From e688ea771840a9868b5c7b3a7639c0a455243b1d Mon Sep 17 00:00:00 2001
From: Davide Caratti <dcaratti@redhat.com>
Date: Apr 11 2017 17:08:00 +0000
Subject: macsec: fix segmentation fault and coverity scans (rh#1428937)


---

diff --git a/macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch b/macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
new file mode 100644
index 0000000..ef0056e
--- /dev/null
+++ b/macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
@@ -0,0 +1,49 @@
+From 529d6ed7262f0015552e3b8f6eed8ea4508d7c1f Mon Sep 17 00:00:00 2001
+Message-Id: <529d6ed7262f0015552e3b8f6eed8ea4508d7c1f.1491928737.git.davide.caratti@gmail.com>
+From: Davide Caratti <davide.caratti@gmail.com>
+Date: Thu, 16 Mar 2017 14:01:54 +0100
+Subject: [PATCH] mka: Fix use-after-free when receive secure channels are
+ deleted
+
+ieee802_1x_kay_deinit_receive_sc() frees the receive secure channel data,
+but secy_delete_receive_sc() still needs it. Since these two functions
+are always called sequentially, secy_delete_receive_sc() can be called
+from ieee802_1x_kay_deinit_receive_sc() before rxsc is freed.
+
+Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
+Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
+---
+ src/pae/ieee802_1x_kay.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
+index 3f9e53d..31905ed 100644
+--- a/src/pae/ieee802_1x_kay.c
++++ b/src/pae/ieee802_1x_kay.c
+@@ -532,6 +532,7 @@ ieee802_1x_kay_deinit_receive_sc(
+ 		ieee802_1x_delete_receive_sa(participant->kay, psa);
+ 
+ 	dl_list_del(&psc->list);
++	secy_delete_receive_sc(participant->kay, psc);
+ 	os_free(psc);
+ }
+ 
+@@ -2363,7 +2364,6 @@ static void ieee802_1x_participant_timer(void *eloop_ctx, void *timeout_ctx)
+ 				if (sci_equal(&rxsc->sci, &peer->sci)) {
+ 					ieee802_1x_kay_deinit_receive_sc(
+ 						participant, rxsc);
+-					secy_delete_receive_sc(kay, rxsc);
+ 				}
+ 			}
+ 			dl_list_del(&peer->list);
+@@ -3433,7 +3433,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
+ 		rxsc = dl_list_entry(participant->rxsc_list.next,
+ 				     struct receive_sc, list);
+ 		ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
+-		secy_delete_receive_sc(kay, rxsc);
+ 	}
+ 	ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
+ 	secy_delete_transmit_sc(kay, participant->txsc);
+-- 
+2.7.4
+
diff --git a/macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch b/macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
new file mode 100644
index 0000000..5c1b815
--- /dev/null
+++ b/macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
@@ -0,0 +1,41 @@
+From e50df5d2a265a462b0efc056d360649608f160bf Mon Sep 17 00:00:00 2001
+Message-Id: <e50df5d2a265a462b0efc056d360649608f160bf.1491928635.git.davide.caratti@gmail.com>
+From: Davide Caratti <davide.caratti@gmail.com>
+Date: Thu, 16 Mar 2017 14:01:55 +0100
+Subject: [PATCH] mka: Fix use-after-free when transmit secure channels are
+ deleted
+
+ieee802_1x_kay_deinit_transmit_sc() frees the transmit secure channel
+data, but secy_delete_transmit_sc() still needs it. Since this functions
+are called sequentially, secy_delete_transmit_sc() can be called from
+ieee802_1x_kay_deinit_transmit_sc() before txsc is freed.
+
+Fixes: 128f6a98b3d4 ("mka: Fix the order of operations in secure channel deletion")
+Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
+---
+ src/pae/ieee802_1x_kay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
+index 31905ed..1d4ed89 100644
+--- a/src/pae/ieee802_1x_kay.c
++++ b/src/pae/ieee802_1x_kay.c
+@@ -2546,6 +2546,7 @@ ieee802_1x_kay_deinit_transmit_sc(
+ 	dl_list_for_each_safe(psa, tmp, &psc->sa_list, struct transmit_sa, list)
+ 		ieee802_1x_delete_transmit_sa(participant->kay, psa);
+ 
++	secy_delete_transmit_sc(participant->kay, psc);
+ 	os_free(psc);
+ }
+ 
+@@ -3435,7 +3436,6 @@ ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, struct mka_key_name *ckn)
+ 		ieee802_1x_kay_deinit_receive_sc(participant, rxsc);
+ 	}
+ 	ieee802_1x_kay_deinit_transmit_sc(participant, participant->txsc);
+-	secy_delete_transmit_sc(kay, participant->txsc);
+ 
+ 	os_memset(&participant->cak, 0, sizeof(participant->cak));
+ 	os_memset(&participant->kek, 0, sizeof(participant->kek));
+-- 
+2.7.4
+
diff --git a/macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch b/macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
