author | Chee Yang Lee <chee.yang.lee@intel.com> | 2022-09-13 11:47:37 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-16 17:53:28 +0100 |
commit | 459d081bf82c5a9a19221e7700517399526729f6 (patch) | |
tree | e0a4c66fe4acf353850cc60eeb6b0462a1618db7 | |
parent | 5e7c237200c6319e17191cc93df4d0e19f5a73be (diff) | |
download | poky-459d081bf82c5a9a19221e7700517399526729f6.tar.gz |
connman: fix CVE-2022-32292
(From OE-Core rev: 380b6fb2583f875aad0cb28c91b1531e63eb2eeb)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch | 37 | ||||
-rw-r--r-- | meta/recipes-connectivity/connman/connman_1.37.bb | 1 |
2 files changed, 38 insertions, 0 deletions
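--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@
+From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
+From: Nathan Crandall <ncrandall@tesla.com>
+Date: Tue, 12 Jul 2022 08:56:34 +0200
+Subject: gweb: Fix OOB write in received_data()
+
+There is a mismatch of handling binary vs. C-string data with memchr
+and strlen, resulting in pos, count, and bytes_read to become out of
+sync and result in a heap overflow. Instead, do not treat the buffer
+as an ASCII C-string. We calculate the count based on the return value
+of memchr, instead of strlen.
+
+Fixes: CVE-2022-32292
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b
+CVE: CVE-2022-32292
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+gweb/gweb.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gweb/gweb.c b/gweb/gweb.c
+index 12fcb1d8..13c6c5f2 100644
+--- a/gweb/gweb.c
++++ b/gweb/gweb.c
+@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
+}
+
+*pos = '\0';
+- count = strlen((char *) ptr);
++ count = pos - ptr;
+if (count > 0 && ptr[count - 1] == '\r') {
+ptr[--count] = '\0';
+bytes_read--;
+--
+cgit
+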
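Review bot: The commit id in the Upstream-Status link of the new patch header is one hex digit short: the URL ends in `...563b9312b` (39 digits), while the `From` line gives `d1a5ede5d255bde8ef707f8441b997563b9312bd`. Someone auditing this backport against upstream needs an exact id to compare, so the link should read `https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd`. The reference is also on its own line; the usual form keeps it on the status line in brackets, `Upstream-Status: Backport [<url>]`, which tooling that parses the tag is more likely to pick up. On the C change itself, `count = pos - ptr` ties `count` to the `memchr` result as the message describes, but `received_data()` starts and ends outside the hunk, so how `ptr` and `bytes_read` advance afterwards cannot be confirmed from this page.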
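--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -12,6 +12,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
 file://CVE-2021-33833.patch \
 file://CVE-2022-23096-7.patch \
 file://CVE-2022-23098.patch \
+file://CVE-2022-32292.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"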