connman: fix CVE-2022-32292

(From OE-Core rev: 380b6fb2583f875aad0cb28c91b1531e63eb2eeb) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2022-09-13 11:47:37 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-16 17:53:28 +0100
commit: 459d081bf82c5a9a19221e7700517399526729f6 (patch)
tree: e0a4c66fe4acf353850cc60eeb6b0462a1618db7
parent: 5e7c237200c6319e17191cc93df4d0e19f5a73be (diff)
download: poky-459d081bf82c5a9a19221e7700517399526729f6.tar.gz
2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
new file mode 100644
index 0000000000..74a739d6a2
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@
+From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
+From: Nathan Crandall <ncrandall@tesla.com>
+Date: Tue, 12 Jul 2022 08:56:34 +0200
+Subject: gweb: Fix OOB write in received_data()
+There is a mismatch of handling binary vs. C-string data with memchr
+and strlen, resulting in pos, count, and bytes_read to become out of
+sync and result in a heap overflow.  Instead, do not treat the buffer
+as an ASCII C-string. We calculate the count based on the return value
+of memchr, instead of strlen.
+Fixes: CVE-2022-32292
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b
+CVE: CVE-2022-32292
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ gweb/gweb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/gweb/gweb.c b/gweb/gweb.c
+index 12fcb1d8..13c6c5f2 100644
+--- a/gweb/gweb.c
+++ b/gweb/gweb.c
+@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
+                }
+ 
+                *pos = '\0';
+-               count = strlen((char *) ptr);
+               count = pos - ptr;
+                if (count > 0 && ptr[count - 1] == '\r') {
+                        ptr[--count] = '\0';
+                        bytes_read--;
+-- 
+cgit 
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb
index bdd1e590ec..4f22c7ad49 100644
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -12,6 +12,7 @@ SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
            file://CVE-2021-33833.patch \
            file://CVE-2022-23096-7.patch \
            file://CVE-2022-23098.patch \
+            file://CVE-2022-32292.patch \
 "
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
author	Chee Yang Lee <chee.yang.lee@intel.com>	2022-09-13 11:47:37 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-16 17:53:28 +0100
commit	459d081bf82c5a9a19221e7700517399526729f6 (patch)
tree	e0a4c66fe4acf353850cc60eeb6b0462a1618db7
parent	5e7c237200c6319e17191cc93df4d0e19f5a73be (diff)
download	poky-459d081bf82c5a9a19221e7700517399526729f6.tar.gz

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch new file mode 100644 index 0000000000..74a739d6a2 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@
		1	From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
		2	From: Nathan Crandall <ncrandall@tesla.com>
		3	Date: Tue, 12 Jul 2022 08:56:34 +0200
		4	Subject: gweb: Fix OOB write in received_data()
		5
		6	There is a mismatch of handling binary vs. C-string data with memchr
		7	and strlen, resulting in pos, count, and bytes_read to become out of
		8	sync and result in a heap overflow. Instead, do not treat the buffer
		9	as an ASCII C-string. We calculate the count based on the return value
		10	of memchr, instead of strlen.
		11
		12	Fixes: CVE-2022-32292
		13
		14	Upstream-Status: Backport
		15	https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b
		16	CVE: CVE-2022-32292
		17	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		18	---
		19	gweb/gweb.c \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/gweb/gweb.c b/gweb/gweb.c
		23	index 12fcb1d8..13c6c5f2 100644
		24	--- a/gweb/gweb.c
		25	+++ b/gweb/gweb.c
		26	@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
		27	}
		28
		29	*pos = '\0';
		30	- count = strlen((char *) ptr);
		31	+ count = pos - ptr;
		32	if (count > 0 && ptr[count - 1] == '\r') {
		33	ptr[--count] = '\0';
		34	bytes_read--;
		35	--
		36	cgit
		37


diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index bdd1e590ec..4f22c7ad49 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -12,6 +12,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
12	file://CVE-2021-33833.patch \	12	file://CVE-2021-33833.patch \
13	file://CVE-2022-23096-7.patch \	13	file://CVE-2022-23096-7.patch \
14	file://CVE-2022-23098.patch \	14	file://CVE-2022-23098.patch \
		15	file://CVE-2022-32292.patch \
15	"	16	"
16		17
17	SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"	18	SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"