new file mode 100644
index 0000000..338b766
--- /dev/null
+++ b/macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
@@ -0,0 +1,74 @@
+From 5db86df6a849684fda6a7ee53978a1ba931848cb Mon Sep 17 00:00:00 2001
+Message-Id: <5db86df6a849684fda6a7ee53978a1ba931848cb.1491601565.git.davide.caratti@gmail.com>
+From: Davide Caratti <davide.caratti@gmail.com>
+Date: Fri, 24 Mar 2017 10:25:24 +0100
+Subject: [PATCH] macsec_linux: Fix NULL pointer dereference on error cases
+
+In case wpa_supplicant is using driver_macsec_linux, but macsec module
+is not (yet) loaded in the kernel, nl_socket_alloc() fails and drv->sk
+is NULL. In this case, don't call libnl functions rntl_link_add() or
+rtnl_link_change() using such NULL pointer, to prevent program from
+getting segmentation faults like:
+
+ Program received signal SIGSEGV, Segmentation fault.
+ nl_socket_get_local_port (sk=sk@entry=0x0) at socket.c:365
+ 365             if (sk->s_local.nl_pid == 0) {
+ (gdb) p sk
+ $1 = (const struct nl_sock *) 0x0
+ (gdb) bt
+ #0  nl_socket_get_local_port (sk=sk@entry=0x0) at socket.c:365
+ #1  0x00007ffff79c56a0 in nl_complete_msg (sk=sk@entry=0x0,
+  msg=msg@entry=0x55555595a1f0) at nl.c:491
+ #2  0x00007ffff79c56d1 in nl_send_auto (sk=sk@entry=0x0,
+  msg=msg@entry=0x55555595a1f0) at nl.c:522
+ #3  0x00007ffff79c652f in nl_send_sync (sk=sk@entry=0x0,
+  msg=0x55555595a1f0) at nl.c:556
+ #4  0x00007ffff755faf5 in rtnl_link_add (sk=0x0,
+  link=link@entry=0x55555595b0f0, flags=flags@entry=1024) at route/link.c:1548
+ #5  0x000055555567a298 in macsec_drv_create_transmit_sc (priv=0x55555593b130,
+  sc=0x55555593b320, conf_offset=<optimized out>) at ../src/drivers/driver_macsec_linux.c:998
+
+Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
+---
+ src/drivers/driver_macsec_linux.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c
+index 5dab77a..0694e60 100644
+--- a/src/drivers/driver_macsec_linux.c
++++ b/src/drivers/driver_macsec_linux.c
+@@ -168,6 +168,9 @@ static int try_commit(struct macsec_drv_data *drv)
+ {
+ 	int err;
+ 
++	if (!drv->sk)
++		return 0;
++
+ 	if (!drv->link)
+ 		return 0;
+ 
+@@ -982,6 +985,11 @@ static int macsec_drv_create_transmit_sc(
+ 
+ 	wpa_printf(MSG_DEBUG, "%s", __func__);
+ 
++	if (!drv->sk) {
++		wpa_printf(MSG_ERROR, DRV_PREFIX "NULL rtnl socket");
++		return -1;
++	}
++
+ 	link = rtnl_link_macsec_alloc();
+ 	if (!link) {
+ 		wpa_printf(MSG_ERROR, DRV_PREFIX "couldn't allocate link");
+@@ -1048,6 +1056,9 @@ static int macsec_drv_delete_transmit_sc(void *priv, struct transmit_sc *sc)
+ 
+ 	wpa_printf(MSG_DEBUG, "%s", __func__);
+ 
++	if (!drv->sk)
++		return 0;
++
+ 	if (!drv->created_link) {
+ 		rtnl_link_put(drv->link);
+ 		drv->link = NULL;
+-- 
+2.7.4
+
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index 3fdfb92..fd0128b 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.6
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: BSD
 Group: System Environment/Base
 Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@@ -72,6 +72,9 @@ Patch41: macsec-0033-mka-Fix-an-incorrect-update-of-participant-to_use_sa.patch
 Patch42: macsec-0034-mka-Some-bug-fixes-for-MACsec-in-PSK-mode.patch
 Patch43: macsec-0035-mka-Send-MKPDUs-forever-if-mode-is-PSK.patch
 Patch44: macsec-0036-mka-Fix-the-order-of-operations-in-secure-channel-de.patch
+Patch45: macsec-0037-mka-Fix-use-after-free-when-receive-secure-channels-.patch
+Patch46: macsec-0038-mka-Fix-use-after-free-when-transmit-secure-channels.patch
+Patch47: macsec-0039-macsec_linux-Fix-NULL-pointer-dereference-on-error-c.patch
 
 URL: http://w1.fi/wpa_supplicant/
 
@@ -158,6 +161,9 @@ Graphical User Interface for wpa_supplicant written using QT
 %patch42 -p1 -b .macsec-0034
 %patch43 -p1 -b .macsec-0035
 %patch44 -p1 -b .macsec-0036
+%patch45 -p1 -b .macsec-0037
+%patch46 -p1 -b .macsec-0038
+%patch47 -p1 -b .macsec-0039
 
 %build
 pushd wpa_supplicant
@@ -258,6 +264,10 @@ chmod -R 0644 %{name}/examples/*.py
 %endif
 
 %changelog
+* Wed Apr 11 2017 Davide Caratti <dcaratti@redhat.com> - 1:2.6-6
+- Fix use-after-free when macsec secure channels are deleted
+- Fix segmentation fault in case macsec module is not loaded (rh#1428937)
+
 * Mon Mar 13 2017 Thomas Haller <thaller@redhat.com> - 1:2.6-5
 - Enable IEEE 802.11w (management frame protection, PMF) (rh#909499)