connman: Backports for security fixes

Fixes CVE: CVE-2022-32292, CVE-2022-32293 (From OE-Core rev: 4b3caa1541d69826c14e010ce3ac1a1ca34f3c62) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Khem Raj <raj.khem@gmail.com> 2022-08-14 16:43:04 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-08-16 14:57:58 +0100
commit: b33cf2d113d0b247042d3c1491c40e0c57bdffa6 (patch)
tree: bb3b5cf832e8ddf45497848b37fa1ce57392bcc9 /meta
parent: 43bd04cf172b2b198def19a79315ce1a333cd942 (diff)
download: poky-b33cf2d113d0b247042d3c1491c40e0c57bdffa6.tar.gz
4 files changed, 355 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
new file mode 100644
index 0000000000..182c5ca29c
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@
+From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
+From: Nathan Crandall <ncrandall@tesla.com>
+Date: Tue, 12 Jul 2022 08:56:34 +0200
+Subject: gweb: Fix OOB write in received_data()
+There is a mismatch of handling binary vs. C-string data with memchr
+and strlen, resulting in pos, count, and bytes_read to become out of
+sync and result in a heap overflow.  Instead, do not treat the buffer
+as an ASCII C-string. We calculate the count based on the return value
+of memchr, instead of strlen.
+Fixes: CVE-2022-32292
+CVE: CVE-2022-32292
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ gweb/gweb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/gweb/gweb.c b/gweb/gweb.c
+index 12fcb1d8..13c6c5f2 100644
+--- a/gweb/gweb.c
+++ b/gweb/gweb.c
+@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
+                }
+ 
+                *pos = '\0';
+-               count = strlen((char *) ptr);
+               count = pos - ptr;
+                if (count > 0 && ptr[count - 1] == '\r') {
+                        ptr[--count] = '\0';
+                        bytes_read--;
+-- 
+cgit 
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch
new file mode 100644
index 0000000000..b280203594
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch
@@ -0,0 +1,141 @@
+From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 5 Jul 2022 08:32:12 +0200
+Subject: wispr: Add reference counter to portal context
+Track the connman_wispr_portal_context live time via a
+refcounter. This only adds the infrastructure to do proper reference
+counting.
+Fixes: CVE-2022-32293
+CVE: CVE-2022-32293
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 42 insertions(+), 10 deletions(-)
+diff --git a/src/wispr.c b/src/wispr.c
+index a07896ca..bde7e63b 100644
+--- a/src/wispr.c
+++ b/src/wispr.c
+@@ -56,6 +56,7 @@ struct wispr_route {
+ };
+ 
+ struct connman_wispr_portal_context {
+       int refcount;
+        struct connman_service *service;
+        enum connman_ipconfig_type type;
+        struct connman_wispr_portal *wispr_portal;
+@@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL;
+ static char *online_check_ipv6_url = NULL;
+ static bool enable_online_to_ready_transition = false;
+ 
+#define wispr_portal_context_ref(wp_context) \
+       wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__)
+#define wispr_portal_context_unref(wp_context) \
+       wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)
+
+ static void connman_wispr_message_init(struct connman_wispr_message *msg)
+ {
+        DBG("");
+@@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context(
+ {
+        DBG("context %p", wp_context);
+ 
+-       if (!wp_context)
+-               return;
+-
+        if (wp_context->wispr_portal) {
+                if (wp_context->wispr_portal->ipv4_context == wp_context)
+                        wp_context->wispr_portal->ipv4_context = NULL;
+@@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context(
+        g_free(wp_context);
+ }
+ 
+static struct connman_wispr_portal_context *
+wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,
+                       const char *file, int line, const char *caller)
+{
+       DBG("%p ref %d by %s:%d:%s()", wp_context,
+               wp_context->refcount + 1, file, line, caller);
+
+       __sync_fetch_and_add(&wp_context->refcount, 1);
+
+       return wp_context;
+}
+
+static void wispr_portal_context_unref_debug(
+               struct connman_wispr_portal_context *wp_context,
+               const char *file, int line, const char *caller)
+{
+       if (!wp_context)
+               return;
+
