T5V68Vu25htEd74gzLBpuYyBkRWspMTkQoiq 9DhaFoB5CaePpcEp8THsrd0vkfejPJ7evF70d/4+1ZF/NvVejL/5NRhtf9KD/CJpFlVp JJ1YhjqAjeyiC3xk5Qa/FljIUs1aBQu+duQRLnxK0V0RLuU1PTabPgBRt6SPEkhGlQXz aDpw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757446210; x=1758051010; h=content-transfer-encoding:mime-version:references:in-reply-to 
:message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ziq/lbESgHt3Fhm/UeSYw2nbNtjU5K2FE/+HF8h6sec=; b=YKexS35VDKxKDf44AmUmKyvTwb6OIP8csqoecoJeLQrHoKte+brWDp9AijtB9+wKAl JBKn1CYe3lP/hdnbMe00+N6uvsRzMWEFH5kIISF34EBpKl84kWzIhWP15a5qzaU/Q4OP 1V9WtzZDEkoCeit86TP92MWypmKA51Oc7xrMtY0K8JOqn3Ae8PGLI/uh1NBkkTTQQ3oC hJHQ5YMIDNY0mAaTCnsPSuCJuZyPVDHVOzsk0hlcma5yzwV8dihgPYPXGRs13LsFbUAP F1FLqW/3V09fmALxdrvMqrPIugPCTn0FF1PtXxWHOPOqtS+lYMk8VPIlFfeijsvAV9kx CTRw== X-Gm-Message-State: AOJu0Yyd2nZl2rNWYQFuWuciO1gSHA8HP1B8wdREWPS5AStG0wCj9f47 e3yIxEjApFW9xUc9U0MEX3baTiCtm60F261rFnxPx1nRsbM0RIn0K8up9ZCZRT9Pd+0Iw7+Chm7 dqS+h X-Gm-Gg: ASbGncsjUfsYs+44pd9W90BkaTfwLvoOTKPuuzJU7PCYBWnE45gbRedtLO38VUNuwms JfVKz5WZjc4bQX34fd0vC8Fgp7KL0yQjTZMHvAOeTxa7qhXbWjB8i5rG6fZtNETUGsSS5q7KL+O cFG8A52vepT0tlpeexCbErxhLYlCqxynJdKsFuDhpYRtnukXoSu6CLThfdP45PcYdzZ2IBFns42 J+FYhYMf4Bw2iVFqV3GQzuFw8QMN+AJvEHmhSAwd7X4YW9f8UBlzFpT+3rQlVZr6GkZm5JMpUcm Q48AJBP4TPc8MdQ+OJ1nZ1dh7tVZVu2PnHOvKMqAVwrrzffMaAAmVGHR7ZdyQl0FG8LaHj44aiy HoSrtJ0a+lLqN4GPRTlz/mpIE X-Google-Smtp-Source: AGHT+IG2LLWuZ1Z8SRMYe4yqvd5EPX9HKiVHgWeD4AWXry+yTkbWW5TpVTTMV2esLdos+eFQ+xkYbg== X-Received: by 2002:a17:903:2105:b0:24c:c8d1:2bec with SMTP id d9443c01a7336-25172862367mr108028475ad.40.1757446210344; Tue, 09 Sep 2025 12:30:10 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:c560:31a3:4ee8:6083]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-25a2b0e5965sm5093855ad.143.2025.09.09.12.30.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Sep 2025 12:30:10 -0700 (PDT) 
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 1/5] ffmpeg: fix CVE-2025-7700
Date: Tue, 9 Sep 2025 12:29:59 -0700
Message-ID:
X-Mailer: git-send-email 2.43.0
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Sep 2025 19:30:20 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/223133

From: Archana Polampalli

NULL Pointer Dereference in FFmpeg ALS Decoder (libavcodec/alsdec.c)

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../ffmpeg/ffmpeg/CVE-2025-7700.patch | 52 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch new file mode 100644 index 0000000000..758e38a0b1 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch
@@ -0,0 +1,52 @@ +From aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Thu, 10 Jul 2025 16:26:39 +0000 +Subject: [PATCH] libavcodec/alsdec.c: Add check for av_malloc_array() and + av_calloc() + +Add check for the return value of av_malloc_array() and av_calloc() +to avoid potential NULL pointer dereference. + +Fixes: dcfd24b10c ("avcodec/alsdec: Implement floating point sample data decoding") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Michael Niedermayer +(cherry picked from commit 35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07) +Signed-off-by: Michael Niedermayer + +CVE: CVE-2025-7700 + +Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e] + +Signed-off-by: Archana Polampalli +--- + libavcodec/alsdec.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c +index 9c3be4e..ba85973 100644 +--- a/libavcodec/alsdec.c ++++ b/libavcodec/alsdec.c +@@ -2115,8 +2115,8 @@ static av_cold int decode_init(AVCodecContext *avctx) + ctx->nbits = av_malloc_array(ctx->cur_frame_length, sizeof(*ctx->nbits)); + ctx->mlz = av_mallocz(sizeof(*ctx->mlz)); + +- if (!ctx->mlz || !ctx->acf || !ctx->shift_value || !ctx->last_shift_value +- || !ctx->last_acf_mantissa || !ctx->raw_mantissa) { ++ if (!ctx->larray || !ctx->nbits || !ctx->mlz || !ctx->acf || !ctx->shift_value ++ || !ctx->last_shift_value || !ctx->last_acf_mantissa || !ctx->raw_mantissa) { + av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); + ret = AVERROR(ENOMEM); + goto fail; +@@ -2127,6 +2127,10 @@ static av_cold int decode_init(AVCodecContext *avctx) + + for (c = 0; c < avctx->channels; ++c) { + ctx->raw_mantissa[c] = av_calloc(ctx->cur_frame_length, sizeof(**ctx->raw_mantissa)); ++ if (!ctx->raw_mantissa[c]) { ++ av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); ++ return AVERROR(ENOMEM); ++ } + } + } + +-- +2.40.0 
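Review bot: in the second alsdec.c hunk (the per-channel `av_calloc` loop), the new NULL check does `return AVERROR(ENOMEM);` directly, while the check in the first hunk a few lines above uses `ret = AVERROR(ENOMEM); goto fail;`. Whatever the `fail:` label releases (the larray, nbits, mlz, acf and raw_mantissa buffers allocated earlier in decode_init, plus the raw_mantissa[c] entries this loop has already filled in) is skipped on the direct-return path unless the decoder's close callback is guaranteed to run after a failed init. Suggest the same pattern as the surrounding code: `ret = AVERROR(ENOMEM); goto fail;`.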
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 8da11f196d..f205c4a5db 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb 
@@ -48,6 +48,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2025-25473.patch \ file://CVE-2025-22919.patch \ file://CVE-2025-22921.patch \ + file://CVE-2025-7700.patch \ " SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"

From patchwork Tue Sep 9 19:30:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 69896 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/5] ffmpeg: fix multiple CVEs
Date: Tue, 9 Sep 2025 12:30:00 -0700
Message-ID:
X-Mailer: git-send-email 2.43.0
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Sep 2025 19:30:20 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/223134

From: Archana Polampalli

CVE-2023-6605: A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.

CVE-2023-6604: A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.

CVE-2023-6602: A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 ...602-CVE-2023-6604-CVE-2023-6605-0001.patch | 79 ++++++++++
 ...602-CVE-2023-6604-CVE-2023-6605-0002.patch | 142 ++++++++++++++++++
 ...602-CVE-2023-6604-CVE-2023-6605-0003.patch | 45 ++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 3 +
 4 files changed, 269 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch new file mode 100644 index 0000000000..2b28eeada5 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch 
@@ -0,0 +1,79 @@ +From 3ef588940eef62742d28171bf212a474206f8e03 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Mon, 15 May 2023 00:54:50 +0200 +Subject: [PATCH] avformat: add ff_match_url_ext() + +Match url against a list of extensions similar to av_match_ext() + +Signed-off-by: Michael Niedermayer +(cherry picked from commit a7b06bfc5d20b12ff0122702c09517cf359fbb66) +Signed-off-by: Michael Niedermayer + +CVE: CVE-2023-6604 CVE-2023-6602 CVE-2023-6605 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3ef588940ee] + +Signed-off-by: Archana Polampalli +--- + libavformat/format.c | 25 +++++++++++++++++++++++++ + libavformat/internal.h | 9 +++++++++ + 2 files changed, 34 insertions(+) + +diff --git a/libavformat/format.c b/libavformat/format.c +index 52b85c1..5e057d7 100644 +--- a/libavformat/format.c ++++ b/libavformat/format.c +@@ -48,6 +48,31 @@ int av_match_ext(const char *filename, const char *extensions) + return 0; + } + ++int ff_match_url_ext(const char *url, const char *extensions) ++{ ++ const char *ext; ++ URLComponents uc; ++ int ret; ++ char scratchpad[128]; ++ ++ if (!url) ++ return 0; ++ ++ ret = ff_url_decompose(&uc, url, NULL); ++ if (ret < 0 || !URL_COMPONENT_HAVE(uc, scheme)) ++ return ret; ++ for (ext = uc.query; *ext != '.' 
&& ext > uc.path; ext--) ++ ; ++ ++ if (*ext != '.') ++ return 0; ++ if (uc.query - ext > sizeof(scratchpad)) ++ return AVERROR(ENOMEM); //not enough memory in our scratchpad ++ av_strlcpy(scratchpad, ext + 1, FFMIN(sizeof(scratchpad), uc.query - ext)); ++ ++ return av_match_name(scratchpad, extensions); ++} ++ + const AVOutputFormat *av_guess_format(const char *short_name, const char *filename, + const char *mime_type) + { +diff --git a/libavformat/internal.h b/libavformat/internal.h +index bffb8e6..584b979 100644 +--- a/libavformat/internal.h ++++ b/libavformat/internal.h +@@ -1015,6 +1015,15 @@ int ff_unlock_avformat(void); + */ + void ff_format_set_url(AVFormatContext *s, char *url); + ++/** ++ * Return a positive value if the given url has one of the given ++ * extensions, negative AVERROR on error, 0 otherwise. ++ * ++ * @param url url to check against the given extensions ++ * @param extensions a comma-separated list of filename extensions ++ */ ++int ff_match_url_ext(const char *url, const char *extensions); ++ + void avpriv_register_devices(const AVOutputFormat * const o[], const AVInputFormat * const i[]); + + /** +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch new file mode 100644 index 0000000000..1ba1006197 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch 
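Review bot: in the format.c hunk, `if (ret < 0 || !URL_COMPONENT_HAVE(uc, scheme)) return ret;` hands back whatever ff_url_decompose returned when the URL has no scheme; the internal.h comment in the same patch promises 0 for "no match" and the callers added in the next patch test `> 0`, so an explicit `return 0;` for the scheme-less case removes any dependence on ff_url_decompose's success value. The backward scan `for (ext = uc.query; *ext != '.' && ext > uc.path; ext--)` stops at the last '.' anywhere in the path, so for a path such as `/a.b/segment` the text copied into scratchpad is `b/segment`; that yields a non-match rather than a false match, but a one-line comment saying the extension must be in the last path component would save the next reader the analysis. Minor: the Upstream-Status URL uses an abbreviated hash (3ef588940ee) while the other patches in this series spell out the full commit id.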
@@ -0,0 +1,142 @@ +From 9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Thu, 16 Jan 2025 01:28:46 +0100 +Subject: [PATCH] avformat/hls: Be more picky on extensions + +This blocks disallowed extensions from probing +It also requires all available segments to have matching extensions to the format +mpegts is treated independent of the extension + +It is recommended to set the whitelists correctly +instead of depending on extensions, but this should help a bit, +and this is easier to backport + +Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer +Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification + +The other parts of CVE-2023-6602 have been fixed by prior commits + +Found-by: Harvey Phillips of Amazon Element55 (element55) +Signed-off-by: Michael Niedermayer +(cherry picked from commit 91d96dc8ddaebe0b6cb393f672085e6bfaf15a31) +Signed-off-by: Michael Niedermayer + +CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6605 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57] + +Signed-off-by: Archana Polampalli +--- + doc/demuxers.texi | 7 +++++++ + libavformat/hls.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 57 insertions(+) + +diff --git a/doc/demuxers.texi b/doc/demuxers.texi +index 26ae768..6e0b25e 100644 +--- a/doc/demuxers.texi ++++ b/doc/demuxers.texi +@@ -365,6 +365,13 @@ segment index to start live streams at (negative values are from the end). + @item allowed_extensions + ',' separated list of file extensions that hls is allowed to access. + ++@item extension_picky ++This blocks disallowed extensions from probing ++It also requires all available segments to have matching extensions to the format ++except mpegts, which is always allowed. ++It is recommended to set the whitelists correctly instead of depending on extensions ++Enabled by default. 
++ + @item max_reload + Maximum number of times a insufficient list is attempted to be reloaded. + Default value is 1000. +diff --git a/libavformat/hls.c b/libavformat/hls.c +index d5e9b21..e1bb677 100644 +--- a/libavformat/hls.c ++++ b/libavformat/hls.c +@@ -214,6 +214,7 @@ typedef struct HLSContext { + AVDictionary *avio_opts; + AVDictionary *seg_format_opts; + char *allowed_extensions; ++ int extension_picky; + int max_reload; + int http_persistent; + int http_multiple; +@@ -716,6 +717,40 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, + return ret; + } + ++static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct playlist *pls, struct segment *seg) ++{ ++ HLSContext *c = s->priv_data; ++ int matchA = 3; ++ int matchF = 0; ++ ++ if (!c->extension_picky) ++ return 0; ++ ++ if (strcmp(c->allowed_extensions, "ALL")) ++ matchA = av_match_ext (seg->url, c->allowed_extensions) ++ + 2*(ff_match_url_ext(seg->url, c->allowed_extensions) > 0); ++ ++ if (!matchA) { ++ av_log(s, AV_LOG_ERROR, "URL %s is not in allowed_extensions\n", seg->url); ++ return AVERROR_INVALIDDATA; ++ } ++ ++ if (in_fmt) { ++ if (in_fmt->extensions) { ++ matchF = av_match_ext( seg->url, in_fmt->extensions) ++ + 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0); ++ } else if (!strcmp(in_fmt->name, "mpegts")) ++ matchF = 3; ++ ++ if (!(matchA & matchF)) { ++ av_log(s, AV_LOG_ERROR, "detected format extension %s mismatches allowed extensions in url %s\n", in_fmt->extensions ? in_fmt->extensions : "none", seg->url); ++ return AVERROR_INVALIDDATA; ++ } ++ } ++ ++ return 0; ++} ++ + static int parse_playlist(HLSContext *c, const char *url, + struct playlist *pls, AVIOContext *in) + { +@@ -959,6 +994,14 @@ static int parse_playlist(HLSContext *c, const char *url, + goto fail; + } + ++ ret = test_segment(c->ctx, pls->ctx ? 
pls->ctx->iformat : NULL, pls, seg); ++ if (ret < 0) { ++ av_free(seg->url); ++ av_free(seg->key); ++ av_free(seg); ++ goto fail; ++ } ++ + if (duration < 0.001 * AV_TIME_BASE) { + av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s," + " set to default value to 1ms.\n", seg->url); +@@ -2040,6 +2083,11 @@ static int hls_read_header(AVFormatContext *s) + pls->ctx->interrupt_callback = s->interrupt_callback; + url = av_strdup(pls->segments[0]->url); + ret = av_probe_input_buffer(&pls->pb.pub, &in_fmt, url, NULL, 0, 0); ++ ++ for (int n = 0; n < pls->n_segments; n++) ++ if (ret >= 0) ++ ret = test_segment(s, in_fmt, pls, pls->segments[n]); ++ + if (ret < 0) { + /* Free the ctx - it isn't initialized properly at this point, + * so avformat_close_input shouldn't be called. If +@@ -2467,6 +2515,8 @@ static const AVOption hls_options[] = { + OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, + {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + INT_MIN, INT_MAX, FLAGS}, ++ {"extension_picky", "Be picky with all extensions matching", ++ OFFSET(extension_picky), AV_OPT_TYPE_BOOL, {.i64 = 1}, 0, 1, FLAGS}, + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, + {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments", +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch new file mode 100644 index 0000000000..0a2488814f --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch 
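Review bot: the doc/demuxers.texi hunk adds the `@item extension_picky` description as five lines without sentence punctuation ("This blocks disallowed extensions from probing", "...matching extensions to the format", "...instead of depending on extensions"); Texinfo joins consecutive lines into one paragraph, so the rendered option text reads as a run-on. Add full stops before the sentences that currently lack them.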
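Review bot: in the test_segment hunk, `strcmp(c->allowed_extensions, "ALL")` dereferences the option string without a NULL check; allowed_extensions is an AV_OPT_TYPE_STRING with a non-empty default, but an API user can set a string option to NULL, and test_segment is now reached from parse_playlist before any other use of it. A `c->allowed_extensions &&` guard is cheap. The bit encoding (bit 0 = av_match_ext on the bare filename, bit 1 = ff_match_url_ext on the decomposed URL) and the `!(matchA & matchF)` test, which requires the same matching method to succeed on both the allow-list and the format side, also deserve a short comment; matchA starting at 3 when the list is "ALL" and matchF being forced to 3 for mpegts are what make the special cases work, and that is not obvious from the arithmetic.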
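Review bot: in the hls_read_header hunk, the new loop `for (int n = 0; n < pls->n_segments; n++) if (ret >= 0) ret = test_segment(...)` keeps iterating after the first failure and merely skips the call; a `break` on `ret < 0` (or folding `ret >= 0` into the loop condition) states the intent and avoids walking every segment of a large playlist once it has already been rejected. It is also worth a call-site comment that every segment is validated against the format probed from `pls->segments[0]` only, which is what the commit message describes but is easy to miss here.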
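Review bot: in the hls_options hunk, `extension_picky` defaults to on (`{.i64 = 1}`), so this backport changes behaviour on the kirkstone stable branch: playlists whose segment URLs do not carry an extension matching the probed format (mpegts excepted) are now rejected with AVERROR_INVALIDDATA where they previously played. That is the intended hardening, but the recipe commit message should call it out and repeat the upstream advice to set the whitelists correctly rather than rely on extensions, since the change is invisible from the recipe diff.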
@@ -0,0 +1,45 @@ +From 800f5f818e858c864db86c174114d13f44d59044 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Thu, 16 Jan 2025 00:22:05 +0100 +Subject: [PATCH] avformat/dashdec: Check whitelist + +Fixes: CVE-2023-6602, V. DASH Playlist SSRF + +Found-by: Harvey Phillips of Amazon Element55 (element55) +Signed-off-by: Michael Niedermayer +(cherry picked from commit 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf) +Signed-off-by: Michael Niedermayer + +CVE: CVE-2023-6602 CVE-2023-6604 CVE-2023-6604 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/097131a6474bd6294ff337fa92025df60dff907a] + +Signed-off-by: Archana Polampalli +--- + libavformat/dashdec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c +index 797fe74..78118de 100644 +--- a/libavformat/dashdec.c ++++ b/libavformat/dashdec.c +@@ -442,7 +442,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, + av_freep(pb); + av_dict_copy(&tmp, *opts, 0); + av_dict_copy(&tmp, opts2, 0); +- ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp); ++ ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist); + if (ret >= 0) { + // update cookies on http response with setcookies. + char *new_cookies = NULL; +@@ -1217,7 +1217,7 @@ static int parse_manifest(AVFormatContext *s, const char *url, AVIOContext *in) + close_in = 1; + + av_dict_copy(&opts, c->avio_opts, 0); +- ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts); ++ ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist); + av_dict_free(&opts); + if (ret < 0) + return ret; +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index f205c4a5db..27a9a80e8c 100644 
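Review bot: the `CVE:` tag in this patch reads `CVE-2023-6602 CVE-2023-6604 CVE-2023-6604`, listing 6604 twice and omitting CVE-2023-6605, which per the cover text is the DASH-playlist SSRF this commit fixes; OE's cve-check parses that tag, so as written the recipe would not be recorded as fixing CVE-2023-6605. The Upstream-Status URL points at commit 097131a6474bd6294ff337fa92025df60dff907a while the patch header says it is 800f5f818e858c864db86c174114d13f44d59044 (cherry-picked from 4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf); one of these should be corrected so the backport can be traced. On the code: `ffio_open_whitelist` is declared in libavformat/avio_internal.h and neither hunk adds an include, so confirm dashdec.c in 5.0.3 already includes it.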
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb 
@@ -49,6 +49,9 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2025-22919.patch \ file://CVE-2025-22921.patch \ file://CVE-2025-7700.patch \ + file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \ + file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \ + file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \ " SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"

From patchwork Tue Sep 9 19:30:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 69895 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 3/5] ffmpeg: fix CVE-2025-1594
Date: Tue, 9 Sep 2025 12:30:01 -0700
Message-ID: <5a922eb95da7d373ee2bc3018065448fa128e69a.1757446071.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Sep 2025 19:30:20 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/223135

From: Archana Polampalli

A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
 .../ffmpeg/ffmpeg/CVE-2025-1594.patch | 104 ++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 1 +
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch new file mode 100644 index 0000000000..b8f0bc5781 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
@@ -0,0 +1,104 @@ +From bedfb6eca402037f5cbb115fa767d106b8c14f1c Mon Sep 17 00:00:00 2001 +From: Lynne +Date: Sat, 8 Feb 2025 04:35:31 +0100 +Subject: [PATCH] aacenc_tns: clamp filter direction energy measurement + +The issue is that: + +float en[2]; +... +tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3; +for (g = 0; g < tns->n_filt[w]; g++) { + tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g]; + +When using the AAC Main profile, n_filt = 3, and slant is by +default 2 (normal long frames), g can go above 1. + +en is the evolution of energy in the frequency domain for every +band at the given window. E.g. whether the energy is concentrated +at the top of each band, or the bottom. + +For 2-pole filters, its straightforward. +For 3-pole filters, we need more than 2 measurements. + +This commit properly implements support for 3-pole filters, by measuring +the band energy across three areas. + +Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows +n_filt == 3. + +Fixes https://trac.ffmpeg.org/ticket/11418 + +CVE: CVE-2025-1594 + +Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bedfb6eca402037f5cbb115fa767d106b8c14f1c] + +Signed-off-by: Archana Polampalli +--- + libavcodec/aacenc_tns.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c +index 8dc6dfc..9ea3506 100644 +--- a/libavcodec/aacenc_tns.c ++++ b/libavcodec/aacenc_tns.c +@@ -172,6 +172,7 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce) + sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 : 2; + const int sfb_len = sfb_end - sfb_start; + const int coef_len = sce->ics.swb_offset[sfb_end] - sce->ics.swb_offset[sfb_start]; ++ const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 
2 : 3; + + if (coef_len <= 0 || sfb_len <= 0) { + sce->tns.present = 0; +@@ -179,16 +180,30 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce) + } + + for (w = 0; w < sce->ics.num_windows; w++) { +- float en[2] = {0.0f, 0.0f}; ++ float en[4] = {0.0f, 0.0f, 0.0f, 0.0f}; + int oc_start = 0, os_start = 0; + int coef_start = sce->ics.swb_offset[sfb_start]; + +- for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) { +- FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g]; +- if (g > sfb_start + (sfb_len/2)) +- en[1] += band->energy; +- else +- en[0] += band->energy; ++ if (n_filt == 2) { ++ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) { ++ FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g]; ++ if (g > sfb_start + (sfb_len/2)) ++ en[1] += band->energy; /* End */ ++ else ++ en[0] += band->energy; /* Start */ ++ } ++ en[2] = en[0]; ++ } else { ++ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) { ++ FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g]; ++ if (g > sfb_start + (sfb_len/2) + (sfb_len/4)) ++ en[2] += band->energy; /* End */ ++ else if (g > sfb_start + (sfb_len/2) - (sfb_len/4)) ++ en[1] += band->energy; /* Middle */ ++ else ++ en[0] += band->energy; /* Start */ ++ } ++ en[3] = en[0]; + } + + /* LPC */ +@@ -198,9 +213,9 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce) + if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain > TNS_GAIN_THRESHOLD_HIGH) + continue; + +- tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3; ++ tns->n_filt[w] = n_filt; + for (g = 0; g < tns->n_filt[w]; g++) { +- tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g]; ++ tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1]; + tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] : order - oc_start; + tns->length[w][g] = g < tns->n_filt[w] ? 
sfb_len/tns->n_filt[w] : sfb_len - os_start; + quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g], tns->coef[w][g], +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 27a9a80e8c..a46cb3480a 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb 
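Review bot: in the `@@ -179,16 +180,30 @@` hunk the `else` branch of `if (n_filt == 2)` also catches `n_filt == 1` (the `is8` short-window case), so short windows now get the three-region split and `direction[w][0]` compares the bottom quarter `en[0]` with the middle half `en[1]` rather than the lower half with the upper half as the removed code did; the commit message only discusses the 3-pole case, so this behaviour change for eight-short-window frames is either unintended or should be called out. Using `n_filt == 3` as the condition for the three-region path keeps the old split for `n_filt <= 2`; the `en[g] < en[g + 1]` comparison in the `@@ -198,9 +213,9 @@` hunk stays in bounds either way, since `g + 1 <= n_filt <= 3` indexes the four-element `en`. Minor: when `sfb_len < 4`, `sfb_len/4` is 0 and the `Middle` region is empty, leaving `en[1]` at 0.0f; harmless for memory safety, but worth a comment.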
@@ -52,6 +52,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \ file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \ file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \ + file://CVE-2025-1594.patch \ " SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"
From patchwork Tue Sep 9 19:30:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 69893 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 4/5] llvm: fix typo in CVE-2024-0151.patch
Date: Tue, 9 Sep 2025 12:30:02 -0700
Message-ID: <77f29f8fea58de40459186952d25279877ce4994.1757446071.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/223136

From: Gyorgy Sarvari

During backporting of the patch, a variable was accidentally removed. In case the recipe is compiled for a 32-bit Arm target, compilation fails with the following error:

3.0.1-r0/git/llvm/lib/Target/ARM/ARMISelLowering.cpp:4481:13: error: 'RegVT' was not declared in this scope
| 4481 | if (RegVT == MVT::f16 || RegVT == MVT::bf16)
| | ^~~~~

This patch corrects the patch, and adds back the removed RegVT variable.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/llvm/llvm/CVE-2024-0151.patch | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/meta/recipes-devtools/llvm/llvm/CVE-2024-0151.patch b/meta/recipes-devtools/llvm/llvm/CVE-2024-0151.patch index cbe6f5bf3f..f5ef7e8d4f 100644 --- a/meta/recipes-devtools/llvm/llvm/CVE-2024-0151.patch +++ b/meta/recipes-devtools/llvm/llvm/CVE-2024-0151.patch @@ -32,6 +32,10 @@ Date: Thu Jun 20 10:22:01 2024 +0100 Upstream-Status: Backport [https://github.com/llvm/llvm-project/commit/78ff617d3f573fb3a9b2fef180fa0fd43d5584ea] CVE: CVE-2024-0151 Signed-off-by: Deepesh Varatharajan + +Added back RegVT variable, which was accidentally removed during backporting. + +Signed-off-by: Gyorgy Sarvari --- diff --git a/llvm/lib/Target/ARM/ARMISelLowering.cpp b/llvm/lib/Target/ARM/ARMISelLowering.cpp index 900113244e41..e12f8c183db2 100644
@@ -98,16 +102,15 @@ index 900113244e41..e12f8c183db2 100644 Function::const_arg_iterator CurOrigArg = MF.getFunction().arg_begin(); unsigned CurArgIdx = 0; -@@ -4432,7 +4450,7 @@ SDValue ARMTargetLowering::LowerFormalArguments( - } +@@ -4433,6 +4451,7 @@ SDValue ARMTargetLowering::LowerFormalArguments( // Arguments stored in registers. if (VA.isRegLoc()) { -- EVT RegVT = VA.getLocVT(); + EVT RegVT = VA.getLocVT(); + SDValue ArgValue; if (VA.needsCustom() && VA.getLocVT() == MVT::v2f64) { // f64 and vector types are split up into multiple registers or -@@ -4496,16 +4514,6 @@ SDValue ARMTargetLowering::LowerFormalArguments( +@@ -4496,16 +4515,6 @@ SDValue ARMTargetLowering::LowerFormalArguments( case CCValAssign::BCvt: ArgValue = DAG.getNode(ISD::BITCAST, dl, VA.getValVT(), ArgValue); break; 
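Review bot: the inner hunk header in this region was hand-edited from `@@ -4432,7 +4450,7 @@` to `@@ -4433,6 +4451,7 @@`, the leading `}` context line was dropped, and `EVT RegVT = VA.getLocVT();` is back to an unchanged context line, so the old-side count of 6 and new-side count of 7 must match the retained lines exactly or `do_patch` will reject the file; the `+4514` to `+4515` change on the following inner header (`@@ -4496,16 +4515,6 @@`) is the expected knock-on of the one extra kept line. It would also help to record in the commit message that the rebuilt patch was applied and build-tested on a 32-bit Arm machine, since the quoted failure (`'RegVT' was not declared in this scope` at `ARMISelLowering.cpp:4481`) only reproduces there.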
@@ -124,7 +127,7 @@ index 900113244e41..e12f8c183db2 100644 } // f16 arguments have their size extended to 4 bytes and passed as if they -@@ -4515,6 +4523,15 @@ SDValue ARMTargetLowering::LowerFormalArguments( +@@ -4515,6 +4524,15 @@ SDValue ARMTargetLowering::LowerFormalArguments( (VA.getValVT() == MVT::f16 || VA.getValVT() == MVT::bf16)) ArgValue = MoveToHPR(dl, DAG, VA.getLocVT(), VA.getValVT(), ArgValue);
From patchwork Tue Sep 9 19:30:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 69897 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 5/5] wpa-supplicant: fix CVE-2022-37660
Date: Tue, 9 Sep 2025 12:30:03 -0700
Message-ID: <3dd917c52ace30607800f0b70a52a52662dda731.1757446071.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/223137

From: Divya Chellam

In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past will be able to subvert a future bootstrapping by passively observing public keys, re-using the encrypting element Qi and subtracting it from the captured message M (X = M - Qi). This will result in the public ephemeral key X, the only element required to subvert the PKEX association.

CVE-2022-37660-0001, CVE-2022-37660-0002, CVE-2022-37660-0003 and CVE-2022-37660-0004 are dependent commits, while CVE-2022-37660-0005 is the actual CVE fix.

Reference: https://security-tracker.debian.org/tracker/CVE-2022-37660

Upstream-patches:
https://git.w1.fi/cgit/hostap/commit/?id=9d3f347a2b14652e767d51142600206a32676b62
https://git.w1.fi/cgit/hostap/commit/?id=80213629981a21825e4688fde1b590e4c4d4bcea
https://git.w1.fi/cgit/hostap/commit/?id=bdcccbc2755dd1a75731496782e02b5435fb9534
https://git.w1.fi/cgit/hostap/commit/?id=d7be749335f2585658cf98c4f0e7d6cd5ac06865
https://git.w1.fi/cgit/hostap/commit/?id=15af83cf1846870873a011ed4d714732f01cd2e4

Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman --- .../wpa-supplicant/CVE-2022-37660-0001.patch | 254 +++++ .../wpa-supplicant/CVE-2022-37660-0002.patch | 139 +++ .../wpa-supplicant/CVE-2022-37660-0003.patch | 196 ++++ .../wpa-supplicant/CVE-2022-37660-0004.patch | 941 ++++++++++++++++++ .../wpa-supplicant/CVE-2022-37660-0005.patch | 144 +++ .../wpa-supplicant/wpa-supplicant_2.10.bb | 5 + 6 files changed, 1679 insertions(+) create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0001.patch create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0003.patch create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0004.patch create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0005.patch diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0001.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0001.patch new file mode 100644 index 0000000000..e7d3a967fa --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0001.patch 
@@ -0,0 +1,254 @@ +From 9d3f347a2b14652e767d51142600206a32676b62 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Mon, 24 Jan 2022 20:57:19 +0200 +Subject: [PATCH] DPP3: Add PKEX initiator retries and fallback from v2 to v1 + for hostapd + +This extends hostapd with the design used in wpa_supplicant for PKEX +initiator retries and automatic version fallback from v2 to v1 (the +latter is enabled only with CONFIG_DPP3=y). + +Signed-off-by: Jouni Malinen + +CVE: CVE-2022-37660 + +Upstream-Status: Backport [https://git.w1.fi/cgit/hostap/commit/?id=9d3f347a2b14652e767d51142600206a32676b62] + +Signed-off-by: Divya Chellam +--- + src/ap/dpp_hostapd.c | 188 +++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 171 insertions(+), 17 deletions(-) + +diff --git a/src/ap/dpp_hostapd.c b/src/ap/dpp_hostapd.c +index 13e1fc5..6c30ba3 100644 +--- a/src/ap/dpp_hostapd.c ++++ b/src/ap/dpp_hostapd.c +@@ -216,6 +216,163 @@ static void hostapd_dpp_auth_resp_retry(struct hostapd_data *hapd) + } + + ++static int hostapd_dpp_allow_ir(struct hostapd_data *hapd, unsigned int freq) ++{ ++ int i, j; ++ ++ if (!hapd->iface->hw_features) ++ return -1; ++ ++ for (i = 0; i < hapd->iface->num_hw_features; i++) { ++ struct hostapd_hw_modes *mode = &hapd->iface->hw_features[i]; ++ ++ for (j = 0; j < mode->num_channels; j++) { ++ struct hostapd_channel_data *chan = &mode->channels[j]; ++ ++ if (chan->freq != (int) freq) ++ continue; ++ ++ if (chan->flag & (HOSTAPD_CHAN_DISABLED | ++ HOSTAPD_CHAN_NO_IR | ++ HOSTAPD_CHAN_RADAR)) ++ continue; ++ ++ return 1; ++ } ++ } ++ ++ wpa_printf(MSG_DEBUG, ++ "DPP: Frequency %u MHz not supported or does not allow PKEX initiation in the current channel list", ++ freq); ++ ++ return 0; ++} ++ ++ ++static int hostapd_dpp_pkex_next_channel(struct hostapd_data *hapd, ++ struct dpp_pkex *pkex) ++{ ++ if (pkex->freq == 2437) ++ pkex->freq = 5745; ++ else if (pkex->freq == 5745) ++ pkex->freq = 5220; ++ else if (pkex->freq == 5220) ++ pkex->freq = 60480; ++ 
else ++ return -1; /* no more channels to try */ ++ ++ if (hostapd_dpp_allow_ir(hapd, pkex->freq) == 1) { ++ wpa_printf(MSG_DEBUG, "DPP: Try to initiate on %u MHz", ++ pkex->freq); ++ return 0; ++ } ++ ++ /* Could not use this channel - try the next one */ ++ return hostapd_dpp_pkex_next_channel(hapd, pkex); ++} ++ ++ ++static int hostapd_dpp_pkex_init(struct hostapd_data *hapd, bool v2) ++{ ++ struct dpp_pkex *pkex; ++ struct wpabuf *msg; ++ unsigned int wait_time; ++ ++ wpa_printf(MSG_DEBUG, "DPP: Initiating PKEXv%d", v2 ? 2 : 1); ++ dpp_pkex_free(hapd->dpp_pkex); ++ hapd->dpp_pkex = dpp_pkex_init(hapd->msg_ctx, hapd->dpp_pkex_bi, ++ hapd->own_addr, ++ hapd->dpp_pkex_identifier, ++ hapd->dpp_pkex_code, v2); ++ pkex = hapd->dpp_pkex; ++ if (!pkex) ++ return -1; ++ ++ msg = hapd->dpp_pkex->exchange_req; ++ wait_time = 2000; /* TODO: hapd->max_remain_on_chan; */ ++ pkex->freq = 2437; ++ wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_TX "dst=" MACSTR ++ " freq=%u type=%d", MAC2STR(broadcast), pkex->freq, ++ v2 ? 
DPP_PA_PKEX_EXCHANGE_REQ : ++ DPP_PA_PKEX_V1_EXCHANGE_REQ); ++ hostapd_drv_send_action(hapd, pkex->freq, 0, broadcast, ++ wpabuf_head(msg), wpabuf_len(msg)); ++ pkex->exch_req_wait_time = wait_time; ++ pkex->exch_req_tries = 1; ++ ++ return 0; ++} ++ ++ ++static void hostapd_dpp_pkex_retry_timeout(void *eloop_ctx, void *timeout_ctx) ++{ ++ struct hostapd_data *hapd = eloop_ctx; ++ struct dpp_pkex *pkex = hapd->dpp_pkex; ++ ++ if (!pkex || !pkex->exchange_req) ++ return; ++ if (pkex->exch_req_tries >= 5) { ++ if (hostapd_dpp_pkex_next_channel(hapd, pkex) < 0) { ++#ifdef CONFIG_DPP3 ++ if (pkex->v2) { ++ wpa_printf(MSG_DEBUG, ++ "DPP: Fall back to PKEXv1"); ++ hostapd_dpp_pkex_init(hapd, false); ++ return; ++ } ++#endif /* CONFIG_DPP3 */ ++ wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_FAIL ++ "No response from PKEX peer"); ++ dpp_pkex_free(pkex); ++ hapd->dpp_pkex = NULL; ++ return; ++ } ++ pkex->exch_req_tries = 0; ++ } ++ ++ pkex->exch_req_tries++; ++ wpa_printf(MSG_DEBUG, "DPP: Retransmit PKEX Exchange Request (try %u)", ++ pkex->exch_req_tries); ++ wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_TX "dst=" MACSTR ++ " freq=%u type=%d", ++ MAC2STR(broadcast), pkex->freq, ++ pkex->v2 ? DPP_PA_PKEX_EXCHANGE_REQ : ++ DPP_PA_PKEX_V1_EXCHANGE_REQ); ++ hostapd_drv_send_action(hapd, pkex->freq, pkex->exch_req_wait_time, ++ broadcast, ++ wpabuf_head(pkex->exchange_req), ++ wpabuf_len(pkex->exchange_req)); ++} ++ ++ ++static void hostapd_dpp_pkex_tx_status(struct hostapd_data *hapd, const u8 *dst, ++ const u8 *data, size_t data_len, int ok) ++{ ++ struct dpp_pkex *pkex = hapd->dpp_pkex; ++ ++ if (pkex->failed) { ++ wpa_printf(MSG_DEBUG, ++ "DPP: Terminate PKEX exchange due to an earlier error"); ++ if (pkex->t > pkex->own_bi->pkex_t) ++ pkex->own_bi->pkex_t = pkex->t; ++ dpp_pkex_free(pkex); ++ hapd->dpp_pkex = NULL; ++ return; ++ } ++ ++ if (pkex->exch_req_wait_time && pkex->exchange_req) { ++ /* Wait for PKEX Exchange Response frame and retry request if ++ * no response is seen. 
*/ ++ eloop_cancel_timeout(hostapd_dpp_pkex_retry_timeout, hapd, ++ NULL); ++ eloop_register_timeout(pkex->exch_req_wait_time / 1000, ++ (pkex->exch_req_wait_time % 1000) * 1000, ++ hostapd_dpp_pkex_retry_timeout, hapd, ++ NULL); ++ } ++} ++ ++ + void hostapd_dpp_tx_status(struct hostapd_data *hapd, const u8 *dst, + const u8 *data, size_t data_len, int ok) + { +@@ -227,6 +384,11 @@ void hostapd_dpp_tx_status(struct hostapd_data *hapd, const u8 *dst, + " result=%s", MAC2STR(dst), ok ? "SUCCESS" : "FAILED"); + + if (!hapd->dpp_auth) { ++ if (hapd->dpp_pkex) { ++ hostapd_dpp_pkex_tx_status(hapd, dst, data, data_len, ++ ok); ++ return; ++ } + wpa_printf(MSG_DEBUG, + "DPP: Ignore TX status since there is no ongoing authentication exchange"); + return; +@@ -1783,6 +1945,9 @@ hostapd_dpp_rx_pkex_exchange_resp(struct hostapd_data *hapd, const u8 *src, + return; + } + ++ eloop_cancel_timeout(hostapd_dpp_pkex_retry_timeout, hapd, NULL); ++ hapd->dpp_pkex->exch_req_wait_time = 0; ++ + msg = dpp_pkex_rx_exchange_resp(hapd->dpp_pkex, src, buf, len); + if (!msg) { + wpa_printf(MSG_DEBUG, "DPP: Failed to process the response"); +@@ -2172,26 +2337,14 @@ int hostapd_dpp_pkex_add(struct hostapd_data *hapd, const char *cmd) + return -1; + + if (os_strstr(cmd, " init=1") || os_strstr(cmd, " init=2")) { +- struct wpabuf *msg; ++#ifdef CONFIG_DPP3 ++ bool v2 = true; ++#else /* CONFIG_DPP3 */ + bool v2 = os_strstr(cmd, " init=2") != NULL; ++#endif /* CONFIG_DPP3 */ + +- wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX"); +- dpp_pkex_free(hapd->dpp_pkex); +- hapd->dpp_pkex = dpp_pkex_init(hapd->msg_ctx, own_bi, +- hapd->own_addr, +- hapd->dpp_pkex_identifier, +- hapd->dpp_pkex_code, v2); +- if (!hapd->dpp_pkex) ++ if (hostapd_dpp_pkex_init(hapd, v2) < 0) + return -1; +- +- msg = hapd->dpp_pkex->exchange_req; +- /* TODO: Which channel to use? */ +- wpa_msg(hapd->msg_ctx, MSG_INFO, DPP_EVENT_TX "dst=" MACSTR +- " freq=%u type=%d", MAC2STR(broadcast), 2437, +- v2 ? 
DPP_PA_PKEX_EXCHANGE_REQ : +- DPP_PA_PKEX_V1_EXCHANGE_REQ); +- hostapd_drv_send_action(hapd, 2437, 0, broadcast, +- wpabuf_head(msg), wpabuf_len(msg)); + } + + /* TODO: Support multiple PKEX info entries */ +@@ -2319,6 +2472,7 @@ void hostapd_dpp_deinit(struct hostapd_data *hapd) + #endif /* CONFIG_TESTING_OPTIONS */ + if (!hapd->dpp_init_done) + return; ++ eloop_cancel_timeout(hostapd_dpp_pkex_retry_timeout, hapd, NULL); + eloop_cancel_timeout(hostapd_dpp_reply_wait_timeout, hapd, NULL); + eloop_cancel_timeout(hostapd_dpp_auth_conf_wait_timeout, hapd, NULL); + eloop_cancel_timeout(hostapd_dpp_init_timeout, hapd, NULL); +-- +2.40.0 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch new file mode 100644 index 0000000000..9d39f18f43 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0002.patch 
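Review bot: `hostapd_dpp_pkex_tx_status` in the `@@ -216,6 +216,163 @@` hunk never looks at its `ok` argument (nor at `dst`, `data`, `data_len`), so a frame the driver reports as failed still arms the full `exch_req_wait_time` retry timer instead of retrying promptly; if that is intentional, a comment should say so, otherwise check `ok` before `eloop_register_timeout`. In the same hunk, `hostapd_dpp_pkex_retry_timeout` discards the return value of `hostapd_dpp_pkex_init(hapd, false)` on the `CONFIG_DPP3` fallback path: when `dpp_pkex_init` fails, `hapd->dpp_pkex` is left NULL and no `DPP_EVENT_FAIL` is emitted, so the control-interface client never learns the exchange ended; emit the failure event when init returns -1. Note also that this fallback downgrades to PKEXv1 purely because no v2 response arrived within the retries, so deployments that must not negotiate down to v1 need the `ver=2` option that CVE-2022-37660-0003 adds later in this series.

Review bot: in the `@@ -2172,26 +2337,14 @@` hunk the removed code passed the `own_bi` that `hostapd_dpp_pkex_add` had just validated, while `hostapd_dpp_pkex_init` reads `hapd->dpp_pkex_bi` instead; please confirm `hapd->dpp_pkex_bi` is assigned from `own_bi` earlier in this function (not visible in the hunk), otherwise the initiator starts from a stale or NULL bootstrap entry and `dpp_pkex_init` fails. Also, with `bool v2 = true` under `CONFIG_DPP3`, `init=2` is no longer distinguishable from `init=1`, which the commit message should mention.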
@@ -0,0 +1,139 @@ +From 80213629981a21825e4688fde1b590e4c4d4bcea Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Mon, 24 Jan 2022 20:21:24 +0200 +Subject: [PATCH] DPP3: Start with PKEXv2 and fall back to v1 + +Use automatic PKEX version negotiation as the initiator by starting with +PKEXv2 and if no response is received, trying again with PKEXv1. For +now, this is enabled only in wpa_supplicant CONFIG_DPP3=y builds. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2022-37660 + +Upstream-Status: Backport [https://git.w1.fi/cgit/hostap/commit/?id=80213629981a21825e4688fde1b590e4c4d4bcea] + +Signed-off-by: Divya Chellam +--- + wpa_supplicant/dpp_supplicant.c | 81 +++++++++++++++++++++------------ + 1 file changed, 52 insertions(+), 29 deletions(-) + +diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c +index 584654a..43c85d3 100644 +--- a/wpa_supplicant/dpp_supplicant.c ++++ b/wpa_supplicant/dpp_supplicant.c +@@ -2557,6 +2557,45 @@ static int wpas_dpp_pkex_next_channel(struct wpa_supplicant *wpa_s, + } + + ++static int wpas_dpp_pkex_init(struct wpa_supplicant *wpa_s, bool v2) ++{ ++ struct dpp_pkex *pkex; ++ struct wpabuf *msg; ++ unsigned int wait_time; ++ ++ wpa_printf(MSG_DEBUG, "DPP: Initiating PKEXv%d", v2 ? 2 : 1); ++ dpp_pkex_free(wpa_s->dpp_pkex); ++ wpa_s->dpp_pkex = dpp_pkex_init(wpa_s, wpa_s->dpp_pkex_bi, ++ wpa_s->own_addr, ++ wpa_s->dpp_pkex_identifier, ++ wpa_s->dpp_pkex_code, v2); ++ pkex = wpa_s->dpp_pkex; ++ if (!pkex) ++ return -1; ++ ++ msg = pkex->exchange_req; ++ wait_time = wpa_s->max_remain_on_chan; ++ if (wait_time > 2000) ++ wait_time = 2000; ++ pkex->freq = 2437; ++ wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_TX "dst=" MACSTR ++ " freq=%u type=%d", ++ MAC2STR(broadcast), pkex->freq, ++ v2 ? 
DPP_PA_PKEX_EXCHANGE_REQ : ++ DPP_PA_PKEX_V1_EXCHANGE_REQ); ++ offchannel_send_action(wpa_s, pkex->freq, broadcast, ++ wpa_s->own_addr, broadcast, ++ wpabuf_head(msg), wpabuf_len(msg), ++ wait_time, wpas_dpp_tx_pkex_status, 0); ++ if (wait_time == 0) ++ wait_time = 2000; ++ pkex->exch_req_wait_time = wait_time; ++ pkex->exch_req_tries = 1; ++ ++ return 0; ++} ++ ++ + static void wpas_dpp_pkex_retry_timeout(void *eloop_ctx, void *timeout_ctx) + { + struct wpa_supplicant *wpa_s = eloop_ctx; +@@ -2566,6 +2605,14 @@ static void wpas_dpp_pkex_retry_timeout(void *eloop_ctx, void *timeout_ctx) + return; + if (pkex->exch_req_tries >= 5) { + if (wpas_dpp_pkex_next_channel(wpa_s, pkex) < 0) { ++#ifdef CONFIG_DPP3 ++ if (pkex->v2) { ++ wpa_printf(MSG_DEBUG, ++ "DPP: Fall back to PKEXv1"); ++ wpas_dpp_pkex_init(wpa_s, false); ++ return; ++ } ++#endif /* CONFIG_DPP3 */ + wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_FAIL + "No response from PKEX peer"); + dpp_pkex_free(pkex); +@@ -3271,7 +3318,6 @@ int wpas_dpp_pkex_add(struct wpa_supplicant *wpa_s, const char *cmd) + { + struct dpp_bootstrap_info *own_bi; + const char *pos, *end; +- unsigned int wait_time; + + pos = os_strstr(cmd, " own="); + if (!pos) +@@ -3315,37 +3361,14 @@ int wpas_dpp_pkex_add(struct wpa_supplicant *wpa_s, const char *cmd) + return -1; + + if (os_strstr(cmd, " init=1") || os_strstr(cmd, " init=2")) { +- struct dpp_pkex *pkex; +- struct wpabuf *msg; ++#ifdef CONFIG_DPP3 ++ bool v2 = true; ++#else /* CONFIG_DPP3 */ + bool v2 = os_strstr(cmd, " init=2") != NULL; ++#endif /* CONFIG_DPP3 */ + +- wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX"); +- dpp_pkex_free(wpa_s->dpp_pkex); +- wpa_s->dpp_pkex = dpp_pkex_init(wpa_s, own_bi, wpa_s->own_addr, +- wpa_s->dpp_pkex_identifier, +- wpa_s->dpp_pkex_code, v2); +- pkex = wpa_s->dpp_pkex; +- if (!pkex) ++ if (wpas_dpp_pkex_init(wpa_s, v2) < 0) + return -1; +- +- msg = pkex->exchange_req; +- wait_time = wpa_s->max_remain_on_chan; +- if (wait_time > 2000) +- wait_time = 2000; +- 
pkex->freq = 2437; +- wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_TX "dst=" MACSTR +- " freq=%u type=%d", +- MAC2STR(broadcast), pkex->freq, +- v2 ? DPP_PA_PKEX_EXCHANGE_REQ : +- DPP_PA_PKEX_V1_EXCHANGE_REQ); +- offchannel_send_action(wpa_s, pkex->freq, broadcast, +- wpa_s->own_addr, broadcast, +- wpabuf_head(msg), wpabuf_len(msg), +- wait_time, wpas_dpp_tx_pkex_status, 0); +- if (wait_time == 0) +- wait_time = 2000; +- pkex->exch_req_wait_time = wait_time; +- pkex->exch_req_tries = 1; + } + + /* TODO: Support multiple PKEX info entries */ +-- +2.40.0 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0003.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0003.patch new file mode 100644 index 0000000000..7334720dfb --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0003.patch 
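Review bot: in the `@@ -2566,6 +2605,14 @@` hunk the `CONFIG_DPP3` fallback calls `wpas_dpp_pkex_init(wpa_s, false)` and returns without checking its result; if `dpp_pkex_init` fails there, `wpa_s->dpp_pkex` is NULL and the `DPP_EVENT_FAIL "No response from PKEX peer"` event just below is skipped, so the control-interface client sees neither a v1 attempt nor a failure. Let a -1 return fall through to the existing `wpa_msg(... DPP_EVENT_FAIL ...)` path.

Review bot: in the `@@ -3315,37 +3361,14 @@` hunk the removed `dpp_pkex_init(wpa_s, own_bi, ...)` used the locally validated `own_bi`, whereas `wpas_dpp_pkex_init` now reads `wpa_s->dpp_pkex_bi`; please confirm that field is set from `own_bi` before the call (the assignment is outside the hunk). The unconditional `bool v2 = true` under `CONFIG_DPP3` also makes `init=2` a no-op alias of `init=1`, which is worth stating in the commit message.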
@@ -0,0 +1,196 @@ +From bdcccbc2755dd1a75731496782e02b5435fb9534 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 25 Jan 2022 20:06:49 +0200 +Subject: [PATCH] DPP: Change PKEX version configuration design + +Use a separate ver=<1|2> parameter to DPP_PKEX_ADD instead of +overloading init=1 with version indication. This allows additional +options for forcing v1-only and v2-only in addition to automatic mode +(start with v2 and fall back to v1, if needed). + +Signed-off-by: Jouni Malinen + +CVE: CVE-2022-37660 + +Upstream-Status: Backport [https://git.w1.fi/cgit/hostap/commit/?id=bdcccbc2755dd1a75731496782e02b5435fb9534] + +Signed-off-by: Divya Chellam +--- + src/ap/dpp_hostapd.c | 37 ++++++++++++++++++++++++++------- + src/common/dpp.h | 1 + + wpa_supplicant/dpp_supplicant.c | 37 ++++++++++++++++++++++++++------- + 3 files changed, 61 insertions(+), 14 deletions(-) + +diff --git a/src/ap/dpp_hostapd.c b/src/ap/dpp_hostapd.c +index 6c30ba3..fdfdcf9 100644 +--- a/src/ap/dpp_hostapd.c ++++ b/src/ap/dpp_hostapd.c +@@ -272,11 +272,19 @@ static int hostapd_dpp_pkex_next_channel(struct hostapd_data *hapd, + } + + +-static int hostapd_dpp_pkex_init(struct hostapd_data *hapd, bool v2) ++enum hostapd_dpp_pkex_ver { ++ PKEX_VER_AUTO, ++ PKEX_VER_ONLY_1, ++ PKEX_VER_ONLY_2, ++}; ++ ++static int hostapd_dpp_pkex_init(struct hostapd_data *hapd, ++ enum hostapd_dpp_pkex_ver ver) + { + struct dpp_pkex *pkex; + struct wpabuf *msg; + unsigned int wait_time; ++ bool v2 = ver != PKEX_VER_ONLY_1; + + wpa_printf(MSG_DEBUG, "DPP: Initiating PKEXv%d", v2 ? 
2 : 1); + dpp_pkex_free(hapd->dpp_pkex); +@@ -287,6 +295,7 @@ static int hostapd_dpp_pkex_init(struct hostapd_data *hapd, bool v2) + pkex = hapd->dpp_pkex; + if (!pkex) + return -1; ++ pkex->forced_ver = ver != PKEX_VER_AUTO; + + msg = hapd->dpp_pkex->exchange_req; + wait_time = 2000; /* TODO: hapd->max_remain_on_chan; */ +@@ -314,10 +323,10 @@ static void hostapd_dpp_pkex_retry_timeout(void *eloop_ctx, void *timeout_ctx) + if (pkex->exch_req_tries >= 5) { + if (hostapd_dpp_pkex_next_channel(hapd, pkex) < 0) { + #ifdef CONFIG_DPP3 +- if (pkex->v2) { ++ if (pkex->v2 && !pkex->forced_ver) { + wpa_printf(MSG_DEBUG, + "DPP: Fall back to PKEXv1"); +- hostapd_dpp_pkex_init(hapd, false); ++ hostapd_dpp_pkex_init(hapd, PKEX_VER_ONLY_1); + return; + } + #endif /* CONFIG_DPP3 */ +@@ -2336,14 +2345,28 @@ int hostapd_dpp_pkex_add(struct hostapd_data *hapd, const char *cmd) + if (!hapd->dpp_pkex_code) + return -1; + +- if (os_strstr(cmd, " init=1") || os_strstr(cmd, " init=2")) { ++ if (os_strstr(cmd, " init=1")) { + #ifdef CONFIG_DPP3 +- bool v2 = true; ++ enum hostapd_dpp_pkex_ver ver = PKEX_VER_AUTO; + #else /* CONFIG_DPP3 */ +- bool v2 = os_strstr(cmd, " init=2") != NULL; ++ enum hostapd_dpp_pkex_ver ver = PKEX_VER_ONLY_1; + #endif /* CONFIG_DPP3 */ + +- if (hostapd_dpp_pkex_init(hapd, v2) < 0) ++ pos = os_strstr(cmd, " ver="); ++ if (pos) { ++ int v; ++ ++ pos += 5; ++ v = atoi(pos); ++ if (v == 1) ++ ver = PKEX_VER_ONLY_1; ++ else if (v == 2) ++ ver = PKEX_VER_ONLY_2; ++ else ++ return -1; ++ } ++ ++ if (hostapd_dpp_pkex_init(hapd, ver) < 0) + return -1; + } + +diff --git a/src/common/dpp.h b/src/common/dpp.h +index 8d62a0e..bfea446 100644 +--- a/src/common/dpp.h ++++ b/src/common/dpp.h +@@ -177,6 +177,7 @@ struct dpp_pkex { + unsigned int exchange_done:1; + unsigned int failed:1; + unsigned int v2:1; ++ unsigned int forced_ver:1; + struct dpp_bootstrap_info *own_bi; + u8 own_mac[ETH_ALEN]; + u8 peer_mac[ETH_ALEN]; +diff --git a/wpa_supplicant/dpp_supplicant.c 
b/wpa_supplicant/dpp_supplicant.c +index 43c85d3..61b300f 100644 +--- a/wpa_supplicant/dpp_supplicant.c ++++ b/wpa_supplicant/dpp_supplicant.c +@@ -2557,11 +2557,19 @@ static int wpas_dpp_pkex_next_channel(struct wpa_supplicant *wpa_s, + } + + +-static int wpas_dpp_pkex_init(struct wpa_supplicant *wpa_s, bool v2) ++enum wpas_dpp_pkex_ver { ++ PKEX_VER_AUTO, ++ PKEX_VER_ONLY_1, ++ PKEX_VER_ONLY_2, ++}; ++ ++static int wpas_dpp_pkex_init(struct wpa_supplicant *wpa_s, ++ enum wpas_dpp_pkex_ver ver) + { + struct dpp_pkex *pkex; + struct wpabuf *msg; + unsigned int wait_time; ++ bool v2 = ver != PKEX_VER_ONLY_1; + + wpa_printf(MSG_DEBUG, "DPP: Initiating PKEXv%d", v2 ? 2 : 1); + dpp_pkex_free(wpa_s->dpp_pkex); +@@ -2572,6 +2580,7 @@ static int wpas_dpp_pkex_init(struct wpa_supplicant *wpa_s, bool v2) + pkex = wpa_s->dpp_pkex; + if (!pkex) + return -1; ++ pkex->forced_ver = ver != PKEX_VER_AUTO; + + msg = pkex->exchange_req; + wait_time = wpa_s->max_remain_on_chan; +@@ -2606,10 +2615,10 @@ static void wpas_dpp_pkex_retry_timeout(void *eloop_ctx, void *timeout_ctx) + if (pkex->exch_req_tries >= 5) { + if (wpas_dpp_pkex_next_channel(wpa_s, pkex) < 0) { + #ifdef CONFIG_DPP3 +- if (pkex->v2) { ++ if (pkex->v2 && !pkex->forced_ver) { + wpa_printf(MSG_DEBUG, + "DPP: Fall back to PKEXv1"); +- wpas_dpp_pkex_init(wpa_s, false); ++ wpas_dpp_pkex_init(wpa_s, PKEX_VER_ONLY_1); + return; + } + #endif /* CONFIG_DPP3 */ +@@ -3360,14 +3369,28 @@ int wpas_dpp_pkex_add(struct wpa_supplicant *wpa_s, const char *cmd) + if (!wpa_s->dpp_pkex_code) + return -1; + +- if (os_strstr(cmd, " init=1") || os_strstr(cmd, " init=2")) { ++ if (os_strstr(cmd, " init=1")) { + #ifdef CONFIG_DPP3 +- bool v2 = true; ++ enum wpas_dpp_pkex_ver ver = PKEX_VER_AUTO; + #else /* CONFIG_DPP3 */ +- bool v2 = os_strstr(cmd, " init=2") != NULL; ++ enum wpas_dpp_pkex_ver ver = PKEX_VER_ONLY_1; + #endif /* CONFIG_DPP3 */ + +- if (wpas_dpp_pkex_init(wpa_s, v2) < 0) ++ pos = os_strstr(cmd, " ver="); ++ if (pos) { ++ int 
v; ++ ++ pos += 5; ++ v = atoi(pos); ++ if (v == 1) ++ ver = PKEX_VER_ONLY_1; ++ else if (v == 2) ++ ver = PKEX_VER_ONLY_2; ++ else ++ return -1; ++ } ++ ++ if (wpas_dpp_pkex_init(wpa_s, ver) < 0) + return -1; + } + +-- +2.40.0 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0004.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0004.patch new file mode 100644 index 0000000000..0077bb5aa3 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0004.patch 
@@ -0,0 +1,941 @@ +From d7be749335f2585658cf98c4f0e7d6cd5ac06865 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 25 Jan 2022 00:35:36 +0200 +Subject: [PATCH] DPP3: PKEX over TCP + +Signed-off-by: Jouni Malinen + +CVE: CVE-2022-37660 + +Upstream-Status: Backport [https://git.w1.fi/cgit/hostap/commit/?id=d7be749335f2585658cf98c4f0e7d6cd5ac06865] + +Signed-off-by: Divya Chellam +--- + src/ap/dpp_hostapd.c | 155 ++++++++++++++-- + src/common/dpp.h | 13 ++ + src/common/dpp_pkex.c | 18 +- + src/common/dpp_tcp.c | 308 +++++++++++++++++++++++++++++++- + wpa_supplicant/dpp_supplicant.c | 122 ++++++++++++- + 5 files changed, 580 insertions(+), 36 deletions(-) + +diff --git a/src/ap/dpp_hostapd.c b/src/ap/dpp_hostapd.c +index fdfdcf9..d956be9 100644 +--- a/src/ap/dpp_hostapd.c ++++ b/src/ap/dpp_hostapd.c +@@ -28,12 +28,16 @@ static void hostapd_dpp_auth_conf_wait_timeout(void *eloop_ctx, + static void hostapd_dpp_auth_success(struct hostapd_data *hapd, int initiator); + static void hostapd_dpp_init_timeout(void *eloop_ctx, void *timeout_ctx); + static int hostapd_dpp_auth_init_next(struct hostapd_data *hapd); ++static void hostapd_dpp_set_testing_options(struct hostapd_data *hapd, ++ struct dpp_authentication *auth); + #ifdef CONFIG_DPP2 + static void hostapd_dpp_reconfig_reply_wait_timeout(void *eloop_ctx, + void *timeout_ctx); + static void hostapd_dpp_handle_config_obj(struct hostapd_data *hapd, + struct dpp_authentication *auth, + struct dpp_config_obj *conf); ++static int hostapd_dpp_process_conf_obj(void *ctx, ++ struct dpp_authentication *auth); + #endif /* CONFIG_DPP2 */ + + static const u8 broadcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; +@@ -272,6 +276,75 @@ static int hostapd_dpp_pkex_next_channel(struct hostapd_data *hapd, + } + + ++#ifdef CONFIG_DPP2 ++static int hostapd_dpp_pkex_done(void *ctx, void *conn, ++ struct dpp_bootstrap_info *peer_bi) ++{ ++ struct hostapd_data *hapd = ctx; ++ const char *cmd = hapd->dpp_pkex_auth_cmd; ++ const 
char *pos; ++ u8 allowed_roles = DPP_CAPAB_CONFIGURATOR; ++ struct dpp_bootstrap_info *own_bi = NULL; ++ struct dpp_authentication *auth; ++ ++ if (!cmd) ++ cmd = ""; ++ wpa_printf(MSG_DEBUG, "DPP: Start authentication after PKEX (cmd: %s)", ++ cmd); ++ ++ pos = os_strstr(cmd, " own="); ++ if (pos) { ++ pos += 5; ++ own_bi = dpp_bootstrap_get_id(hapd->iface->interfaces->dpp, ++ atoi(pos)); ++ if (!own_bi) { ++ wpa_printf(MSG_INFO, ++ "DPP: Could not find bootstrapping info for the identified local entry"); ++ return -1; ++ } ++ ++ if (peer_bi->curve != own_bi->curve) { ++ wpa_printf(MSG_INFO, ++ "DPP: Mismatching curves in bootstrapping info (peer=%s own=%s)", ++ peer_bi->curve->name, own_bi->curve->name); ++ return -1; ++ } ++ } ++ ++ pos = os_strstr(cmd, " role="); ++ if (pos) { ++ pos += 6; ++ if (os_strncmp(pos, "configurator", 12) == 0) ++ allowed_roles = DPP_CAPAB_CONFIGURATOR; ++ else if (os_strncmp(pos, "enrollee", 8) == 0) ++ allowed_roles = DPP_CAPAB_ENROLLEE; ++ else if (os_strncmp(pos, "either", 6) == 0) ++ allowed_roles = DPP_CAPAB_CONFIGURATOR | ++ DPP_CAPAB_ENROLLEE; ++ else ++ return -1; ++ } ++ ++ auth = dpp_auth_init(hapd->iface->interfaces->dpp, hapd->msg_ctx, ++ peer_bi, own_bi, allowed_roles, 0, ++ hapd->iface->hw_features, ++ hapd->iface->num_hw_features); ++ if (!auth) ++ return -1; ++ ++ hostapd_dpp_set_testing_options(hapd, auth); ++ if (dpp_set_configurator(auth, cmd) < 0) { ++ dpp_auth_deinit(auth); ++ return -1; ++ } ++ ++ return dpp_tcp_auth(hapd->iface->interfaces->dpp, conn, auth, ++ hapd->conf->dpp_name, DPP_NETROLE_AP, ++ hostapd_dpp_process_conf_obj); ++} ++#endif /* CONFIG_DPP2 */ ++ ++ + enum hostapd_dpp_pkex_ver { + PKEX_VER_AUTO, + PKEX_VER_ONLY_1, +@@ -279,7 +352,9 @@ enum hostapd_dpp_pkex_ver { + }; + + static int hostapd_dpp_pkex_init(struct hostapd_data *hapd, +- enum hostapd_dpp_pkex_ver ver) ++ enum hostapd_dpp_pkex_ver ver, ++ const struct hostapd_ip_addr *ipaddr, ++ int tcp_port) + { + struct dpp_pkex *pkex; + struct 
wpabuf *msg; +@@ -288,15 +363,26 @@ static int hostapd_dpp_pkex_init(struct hostapd_data *hapd, + + wpa_printf(MSG_DEBUG, "DPP: Initiating PKEXv%d", v2 ? 2 : 1); + dpp_pkex_free(hapd->dpp_pkex); +- hapd->dpp_pkex = dpp_pkex_init(hapd->msg_ctx, hapd->dpp_pkex_bi, +- hapd->own_addr, +- hapd->dpp_pkex_identifier, +- hapd->dpp_pkex_code, v2); +- pkex = hapd->dpp_pkex; ++ hapd->dpp_pkex = NULL; ++ pkex = dpp_pkex_init(hapd->msg_ctx, hapd->dpp_pkex_bi, hapd->own_addr, ++ hapd->dpp_pkex_identifier, ++ hapd->dpp_pkex_code, v2); + if (!pkex) + return -1; + pkex->forced_ver = ver != PKEX_VER_AUTO; + ++ if (ipaddr) { ++#ifdef CONFIG_DPP2 ++ return dpp_tcp_pkex_init(hapd->iface->interfaces->dpp, pkex, ++ ipaddr, tcp_port, ++ hapd->msg_ctx, hapd, ++ hostapd_dpp_pkex_done); ++#else /* CONFIG_DPP2 */ ++ return -1; ++#endif /* CONFIG_DPP2 */ ++ } ++ ++ hapd->dpp_pkex = pkex; + msg = hapd->dpp_pkex->exchange_req; + wait_time = 2000; /* TODO: hapd->max_remain_on_chan; */ + pkex->freq = 2437; +@@ -326,7 +412,8 @@ static void hostapd_dpp_pkex_retry_timeout(void *eloop_ctx, void *timeout_ctx) + if (pkex->v2 && !pkex->forced_ver) { + wpa_printf(MSG_DEBUG, + "DPP: Fall back to PKEXv1"); +- hostapd_dpp_pkex_init(hapd, PKEX_VER_ONLY_1); ++ hostapd_dpp_pkex_init(hapd, PKEX_VER_ONLY_1, ++ NULL, 0); + return; + } + #endif /* CONFIG_DPP3 */ +@@ -1883,7 +1970,7 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd, + + static void + hostapd_dpp_rx_pkex_exchange_req(struct hostapd_data *hapd, const u8 *src, +- const u8 *buf, size_t len, ++ const u8 *hdr, const u8 *buf, size_t len, + unsigned int freq, bool v2) + { + struct wpabuf *msg; +@@ -1897,14 +1984,14 @@ hostapd_dpp_rx_pkex_exchange_req(struct hostapd_data *hapd, const u8 *src, + if (!hapd->dpp_pkex_code || !hapd->dpp_pkex_bi) { + wpa_printf(MSG_DEBUG, + "DPP: No PKEX code configured - ignore request"); +- return; ++ goto try_relay; + } + + if (hapd->dpp_pkex) { + /* TODO: Support parallel operations */ + 
wpa_printf(MSG_DEBUG, + "DPP: Already in PKEX session - ignore new request"); +- return; ++ goto try_relay; + } + + hapd->dpp_pkex = dpp_pkex_rx_exchange_req(hapd->msg_ctx, +@@ -1916,7 +2003,7 @@ hostapd_dpp_rx_pkex_exchange_req(struct hostapd_data *hapd, const u8 *src, + if (!hapd->dpp_pkex) { + wpa_printf(MSG_DEBUG, + "DPP: Failed to process the request - ignore it"); +- return; ++ goto try_relay; + } + + msg = hapd->dpp_pkex->exchange_resp; +@@ -1933,6 +2020,17 @@ hostapd_dpp_rx_pkex_exchange_req(struct hostapd_data *hapd, const u8 *src, + dpp_pkex_free(hapd->dpp_pkex); + hapd->dpp_pkex = NULL; + } ++ ++ return; ++ ++try_relay: ++#ifdef CONFIG_DPP2 ++ if (v2) ++ dpp_relay_rx_action(hapd->iface->interfaces->dpp, ++ src, hdr, buf, len, freq, NULL, NULL, hapd); ++#else /* CONFIG_DPP2 */ ++ wpa_printf(MSG_DEBUG, "DPP: No relay functionality included - skip"); ++#endif /* CONFIG_DPP2 */ + } + + +@@ -2132,12 +2230,12 @@ void hostapd_dpp_rx_action(struct hostapd_data *hapd, const u8 *src, + /* This is for PKEXv2, but for now, process only with + * CONFIG_DPP3 to avoid issues with a capability that has not + * been tested with other implementations. 
*/ +- hostapd_dpp_rx_pkex_exchange_req(hapd, src, buf, len, freq, ++ hostapd_dpp_rx_pkex_exchange_req(hapd, src, hdr, buf, len, freq, + true); + break; + #endif /* CONFIG_DPP3 */ + case DPP_PA_PKEX_V1_EXCHANGE_REQ: +- hostapd_dpp_rx_pkex_exchange_req(hapd, src, buf, len, freq, ++ hostapd_dpp_rx_pkex_exchange_req(hapd, src, hdr, buf, len, freq, + false); + break; + case DPP_PA_PKEX_EXCHANGE_RESP: +@@ -2303,6 +2401,29 @@ int hostapd_dpp_pkex_add(struct hostapd_data *hapd, const char *cmd) + { + struct dpp_bootstrap_info *own_bi; + const char *pos, *end; ++ int tcp_port = DPP_TCP_PORT; ++ struct hostapd_ip_addr *ipaddr = NULL; ++#ifdef CONFIG_DPP2 ++ struct hostapd_ip_addr ipaddr_buf; ++ char *addr; ++ ++ pos = os_strstr(cmd, " tcp_port="); ++ if (pos) { ++ pos += 10; ++ tcp_port = atoi(pos); ++ } ++ ++ addr = get_param(cmd, " tcp_addr="); ++ if (addr) { ++ int res; ++ ++ res = hostapd_parse_ip_addr(addr, &ipaddr_buf); ++ os_free(addr); ++ if (res) ++ return -1; ++ ipaddr = &ipaddr_buf; ++ } ++#endif /* CONFIG_DPP2 */ + + pos = os_strstr(cmd, " own="); + if (!pos) +@@ -2366,8 +2487,14 @@ int hostapd_dpp_pkex_add(struct hostapd_data *hapd, const char *cmd) + return -1; + } + +- if (hostapd_dpp_pkex_init(hapd, ver) < 0) ++ if (hostapd_dpp_pkex_init(hapd, ver, ipaddr, tcp_port) < 0) + return -1; ++ } else { ++#ifdef CONFIG_DPP2 ++ dpp_controller_pkex_add(hapd->iface->interfaces->dpp, own_bi, ++ hapd->dpp_pkex_code, ++ hapd->dpp_pkex_identifier); ++#endif /* CONFIG_DPP2 */ + } + + /* TODO: Support multiple PKEX info entries */ +diff --git a/src/common/dpp.h b/src/common/dpp.h +index bfea446..ca33fe3 100644 +--- a/src/common/dpp.h ++++ b/src/common/dpp.h +@@ -550,6 +550,9 @@ int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr, + const u8 *attr_start, size_t attr_len); + int dpp_notify_new_qr_code(struct dpp_authentication *auth, + struct dpp_bootstrap_info *peer_bi); ++void dpp_controller_pkex_add(struct dpp_global *dpp, ++ struct dpp_bootstrap_info *bi, ++ 
const char *code, const char *identifier); + struct dpp_configuration * dpp_configuration_alloc(const char *type); + int dpp_akm_psk(enum dpp_akm akm); + int dpp_akm_sae(enum dpp_akm akm); +@@ -688,12 +691,22 @@ struct dpp_authentication * dpp_controller_get_auth(struct dpp_global *dpp, + unsigned int id); + void dpp_controller_new_qr_code(struct dpp_global *dpp, + struct dpp_bootstrap_info *bi); ++int dpp_tcp_pkex_init(struct dpp_global *dpp, struct dpp_pkex *pkex, ++ const struct hostapd_ip_addr *addr, int port, ++ void *msg_ctx, void *cb_ctx, ++ int (*pkex_done)(void *ctx, void *conn, ++ struct dpp_bootstrap_info *bi)); + int dpp_tcp_init(struct dpp_global *dpp, struct dpp_authentication *auth, + const struct hostapd_ip_addr *addr, int port, + const char *name, enum dpp_netrole netrole, void *msg_ctx, + void *cb_ctx, + int (*process_conf_obj)(void *ctx, + struct dpp_authentication *auth)); ++int dpp_tcp_auth(struct dpp_global *dpp, void *_conn, ++ struct dpp_authentication *auth, const char *name, ++ enum dpp_netrole netrole, ++ int (*process_conf_obj)(void *ctx, ++ struct dpp_authentication *auth)); + + struct wpabuf * dpp_build_presence_announcement(struct dpp_bootstrap_info *bi); + void dpp_notify_chirp_received(void *msg_ctx, int id, const u8 *src, +diff --git a/src/common/dpp_pkex.c b/src/common/dpp_pkex.c +index 38349fa..72084d9 100644 +--- a/src/common/dpp_pkex.c ++++ b/src/common/dpp_pkex.c +@@ -469,8 +469,10 @@ struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx, + pkex->t = bi->pkex_t; + pkex->msg_ctx = msg_ctx; + pkex->own_bi = bi; +- os_memcpy(pkex->own_mac, own_mac, ETH_ALEN); +- os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN); ++ if (own_mac) ++ os_memcpy(pkex->own_mac, own_mac, ETH_ALEN); ++ if (peer_mac) ++ os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN); + if (identifier) { + pkex->identifier = os_strdup(identifier); + if (!pkex->identifier) +@@ -742,7 +744,8 @@ struct wpabuf * dpp_pkex_rx_exchange_resp(struct dpp_pkex *pkex, + } + #endif /* 
CONFIG_DPP2 */ + +- os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN); ++ if (peer_mac) ++ os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN); + + attr_status = dpp_get_attr(buf, buflen, DPP_ATTR_STATUS, + &attr_status_len); +@@ -1341,9 +1344,12 @@ dpp_pkex_finish(struct dpp_global *dpp, struct dpp_pkex *pkex, const u8 *peer, + return NULL; + bi->id = dpp_next_id(dpp); + bi->type = DPP_BOOTSTRAP_PKEX; +- os_memcpy(bi->mac_addr, peer, ETH_ALEN); +- bi->num_freq = 1; +- bi->freq[0] = freq; ++ if (peer) ++ os_memcpy(bi->mac_addr, peer, ETH_ALEN); ++ if (freq) { ++ bi->num_freq = 1; ++ bi->freq[0] = freq; ++ } + bi->curve = pkex->own_bi->curve; + bi->pubkey = pkex->peer_bootstrap_key; + pkex->peer_bootstrap_key = NULL; +diff --git a/src/common/dpp_tcp.c b/src/common/dpp_tcp.c +index fb8ef1c..1a8a7c7 100644 +--- a/src/common/dpp_tcp.c ++++ b/src/common/dpp_tcp.c +@@ -24,10 +24,12 @@ struct dpp_connection { + struct dpp_controller *ctrl; + struct dpp_relay_controller *relay; + struct dpp_global *global; ++ struct dpp_pkex *pkex; + struct dpp_authentication *auth; + void *msg_ctx; + void *cb_ctx; + int (*process_conf_obj)(void *ctx, struct dpp_authentication *auth); ++ int (*pkex_done)(void *ctx, void *conn, struct dpp_bootstrap_info *bi); + int sock; + u8 mac_addr[ETH_ALEN]; + unsigned int freq; +@@ -71,6 +73,9 @@ struct dpp_controller { + struct dl_list conn; /* struct dpp_connection */ + char *configurator_params; + enum dpp_netrole netrole; ++ struct dpp_bootstrap_info *pkex_bi; ++ char *pkex_code; ++ char *pkex_identifier; + void *msg_ctx; + void *cb_ctx; + int (*process_conf_obj)(void *ctx, struct dpp_authentication *auth); +@@ -102,6 +107,7 @@ static void dpp_connection_free(struct dpp_connection *conn) + wpabuf_free(conn->msg); + wpabuf_free(conn->msg_out); + dpp_auth_deinit(conn->auth); ++ dpp_pkex_free(conn->pkex); + os_free(conn->name); + os_free(conn); + } +@@ -525,6 +531,8 @@ int dpp_relay_rx_action(struct dpp_global *dpp, const u8 *src, const u8 *hdr, + /* TODO: 
Could send this to all configured Controllers. For now, + * only the first Controller is supported. */ + ctrl = dpp_relay_controller_get_ctx(dpp, cb_ctx); ++ } else if (type == DPP_PA_PKEX_EXCHANGE_REQ) { ++ ctrl = dpp_relay_controller_get_ctx(dpp, cb_ctx); + } else { + if (!r_bootstrap) + return -1; +@@ -609,6 +617,8 @@ static void dpp_controller_free(struct dpp_controller *ctrl) + eloop_unregister_sock(ctrl->sock, EVENT_TYPE_READ); + } + os_free(ctrl->configurator_params); ++ os_free(ctrl->pkex_code); ++ os_free(ctrl->pkex_identifier); + os_free(ctrl); + } + +@@ -955,6 +965,143 @@ static int dpp_controller_rx_reconfig_auth_resp(struct dpp_connection *conn, + } + + ++static int dpp_controller_rx_pkex_exchange_req(struct dpp_connection *conn, ++ const u8 *hdr, const u8 *buf, ++ size_t len) ++{ ++ struct dpp_controller *ctrl = conn->ctrl; ++ ++ if (!ctrl) ++ return 0; ++ ++ wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Request"); ++ ++ /* TODO: Support multiple PKEX codes by iterating over all the enabled ++ * values here */ ++ ++ if (!ctrl->pkex_code || !ctrl->pkex_bi) { ++ wpa_printf(MSG_DEBUG, ++ "DPP: No PKEX code configured - ignore request"); ++ return 0; ++ } ++ ++ if (conn->pkex || conn->auth) { ++ wpa_printf(MSG_DEBUG, ++ "DPP: Already in PKEX/Authentication session - ignore new PKEX request"); ++ return 0; ++ } ++ ++ conn->pkex = dpp_pkex_rx_exchange_req(conn->ctrl->global, ctrl->pkex_bi, ++ NULL, NULL, ++ ctrl->pkex_identifier, ++ ctrl->pkex_code, ++ buf, len, true); ++ if (!conn->pkex) { ++ wpa_printf(MSG_DEBUG, ++ "DPP: Failed to process the request"); ++ return -1; ++ } ++ ++ return dpp_tcp_send_msg(conn, conn->pkex->exchange_resp); ++} ++ ++ ++static int dpp_controller_rx_pkex_exchange_resp(struct dpp_connection *conn, ++ const u8 *hdr, const u8 *buf, ++ size_t len) ++{ ++ struct dpp_pkex *pkex = conn->pkex; ++ struct wpabuf *msg; ++ int res; ++ ++ wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Response"); ++ ++ if (!pkex || !pkex->initiator || 
pkex->exchange_done) { ++ wpa_printf(MSG_DEBUG, "DPP: No matching PKEX session"); ++ return 0; ++ } ++ ++ msg = dpp_pkex_rx_exchange_resp(pkex, NULL, buf, len); ++ if (!msg) { ++ wpa_printf(MSG_DEBUG, "DPP: Failed to process the response"); ++ return -1; ++ } ++ ++ wpa_printf(MSG_DEBUG, "DPP: Send PKEX Commit-Reveal Request"); ++ res = dpp_tcp_send_msg(conn, msg); ++ wpabuf_free(msg); ++ return res; ++} ++ ++ ++static int dpp_controller_rx_pkex_commit_reveal_req(struct dpp_connection *conn, ++ const u8 *hdr, ++ const u8 *buf, size_t len) ++{ ++ struct dpp_pkex *pkex = conn->pkex; ++ struct wpabuf *msg; ++ int res; ++ struct dpp_bootstrap_info *bi; ++ ++ wpa_printf(MSG_DEBUG, "DPP: PKEX Commit-Reveal Request"); ++ ++ if (!pkex || pkex->initiator || !pkex->exchange_done) { ++ wpa_printf(MSG_DEBUG, "DPP: No matching PKEX session"); ++ return 0; ++ } ++ ++ msg = dpp_pkex_rx_commit_reveal_req(pkex, hdr, buf, len); ++ if (!msg) { ++ wpa_printf(MSG_DEBUG, "DPP: Failed to process the request"); ++ return -1; ++ } ++ ++ wpa_printf(MSG_DEBUG, "DPP: Send PKEX Commit-Reveal Response"); ++ res = dpp_tcp_send_msg(conn, msg); ++ wpabuf_free(msg); ++ if (res < 0) ++ return res; ++ bi = dpp_pkex_finish(conn->global, pkex, NULL, 0); ++ if (!bi) ++ return -1; ++ conn->pkex = NULL; ++ return 0; ++} ++ ++ ++static int ++dpp_controller_rx_pkex_commit_reveal_resp(struct dpp_connection *conn, ++ const u8 *hdr, ++ const u8 *buf, size_t len) ++{ ++ struct dpp_pkex *pkex = conn->pkex; ++ int res; ++ struct dpp_bootstrap_info *bi; ++ ++ wpa_printf(MSG_DEBUG, "DPP: PKEX Commit-Reveal Response"); ++ ++ if (!pkex || !pkex->initiator || !pkex->exchange_done) { ++ wpa_printf(MSG_DEBUG, "DPP: No matching PKEX session"); ++ return 0; ++ } ++ ++ res = dpp_pkex_rx_commit_reveal_resp(pkex, hdr, buf, len); ++ if (res < 0) { ++ wpa_printf(MSG_DEBUG, "DPP: Failed to process the response"); ++ return res; ++ } ++ ++ bi = dpp_pkex_finish(conn->global, pkex, NULL, 0); ++ if (!bi) ++ return -1; ++ conn->pkex 
= NULL; ++ ++ if (!conn->pkex_done) ++ return -1; ++ return conn->pkex_done(conn->cb_ctx, conn, bi); ++} ++ ++ + static int dpp_controller_rx_action(struct dpp_connection *conn, const u8 *msg, + size_t len) + { +@@ -1014,6 +1161,22 @@ static int dpp_controller_rx_action(struct dpp_connection *conn, const u8 *msg, + case DPP_PA_RECONFIG_AUTH_RESP: + return dpp_controller_rx_reconfig_auth_resp(conn, msg, pos, + end - pos); ++ case DPP_PA_PKEX_V1_EXCHANGE_REQ: ++ wpa_printf(MSG_DEBUG, ++ "DPP: Ignore PKEXv1 Exchange Request - not supported over TCP"); ++ return -1; ++ case DPP_PA_PKEX_EXCHANGE_REQ: ++ return dpp_controller_rx_pkex_exchange_req(conn, msg, pos, ++ end - pos); ++ case DPP_PA_PKEX_EXCHANGE_RESP: ++ return dpp_controller_rx_pkex_exchange_resp(conn, msg, pos, ++ end - pos); ++ case DPP_PA_PKEX_COMMIT_REVEAL_REQ: ++ return dpp_controller_rx_pkex_commit_reveal_req(conn, msg, pos, ++ end - pos); ++ case DPP_PA_PKEX_COMMIT_REVEAL_RESP: ++ return dpp_controller_rx_pkex_commit_reveal_resp(conn, msg, pos, ++ end - pos); + default: + /* TODO: missing messages types */ + wpa_printf(MSG_DEBUG, +@@ -1559,6 +1722,101 @@ fail: + } + + ++int dpp_tcp_pkex_init(struct dpp_global *dpp, struct dpp_pkex *pkex, ++ const struct hostapd_ip_addr *addr, int port, ++ void *msg_ctx, void *cb_ctx, ++ int (*pkex_done)(void *ctx, void *conn, ++ struct dpp_bootstrap_info *bi)) ++{ ++ struct dpp_connection *conn; ++ struct sockaddr_storage saddr; ++ socklen_t addrlen; ++ const u8 *hdr, *pos, *end; ++ char txt[100]; ++ ++ wpa_printf(MSG_DEBUG, "DPP: Initialize TCP connection to %s port %d", ++ hostapd_ip_txt(addr, txt, sizeof(txt)), port); ++ if (dpp_ipaddr_to_sockaddr((struct sockaddr *) &saddr, &addrlen, ++ addr, port) < 0) { ++ dpp_pkex_free(pkex); ++ return -1; ++ } ++ ++ conn = os_zalloc(sizeof(*conn)); ++ if (!conn) { ++ dpp_pkex_free(pkex); ++ return -1; ++ } ++ ++ conn->msg_ctx = msg_ctx; ++ conn->cb_ctx = cb_ctx; ++ conn->pkex_done = pkex_done; ++ conn->global = dpp; ++ 
conn->pkex = pkex; ++ conn->sock = socket(AF_INET, SOCK_STREAM, 0); ++ if (conn->sock < 0) ++ goto fail; ++ ++ if (fcntl(conn->sock, F_SETFL, O_NONBLOCK) != 0) { ++ wpa_printf(MSG_DEBUG, "DPP: fnctl(O_NONBLOCK) failed: %s", ++ strerror(errno)); ++ goto fail; ++ } ++ ++ if (connect(conn->sock, (struct sockaddr *) &saddr, addrlen) < 0) { ++ if (errno != EINPROGRESS) { ++ wpa_printf(MSG_DEBUG, "DPP: Failed to connect: %s", ++ strerror(errno)); ++ goto fail; ++ } ++ ++ /* ++ * Continue connecting in the background; eloop will call us ++ * once the connection is ready (or failed). ++ */ ++ } ++ ++ if (eloop_register_sock(conn->sock, EVENT_TYPE_WRITE, ++ dpp_conn_tx_ready, conn, NULL) < 0) ++ goto fail; ++ conn->write_eloop = 1; ++ ++ hdr = wpabuf_head(pkex->exchange_req); ++ end = hdr + wpabuf_len(pkex->exchange_req); ++ hdr += 2; /* skip Category and Actiom */ ++ pos = hdr + DPP_HDR_LEN; ++ conn->msg_out = dpp_tcp_encaps(hdr, pos, end - pos); ++ if (!conn->msg_out) ++ goto fail; ++ /* Message will be sent in dpp_conn_tx_ready() */ ++ ++ /* TODO: eloop timeout to clear a connection if it does not complete ++ * properly */ ++ dl_list_add(&dpp->tcp_init, &conn->list); ++ return 0; ++fail: ++ dpp_connection_free(conn); ++ return -1; ++} ++ ++ ++static int dpp_tcp_auth_start(struct dpp_connection *conn, ++ struct dpp_authentication *auth) ++{ ++ const u8 *hdr, *pos, *end; ++ ++ hdr = wpabuf_head(auth->req_msg); ++ end = hdr + wpabuf_len(auth->req_msg); ++ hdr += 2; /* skip Category and Actiom */ ++ pos = hdr + DPP_HDR_LEN; ++ conn->msg_out = dpp_tcp_encaps(hdr, pos, end - pos); ++ if (!conn->msg_out) ++ return -1; ++ /* Message will be sent in dpp_conn_tx_ready() */ ++ return 0; ++} ++ ++ + int dpp_tcp_init(struct dpp_global *dpp, struct dpp_authentication *auth, + const struct hostapd_ip_addr *addr, int port, const char *name, + enum dpp_netrole netrole, void *msg_ctx, void *cb_ctx, +@@ -1568,7 +1826,6 @@ int dpp_tcp_init(struct dpp_global *dpp, struct dpp_authentication 
*auth, + struct dpp_connection *conn; + struct sockaddr_storage saddr; + socklen_t addrlen; +- const u8 *hdr, *pos, *end; + char txt[100]; + + wpa_printf(MSG_DEBUG, "DPP: Initialize TCP connection to %s port %d", +@@ -1620,14 +1877,8 @@ int dpp_tcp_init(struct dpp_global *dpp, struct dpp_authentication *auth, + goto fail; + conn->write_eloop = 1; + +- hdr = wpabuf_head(auth->req_msg); +- end = hdr + wpabuf_len(auth->req_msg); +- hdr += 2; /* skip Category and Actiom */ +- pos = hdr + DPP_HDR_LEN; +- conn->msg_out = dpp_tcp_encaps(hdr, pos, end - pos); +- if (!conn->msg_out) ++ if (dpp_tcp_auth_start(conn, auth) < 0) + goto fail; +- /* Message will be sent in dpp_conn_tx_ready() */ + + /* TODO: eloop timeout to clear a connection if it does not complete + * properly */ +@@ -1639,6 +1890,30 @@ fail: + } + + ++int dpp_tcp_auth(struct dpp_global *dpp, void *_conn, ++ struct dpp_authentication *auth, const char *name, ++ enum dpp_netrole netrole, ++ int (*process_conf_obj)(void *ctx, ++ struct dpp_authentication *auth)) ++{ ++ struct dpp_connection *conn = _conn; ++ ++ /* Continue with Authentication exchange on an existing TCP connection. ++ */ ++ conn->process_conf_obj = process_conf_obj; ++ os_free(conn->name); ++ conn->name = os_strdup(name ? name : "Test"); ++ conn->netrole = netrole; ++ conn->auth = auth; ++ ++ if (dpp_tcp_auth_start(conn, auth) < 0) ++ return -1; ++ ++ dpp_conn_tx_ready(conn->sock, conn, NULL); ++ return 0; ++} ++ ++ + int dpp_controller_start(struct dpp_global *dpp, + struct dpp_controller_config *config) + { +@@ -1789,6 +2064,23 @@ void dpp_controller_new_qr_code(struct dpp_global *dpp, + } + + ++void dpp_controller_pkex_add(struct dpp_global *dpp, ++ struct dpp_bootstrap_info *bi, ++ const char *code, const char *identifier) ++{ ++ struct dpp_controller *ctrl = dpp->controller; ++ ++ if (!ctrl) ++ return; ++ ++ ctrl->pkex_bi = bi; ++ os_free(ctrl->pkex_code); ++ ctrl->pkex_code = code ? 
os_strdup(code) : NULL; ++ os_free(ctrl->pkex_identifier); ++ ctrl->pkex_identifier = identifier ? os_strdup(identifier) : NULL; ++} ++ ++ + void dpp_tcp_init_flush(struct dpp_global *dpp) + { + struct dpp_connection *conn, *tmp; +diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c +index 61b300f..aab94cb 100644 +--- a/wpa_supplicant/dpp_supplicant.c ++++ b/wpa_supplicant/dpp_supplicant.c +@@ -2557,6 +2557,71 @@ static int wpas_dpp_pkex_next_channel(struct wpa_supplicant *wpa_s, + } + + ++#ifdef CONFIG_DPP2 ++static int wpas_dpp_pkex_done(void *ctx, void *conn, ++ struct dpp_bootstrap_info *peer_bi) ++{ ++ struct wpa_supplicant *wpa_s = ctx; ++ const char *cmd = wpa_s->dpp_pkex_auth_cmd; ++ const char *pos; ++ u8 allowed_roles = DPP_CAPAB_CONFIGURATOR; ++ struct dpp_bootstrap_info *own_bi = NULL; ++ struct dpp_authentication *auth; ++ ++ if (!cmd) ++ cmd = ""; ++ wpa_printf(MSG_DEBUG, "DPP: Start authentication after PKEX (cmd: %s)", ++ cmd); ++ ++ pos = os_strstr(cmd, " own="); ++ if (pos) { ++ pos += 5; ++ own_bi = dpp_bootstrap_get_id(wpa_s->dpp, atoi(pos)); ++ if (!own_bi) { ++ wpa_printf(MSG_INFO, ++ "DPP: Could not find bootstrapping info for the identified local entry"); ++ return -1; ++ } ++ ++ if (peer_bi->curve != own_bi->curve) { ++ wpa_printf(MSG_INFO, ++ "DPP: Mismatching curves in bootstrapping info (peer=%s own=%s)", ++ peer_bi->curve->name, own_bi->curve->name); ++ return -1; ++ } ++ } ++ ++ pos = os_strstr(cmd, " role="); ++ if (pos) { ++ pos += 6; ++ if (os_strncmp(pos, "configurator", 12) == 0) ++ allowed_roles = DPP_CAPAB_CONFIGURATOR; ++ else if (os_strncmp(pos, "enrollee", 8) == 0) ++ allowed_roles = DPP_CAPAB_ENROLLEE; ++ else if (os_strncmp(pos, "either", 6) == 0) ++ allowed_roles = DPP_CAPAB_CONFIGURATOR | ++ DPP_CAPAB_ENROLLEE; ++ else ++ return -1; ++ } ++ ++ auth = dpp_auth_init(wpa_s->dpp, wpa_s, peer_bi, own_bi, allowed_roles, ++ 0, wpa_s->hw.modes, wpa_s->hw.num_modes); ++ if (!auth) ++ return -1; ++ ++ 
wpas_dpp_set_testing_options(wpa_s, auth); ++ if (dpp_set_configurator(auth, cmd) < 0) { ++ dpp_auth_deinit(auth); ++ return -1; ++ } ++ ++ return dpp_tcp_auth(wpa_s->dpp, conn, auth, wpa_s->conf->dpp_name, ++ DPP_NETROLE_STA, wpas_dpp_process_conf_obj); ++} ++#endif /* CONFIG_DPP2 */ ++ ++ + enum wpas_dpp_pkex_ver { + PKEX_VER_AUTO, + PKEX_VER_ONLY_1, +@@ -2564,7 +2629,9 @@ enum wpas_dpp_pkex_ver { + }; + + static int wpas_dpp_pkex_init(struct wpa_supplicant *wpa_s, +- enum wpas_dpp_pkex_ver ver) ++ enum wpas_dpp_pkex_ver ver, ++ const struct hostapd_ip_addr *ipaddr, ++ int tcp_port) + { + struct dpp_pkex *pkex; + struct wpabuf *msg; +@@ -2573,15 +2640,24 @@ static int wpas_dpp_pkex_init(struct wpa_supplicant *wpa_s, + + wpa_printf(MSG_DEBUG, "DPP: Initiating PKEXv%d", v2 ? 2 : 1); + dpp_pkex_free(wpa_s->dpp_pkex); +- wpa_s->dpp_pkex = dpp_pkex_init(wpa_s, wpa_s->dpp_pkex_bi, +- wpa_s->own_addr, +- wpa_s->dpp_pkex_identifier, +- wpa_s->dpp_pkex_code, v2); +- pkex = wpa_s->dpp_pkex; ++ wpa_s->dpp_pkex = NULL; ++ pkex = dpp_pkex_init(wpa_s, wpa_s->dpp_pkex_bi, wpa_s->own_addr, ++ wpa_s->dpp_pkex_identifier, ++ wpa_s->dpp_pkex_code, v2); + if (!pkex) + return -1; + pkex->forced_ver = ver != PKEX_VER_AUTO; + ++ if (ipaddr) { ++#ifdef CONFIG_DPP2 ++ return dpp_tcp_pkex_init(wpa_s->dpp, pkex, ipaddr, tcp_port, ++ wpa_s, wpa_s, wpas_dpp_pkex_done); ++#else /* CONFIG_DPP2 */ ++ return -1; ++#endif /* CONFIG_DPP2 */ ++ } ++ ++ wpa_s->dpp_pkex = pkex; + msg = pkex->exchange_req; + wait_time = wpa_s->max_remain_on_chan; + if (wait_time > 2000) +@@ -2618,7 +2694,8 @@ static void wpas_dpp_pkex_retry_timeout(void *eloop_ctx, void *timeout_ctx) + if (pkex->v2 && !pkex->forced_ver) { + wpa_printf(MSG_DEBUG, + "DPP: Fall back to PKEXv1"); +- wpas_dpp_pkex_init(wpa_s, PKEX_VER_ONLY_1); ++ wpas_dpp_pkex_init(wpa_s, PKEX_VER_ONLY_1, ++ NULL, 0); + return; + } + #endif /* CONFIG_DPP3 */ +@@ -3327,6 +3404,29 @@ int wpas_dpp_pkex_add(struct wpa_supplicant *wpa_s, const char *cmd) + { + 
struct dpp_bootstrap_info *own_bi; + const char *pos, *end; ++ int tcp_port = DPP_TCP_PORT; ++ struct hostapd_ip_addr *ipaddr = NULL; ++#ifdef CONFIG_DPP2 ++ struct hostapd_ip_addr ipaddr_buf; ++ char *addr; ++ ++ pos = os_strstr(cmd, " tcp_port="); ++ if (pos) { ++ pos += 10; ++ tcp_port = atoi(pos); ++ } ++ ++ addr = get_param(cmd, " tcp_addr="); ++ if (addr) { ++ int res; ++ ++ res = hostapd_parse_ip_addr(addr, &ipaddr_buf); ++ os_free(addr); ++ if (res) ++ return -1; ++ ipaddr = &ipaddr_buf; ++ } ++#endif /* CONFIG_DPP2 */ + + pos = os_strstr(cmd, " own="); + if (!pos) +@@ -3390,8 +3490,14 @@ int wpas_dpp_pkex_add(struct wpa_supplicant *wpa_s, const char *cmd) + return -1; + } + +- if (wpas_dpp_pkex_init(wpa_s, ver) < 0) ++ if (wpas_dpp_pkex_init(wpa_s, ver, ipaddr, tcp_port) < 0) + return -1; ++ } else { ++#ifdef CONFIG_DPP2 ++ dpp_controller_pkex_add(wpa_s->dpp, own_bi, ++ wpa_s->dpp_pkex_code, ++ wpa_s->dpp_pkex_identifier); ++#endif /* CONFIG_DPP2 */ + } + + /* TODO: Support multiple PKEX info entries */ +-- +2.40.0 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0005.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0005.patch new file mode 100644 index 0000000000..92828fbbbb --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-37660-0005.patch 
@@ -0,0 +1,144 @@ +From 15af83cf1846870873a011ed4d714732f01cd2e4 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 19 Jul 2022 21:23:04 +0300 +Subject: [PATCH] DPP: Delete PKEX code and identifier on success completion of + PKEX + +We are not supposed to reuse these without being explicitly requested to +perform PKEX again. There is not a strong use case for being able to +provision an Enrollee multiple times with PKEX, so this should have no +issues on the Enrollee. For a Configurator, there might be some use +cases that would benefit from being able to use the same code with +multiple Enrollee devices, e.g., for guess access with a laptop and a +smart phone. That case will now require a new DPP_PKEX_ADD command on +the Configurator after each completion of the provisioning exchange. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2022-37660 + +Upstream-Status: Backport [https://git.w1.fi/cgit/hostap/commit/?id=15af83cf1846870873a011ed4d714732f01cd2e4] + +Signed-off-by: Divya Chellam +--- + src/ap/dpp_hostapd.c | 22 +++++++++++++++++++++- + wpa_supplicant/dpp_supplicant.c | 21 ++++++++++++++++++++- + 2 files changed, 41 insertions(+), 2 deletions(-) + +diff --git a/src/ap/dpp_hostapd.c b/src/ap/dpp_hostapd.c +index d956be9..73b09ba 100644 +--- a/src/ap/dpp_hostapd.c ++++ b/src/ap/dpp_hostapd.c +@@ -276,6 +276,22 @@ static int hostapd_dpp_pkex_next_channel(struct hostapd_data *hapd, + } + + ++static void hostapd_dpp_pkex_clear_code(struct hostapd_data *hapd) ++{ ++ if (!hapd->dpp_pkex_code && !hapd->dpp_pkex_identifier) ++ return; ++ ++ /* Delete PKEX code and identifier on successful completion of ++ * PKEX. We are not supposed to reuse these without being ++ * explicitly requested to perform PKEX again. 
*/ ++ wpa_printf(MSG_DEBUG, "DPP: Delete PKEX code/identifier"); ++ os_free(hapd->dpp_pkex_code); ++ hapd->dpp_pkex_code = NULL; ++ os_free(hapd->dpp_pkex_identifier); ++ hapd->dpp_pkex_identifier = NULL; ++} ++ ++ + #ifdef CONFIG_DPP2 + static int hostapd_dpp_pkex_done(void *ctx, void *conn, + struct dpp_bootstrap_info *peer_bi) +@@ -287,6 +303,8 @@ static int hostapd_dpp_pkex_done(void *ctx, void *conn, + struct dpp_bootstrap_info *own_bi = NULL; + struct dpp_authentication *auth; + ++ hostapd_dpp_pkex_clear_code(hapd); ++ + if (!cmd) + cmd = ""; + wpa_printf(MSG_DEBUG, "DPP: Start authentication after PKEX (cmd: %s)", +@@ -2114,6 +2132,7 @@ hostapd_dpp_rx_pkex_commit_reveal_req(struct hostapd_data *hapd, const u8 *src, + wpabuf_head(msg), wpabuf_len(msg)); + wpabuf_free(msg); + ++ hostapd_dpp_pkex_clear_code(hapd); + bi = dpp_pkex_finish(hapd->iface->interfaces->dpp, pkex, src, freq); + if (!bi) + return; +@@ -2145,6 +2164,7 @@ hostapd_dpp_rx_pkex_commit_reveal_resp(struct hostapd_data *hapd, const u8 *src, + return; + } + ++ hostapd_dpp_pkex_clear_code(hapd); + bi = dpp_pkex_finish(hapd->iface->interfaces->dpp, pkex, src, freq); + if (!bi) + return; +@@ -2518,7 +2538,7 @@ int hostapd_dpp_pkex_remove(struct hostapd_data *hapd, const char *id) + return -1; + } + +- if ((id_val != 0 && id_val != 1) || !hapd->dpp_pkex_code) ++ if ((id_val != 0 && id_val != 1)) + return -1; + + /* TODO: Support multiple PKEX entries */ +diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c +index aab94cb..015ae66 100644 +--- a/wpa_supplicant/dpp_supplicant.c ++++ b/wpa_supplicant/dpp_supplicant.c +@@ -2557,6 +2557,22 @@ static int wpas_dpp_pkex_next_channel(struct wpa_supplicant *wpa_s, + } + + ++static void wpas_dpp_pkex_clear_code(struct wpa_supplicant *wpa_s) ++{ ++ if (!wpa_s->dpp_pkex_code && !wpa_s->dpp_pkex_identifier) ++ return; ++ ++ /* Delete PKEX code and identifier on successful completion of ++ * PKEX. 
We are not supposed to reuse these without being ++ * explicitly requested to perform PKEX again. */ ++ os_free(wpa_s->dpp_pkex_code); ++ wpa_s->dpp_pkex_code = NULL; ++ os_free(wpa_s->dpp_pkex_identifier); ++ wpa_s->dpp_pkex_identifier = NULL; ++ ++} ++ ++ + #ifdef CONFIG_DPP2 + static int wpas_dpp_pkex_done(void *ctx, void *conn, + struct dpp_bootstrap_info *peer_bi) +@@ -2568,6 +2584,8 @@ static int wpas_dpp_pkex_done(void *ctx, void *conn, + struct dpp_bootstrap_info *own_bi = NULL; + struct dpp_authentication *auth; + ++ wpas_dpp_pkex_clear_code(wpa_s); ++ + if (!cmd) + cmd = ""; + wpa_printf(MSG_DEBUG, "DPP: Start authentication after PKEX (cmd: %s)", +@@ -2872,6 +2890,7 @@ wpas_dpp_pkex_finish(struct wpa_supplicant *wpa_s, const u8 *peer, + { + struct dpp_bootstrap_info *bi; + ++ wpas_dpp_pkex_clear_code(wpa_s); + bi = dpp_pkex_finish(wpa_s->dpp, wpa_s->dpp_pkex, peer, freq); + if (!bi) + return NULL; +@@ -3521,7 +3540,7 @@ int wpas_dpp_pkex_remove(struct wpa_supplicant *wpa_s, const char *id) + return -1; + } + +- if ((id_val != 0 && id_val != 1) || !wpa_s->dpp_pkex_code) ++ if ((id_val != 0 && id_val != 1)) + return -1; + + /* TODO: Support multiple PKEX entries */ +-- +2.40.0 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb index 459039d01e..fbbbebc450 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb 
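Review bot: In hostapd_dpp_rx_pkex_commit_reveal_req(), hostapd_dpp_rx_pkex_commit_reveal_resp() and wpas_dpp_pkex_finish(), the new clear_code call runs before dpp_pkex_finish() is evaluated, so the code and identifier are freed even on the `if (!bi) return;` failure path, which contradicts the in-function comment "Delete PKEX code and identifier on successful completion of PKEX". If the intent is to require a fresh DPP_PKEX_ADD after any Commit-Reveal attempt, succeed or fail, the comment should say so; otherwise the call belongs after the `if (!bi)` check. As this is a straight upstream backport the code should stay as-is, but the discrepancy is worth recording in the commit message so nobody "fixes" it locally.

Review bot: In hostapd_dpp_pkex_remove() and wpas_dpp_pkex_remove(), dropping `|| !hapd->dpp_pkex_code` / `|| !wpa_s->dpp_pkex_code` leaves redundant double parentheses, `if ((id_val != 0 && id_val != 1))`; `if (id_val != 0 && id_val != 1)` reads cleaner. Note also the behaviour change: DPP_PKEX_REMOVE no longer fails with -1 when no code is configured, which is needed now that the code can be cleared implicitly on completion, but any control-interface caller that used that error to detect "nothing to remove" will see different results.

Review bot: wpas_dpp_pkex_clear_code() lacks the `wpa_printf(MSG_DEBUG, "DPP: Delete PKEX code/identifier");` line that its hostapd counterpart hostapd_dpp_pkex_clear_code() emits, and carries a stray blank line before the closing brace. If that mirrors the upstream commit, keep it for backport fidelity; if it is a transcription slip, add the debug line so both daemons log the implicit clearing, since an operator debugging a "PKEX stopped working after the first Enrollee" report will otherwise see no trace of why the code vanished.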
@@ -38,6 +38,11 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \ file://0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \ file://0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch \ + file://CVE-2022-37660-0001.patch \ + file://CVE-2022-37660-0002.patch \ + file://CVE-2022-37660-0003.patch \ + file://CVE-2022-37660-0004.patch \ + file://CVE-2022-37660-0005.patch \ " SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
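Review bot: This hunk adds five files CVE-2022-37660-0001.patch through -0005.patch to SRC_URI, but only one of them (upstream commit 15af83cf1846870873a011ed4d714732f01cd2e4) is shown in this mail, and its header does not say which of the five it is. Please confirm each of the five patch files carries its own `CVE: CVE-2022-37660` and `Upstream-Status: Backport [...]` tags with the corresponding upstream commit ID, since cve-check keys on the per-patch `CVE:` tag, and the reviewer cannot verify that from this hunk alone. The unchanged SRC_URI[sha256sum] is expected, as the tarball itself is not touched.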
