diff options
| author | Steve Sakoman <steve@sakoman.com> | 2022-02-07 07:09:03 -1000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-02-23 23:43:42 +0000 |
| commit | 0c48142849daf40f85ad4c03887158e6854870b3 (patch) | |
| tree | 804bf3a52e24a82376592e9716b80bf82b15ca06 | |
| parent | 9c8b42009673796bd6e7c553203346576c1723e2 (diff) | |
| download | poky-0c48142849daf40f85ad4c03887158e6854870b3.tar.gz | |
connman: fix CVE-2021-33833
ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based
buffer overflow in uncompress in dnsproxy.c via NAME, RDATA, or
RDLENGTH (for A or AAAA).
Backport patch from:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
CVE: CVE-2021-33833
(From OE-Core rev: 8eb4fdd19fe4b275c26c49120b364cd24ec151d5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch | 72 | ||||
| -rw-r--r-- | meta/recipes-connectivity/connman/connman_1.37.bb | 1 |
2 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch new file mode 100644 index 0000000000..770948fb69 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch | |||
| @@ -0,0 +1,72 @@ | |||
| 1 | From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Valery Kashcheev <v.kascheev@omp.ru> | ||
| 3 | Date: Mon, 7 Jun 2021 18:58:24 +0200 | ||
| 4 | Subject: dnsproxy: Check the length of buffers before memcpy | ||
| 5 | |||
| 6 | Fix using a stack-based buffer overflow attack by checking the length of | ||
| 7 | the ptr and uptr buffers. | ||
| 8 | |||
| 9 | Fix debug message output. | ||
| 10 | |||
| 11 | Fixes: CVE-2021-33833 | ||
| 12 | |||
| 13 | Upstream-Status: Backport | ||
| 14 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c | ||
| 15 | CVE: CVE-2021-33833 | ||
| 16 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
| 17 | |||
| 18 | --- | ||
| 19 | src/dnsproxy.c | 20 +++++++++++--------- | ||
| 20 | 1 file changed, 11 insertions(+), 9 deletions(-) | ||
| 21 | |||
| 22 | diff --git a/src/dnsproxy.c b/src/dnsproxy.c | ||
| 23 | index de52df5a..38dbdd71 100644 | ||
| 24 | --- a/src/dnsproxy.c | ||
| 25 | +++ b/src/dnsproxy.c | ||
| 26 | @@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
| 27 | * tmp buffer. | ||
| 28 | */ | ||
| 29 | |||
| 30 | - debug("pos %d ulen %d left %d name %s", pos, ulen, | ||
| 31 | - (int)(uncomp_len - (uptr - uncompressed)), uptr); | ||
| 32 | - | ||
| 33 | - ulen = strlen(name); | ||
| 34 | - if ((uptr + ulen + 1) > uncomp_end) { | ||
| 35 | + ulen = strlen(name) + 1; | ||
| 36 | + if ((uptr + ulen) > uncomp_end) | ||
| 37 | goto out; | ||
| 38 | - } | ||
| 39 | - strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); | ||
| 40 | + strncpy(uptr, name, ulen); | ||
| 41 | + | ||
| 42 | + debug("pos %d ulen %d left %d name %s", pos, ulen, | ||
| 43 | + (int)(uncomp_end - (uptr + ulen)), uptr); | ||
| 44 | |||
| 45 | uptr += ulen; | ||
| 46 | - *uptr++ = '\0'; | ||
| 47 | |||
| 48 | ptr += pos; | ||
| 49 | |||
| 50 | @@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
| 51 | } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) { | ||
| 52 | dlen = uptr[-2] << 8 | uptr[-1]; | ||
| 53 | |||
| 54 | - if (ptr + dlen > end) { | ||
| 55 | + if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) { | ||
| 56 | debug("data len %d too long", dlen); | ||
| 57 | goto out; | ||
| 58 | } | ||
| 59 | @@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
| 60 | * refresh interval, retry interval, expiration | ||
| 61 | * limit and minimum ttl). They are 20 bytes long. | ||
| 62 | */ | ||
| 63 | + if ((uptr + 20) > uncomp_end || (ptr + 20) > end) { | ||
| 64 | + debug("soa record too long"); | ||
| 65 | + goto out; | ||
| 66 | + } | ||
| 67 | memcpy(uptr, ptr, 20); | ||
| 68 | uptr += 20; | ||
| 69 | ptr += 20; | ||
| 70 | -- | ||
| 71 | cgit 1.2.3-1.el7 | ||
| 72 | |||
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index 096981364f..bdd1e590ec 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb | |||
| @@ -9,6 +9,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ | |||
| 9 | file://CVE-2021-26675.patch \ | 9 | file://CVE-2021-26675.patch \ |
| 10 | file://CVE-2021-26676-0001.patch \ | 10 | file://CVE-2021-26676-0001.patch \ |
| 11 | file://CVE-2021-26676-0002.patch \ | 11 | file://CVE-2021-26676-0002.patch \ |
| 12 | file://CVE-2021-33833.patch \ | ||
| 12 | file://CVE-2022-23096-7.patch \ | 13 | file://CVE-2022-23096-7.patch \ |
| 13 | file://CVE-2022-23098.patch \ | 14 | file://CVE-2022-23098.patch \ |
| 14 | " | 15 | " |