+       DBG("%p ref %d by %s:%d:%s()", wp_context,
+               wp_context->refcount - 1, file, line, caller);
+
+       if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)
+               return;
+
+       free_connman_wispr_portal_context(wp_context);
+}
+
+ static struct connman_wispr_portal_context *create_wispr_portal_context(void)
+ {
+-       return g_try_new0(struct connman_wispr_portal_context, 1);
+       return wispr_portal_context_ref(
+               g_new0(struct connman_wispr_portal_context, 1));
+ }
+ 
+ static void free_connman_wispr_portal(gpointer data)
+@@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data)
+        if (!wispr_portal)
+                return;
+ 
+-       free_connman_wispr_portal_context(wispr_portal->ipv4_context);
+-       free_connman_wispr_portal_context(wispr_portal->ipv6_context);
+       wispr_portal_context_unref(wispr_portal->ipv4_context);
+       wispr_portal_context_unref(wispr_portal->ipv6_context);
+ 
+        g_free(wispr_portal);
+ }
+@@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result,
+                connman_info("Client-Timezone: %s", str);
+ 
+        if (!enable_online_to_ready_transition)
+-               free_connman_wispr_portal_context(wp_context);
+               wispr_portal_context_unref(wp_context);
+ 
+        __connman_service_ipconfig_indicate_state(service,
+                                        CONNMAN_SERVICE_STATE_ONLINE, type);
+@@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service,
+                                return;
+                }
+ 
+-               free_connman_wispr_portal_context(wp_context);
+               wispr_portal_context_unref(wp_context);
+                return;
+        }
+ 
+@@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)
+ 
+                if (wp_context->token == 0) {
+                        err = -EINVAL;
+-                       free_connman_wispr_portal_context(wp_context);
+                       wispr_portal_context_unref(wp_context);
+                }
+        } else if (wp_context->timeout == 0) {
+                wp_context->timeout = g_idle_add(no_proxy_callback, wp_context);
+@@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service,
+ 
+        /* If there is already an existing context, we wipe it */
+        if (wp_context)
+-               free_connman_wispr_portal_context(wp_context);
+               wispr_portal_context_unref(wp_context);
+ 
+        wp_context = create_wispr_portal_context();
+        if (!wp_context)
+-- 
+cgit 
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch
new file mode 100644
index 0000000000..56f8fc82de
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch
@@ -0,0 +1,174 @@
+From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 5 Jul 2022 09:11:09 +0200
+Subject: wispr: Update portal context references
+Maintain proper portal context references to avoid UAF.
+Fixes: CVE-2022-32293
+CVE: CVE-2022-32293
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/wispr.c | 34 ++++++++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 12 deletions(-)
+diff --git a/src/wispr.c b/src/wispr.c
+index bde7e63b..84bed33f 100644
+--- a/src/wispr.c
+++ b/src/wispr.c
+@@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false;
+ 
+ static void connman_wispr_message_init(struct connman_wispr_message *msg)
+ {
+-       DBG("");
+-
+        msg->has_error = false;
+        msg->current_element = NULL;
+ 
+@@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context)
+ static void free_connman_wispr_portal_context(
+                struct connman_wispr_portal_context *wp_context)
+ {
+-       DBG("context %p", wp_context);
+-
+        if (wp_context->wispr_portal) {
+                if (wp_context->wispr_portal->ipv4_context == wp_context)
+                        wp_context->wispr_portal->ipv4_context = NULL;
+@@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result,
+                                &str))
+                connman_info("Client-Timezone: %s", str);
+ 
+-       if (!enable_online_to_ready_transition)
+-               wispr_portal_context_unref(wp_context);
+-
+        __connman_service_ipconfig_indicate_state(service,
+                                        CONNMAN_SERVICE_STATE_ONLINE, type);
+ 
+@@ -546,14 +539,17 @@ static void wispr_portal_request_portal(
+ {
+        DBG("");
+ 
+       wispr_portal_context_ref(wp_context);
+        wp_context->request_id = g_web_request_get(wp_context->web,
+                                        wp_context->status_url,
+                                        wispr_portal_web_result,
+                                        wispr_route_request,
+                                        wp_context);
+ 
+-       if (wp_context->request_id == 0)
+       if (wp_context->request_id == 0) {
+                wispr_portal_error(wp_context);
+               wispr_portal_context_unref(wp_context);
+       }
+ }
+ 
+ static bool wispr_input(const guint8 **data, gsize *length,
+@@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
+                return;
+ 
+        if (!authentication_done) {
+-               wispr_portal_error(wp_context);
+                free_wispr_routes(wp_context);
+               wispr_portal_error(wp_context);
+               wispr_portal_context_unref(wp_context);
+                return;
+        }
+ 
+        /* Restarting the test */
+        __connman_service_wispr_start(service, wp_context->type);
+       wispr_portal_context_unref(wp_context);
+ }
+ 
+ static void wispr_portal_request_wispr_login(struct connman_service *service,
+@@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result,
+ 
+                wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN;
+ 
+               wispr_portal_context_ref(wp_context);
+                if (__connman_agent_request_login_input(wp_context->service,
+                                        wispr_portal_request_wispr_login,
+-                                       wp_context) != -EINPROGRESS)
+                                       wp_context) != -EINPROGRESS) {
+                        wispr_portal_error(wp_context);
+-               else
+                       wispr_portal_context_unref(wp_context);
+               } else
+                        return true;
+ 
+                break;
+@@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+                if (length > 0) {
+                        g_web_parser_feed_data(wp_context->wispr_parser,
+                                                                chunk, length);
+                       wispr_portal_context_unref(wp_context);
+                        return true;
+                }
+ 
+@@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ 
+        switch (status) {
+        case 000:
+               wispr_portal_context_ref(wp_context);
+                __connman_agent_request_browser(wp_context->service,
+                                wispr_portal_browser_reply_cb,
+                                wp_context->status_url, wp_context);
+@@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+                if (g_web_result_get_header(result, "X-ConnMan-Status",
+                                                &str)) {
+                        portal_manage_status(result, wp_context);
+                       wispr_portal_context_unref(wp_context);
+                        return false;
+-               } else
+               } else {
+                       wispr_portal_context_ref(wp_context);
+                        __connman_agent_request_browser(wp_context->service,
+                                        wispr_portal_browser_reply_cb,
+                                        wp_context->redirect_url, wp_context);
+               }
+ 
+                break;
+        case 300:
+@@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+                        !g_web_result_get_header(result, "Location",
+                                                        &redirect)) {
+ 
+                       wispr_portal_context_ref(wp_context);
+                        __connman_agent_request_browser(wp_context->service,
+                                        wispr_portal_browser_reply_cb,
+                                        wp_context->status_url, wp_context);
+@@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ 
+                wp_context->redirect_url = g_strdup(redirect);
+ 
+               wispr_portal_context_ref(wp_context);
+                wp_context->request_id = g_web_request_get(wp_context->web,
+                                redirect, wispr_portal_web_result,
+                                wispr_route_request, wp_context);
+@@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ 
+                break;
+        case 505:
+               wispr_portal_context_ref(wp_context);
+                __connman_agent_request_browser(wp_context->service,
+                                wispr_portal_browser_reply_cb,
+                                wp_context->status_url, wp_context);
+@@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+        wp_context->request_id = 0;
+ done:
+        wp_context->wispr_msg.message_type = -1;
+       wispr_portal_context_unref(wp_context);
+        return false;
+ }
+ 
+@@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data)
+                                        xml_wispr_parser_callback, wp_context);
+ 
+        wispr_portal_request_portal(wp_context);
+       wispr_portal_context_unref(wp_context);
+ }
+ 
+ static gboolean no_proxy_callback(gpointer user_data)
+-- 
+cgit 
diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
index 736b78eaeb..79542b2175 100644
--- a/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -5,6 +5,9 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
           file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \
           file://connman \
           file://no-version-scripts.patch \
+           file://CVE-2022-32293_p1.patch \
+           file://CVE-2022-32293_p2.patch \
+           file://CVE-2022-32292.patch \
           "
 SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
author	Khem Raj <raj.khem@gmail.com>	2022-08-14 16:43:04 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-08-16 14:57:58 +0100
commit	b33cf2d113d0b247042d3c1491c40e0c57bdffa6 (patch)
tree	bb3b5cf832e8ddf45497848b37fa1ce57392bcc9 /meta
parent	43bd04cf172b2b198def19a79315ce1a333cd942 (diff)
download	poky-b33cf2d113d0b247042d3c1491c40e0c57bdffa6.tar.gz

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch new file mode 100644 index 0000000000..182c5ca29c --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@
		1	From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
		2	From: Nathan Crandall <ncrandall@tesla.com>
		3	Date: Tue, 12 Jul 2022 08:56:34 +0200
		4	Subject: gweb: Fix OOB write in received_data()
		5
		6	There is a mismatch of handling binary vs. C-string data with memchr
		7	and strlen, resulting in pos, count, and bytes_read to become out of
		8	sync and result in a heap overflow. Instead, do not treat the buffer
		9	as an ASCII C-string. We calculate the count based on the return value
		10	of memchr, instead of strlen.
		11
		12	Fixes: CVE-2022-32292
		13
		14	CVE: CVE-2022-32292
		15
		16	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd]
		17	Signed-off-by: Khem Raj <raj.khem@gmail.com>
		18	---
		19	gweb/gweb.c \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/gweb/gweb.c b/gweb/gweb.c
		23	index 12fcb1d8..13c6c5f2 100644
		24	--- a/gweb/gweb.c
		25	+++ b/gweb/gweb.c
		26	@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
		27	}
		28
		29	*pos = '\0';
		30	- count = strlen((char *) ptr);
		31	+ count = pos - ptr;
		32	if (count > 0 && ptr[count - 1] == '\r') {
		33	ptr[--count] = '\0';
		34	bytes_read--;
		35	--
		36	cgit
		37


diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch new file mode 100644 index 0000000000..b280203594 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch
@@ -0,0 +1,141 @@
		1	From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001
		2	From: Daniel Wagner <wagi@monom.org>
		3	Date: Tue, 5 Jul 2022 08:32:12 +0200
		4	Subject: wispr: Add reference counter to portal context
		5
		6	Track the connman_wispr_portal_context live time via a
		7	refcounter. This only adds the infrastructure to do proper reference
		8	counting.
		9
		10	Fixes: CVE-2022-32293
		11	CVE: CVE-2022-32293
		12	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a]
		13	Signed-off-by: Khem Raj <raj.khem@gmail.com>
		14	---
		15	src/wispr.c \| 52 ++++++++++++++++++++++++++++++++++++++++++----------
		16	1 file changed, 42 insertions(+), 10 deletions(-)
		17
		18	diff --git a/src/wispr.c b/src/wispr.c
		19	index a07896ca..bde7e63b 100644
		20	--- a/src/wispr.c
		21	+++ b/src/wispr.c
		22	@@ -56,6 +56,7 @@ struct wispr_route {
		23	};
		24
		25	struct connman_wispr_portal_context {
		26	+ int refcount;
		27	struct connman_service *service;
		28	enum connman_ipconfig_type type;
		29	struct connman_wispr_portal *wispr_portal;
		30	@@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL;
		31	static char *online_check_ipv6_url = NULL;
		32	static bool enable_online_to_ready_transition = false;
		33
		34	+#define wispr_portal_context_ref(wp_context) \
		35	+ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__)
		36	+#define wispr_portal_context_unref(wp_context) \
		37	+ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)
		38	+
		39	static void connman_wispr_message_init(struct connman_wispr_message *msg)
		40	{
		41	DBG("");
		42	@@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context(
		43	{
		44	DBG("context %p", wp_context);
		45
		46	- if (!wp_context)
		47	- return;
		48	-
		49	if (wp_context->wispr_portal) {
		50	if (wp_context->wispr_portal->ipv4_context == wp_context)
		51	wp_context->wispr_portal->ipv4_context = NULL;
		52	@@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context(
		53	g_free(wp_context);
		54	}
		55
		56	+static struct connman_wispr_portal_context *
		57	+wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,
		58	+ const char file, int line, const char caller)
		59	+{
		60	+ DBG("%p ref %d by %s:%d:%s()", wp_context,
		61	+ wp_context->refcount + 1, file, line, caller);
		62	+
		63	+ __sync_fetch_and_add(&wp_context->refcount, 1);
		64	+
		65	+ return wp_context;
		66	+}
		67	+
		68	+static void wispr_portal_context_unref_debug(
		69	+ struct connman_wispr_portal_context *wp_context,
		70	+ const char file, int line, const char caller)
		71	+{
		72	+ if (!wp_context)
		73	+ return;
		74	+
		75	+ DBG("%p ref %d by %s:%d:%s()", wp_context,
		76	+ wp_context->refcount - 1, file, line, caller);
		77	+
		78	+ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)
		79	+ return;
		80	+
		81	+ free_connman_wispr_portal_context(wp_context);
		82	+}
		83	+
		84	static struct connman_wispr_portal_context *create_wispr_portal_context(void)
		85	{
		86	- return g_try_new0(struct connman_wispr_portal_context, 1);
		87	+ return wispr_portal_context_ref(
		88	+ g_new0(struct connman_wispr_portal_context, 1));
		89	}
		90
		91	static void free_connman_wispr_portal(gpointer data)
		92	@@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data)
		93	if (!wispr_portal)
		94	return;
		95
		96	- free_connman_wispr_portal_context(wispr_portal->ipv4_context);
		97	- free_connman_wispr_portal_context(wispr_portal->ipv6_context);
		98	+ wispr_portal_context_unref(wispr_portal->ipv4_context);
		99	+ wispr_portal_context_unref(wispr_portal->ipv6_context);
		100
		101	g_free(wispr_portal);
		102	}
		103	@@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result,
		104	connman_info("Client-Timezone: %s", str);
		105
		106	if (!enable_online_to_ready_transition)
		107	- free_connman_wispr_portal_context(wp_context);
		108	+ wispr_portal_context_unref(wp_context);
		109
		110	__connman_service_ipconfig_indicate_state(service,
		111	CONNMAN_SERVICE_STATE_ONLINE, type);
		112	@@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service,
		113	return;
		114	}
		115
		116	- free_connman_wispr_portal_context(wp_context);
		117	+ wispr_portal_context_unref(wp_context);
		118	return;
		119	}
		120
		121	@@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)
		122
		123	if (wp_context->token == 0) {
		124	err = -EINVAL;
		125	- free_connman_wispr_portal_context(wp_context);
		126	+ wispr_portal_context_unref(wp_context);
		127	}
		128	} else if (wp_context->timeout == 0) {
		129	wp_context->timeout = g_idle_add(no_proxy_callback, wp_context);
		130	@@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service,
		131
		132	/* If there is already an existing context, we wipe it */
		133	if (wp_context)
		134	- free_connman_wispr_portal_context(wp_context);
		135	+ wispr_portal_context_unref(wp_context);
		136
		137	wp_context = create_wispr_portal_context();
		138	if (!wp_context)
		139	--
		140	cgit
		141


diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch new file mode 100644 index 0000000000..56f8fc82de --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch
@@ -0,0 +1,174 @@
		1	From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001
		2	From: Daniel Wagner <wagi@monom.org>
		3	Date: Tue, 5 Jul 2022 09:11:09 +0200
		4	Subject: wispr: Update portal context references
		5
		6	Maintain proper portal context references to avoid UAF.
		7
		8	Fixes: CVE-2022-32293
		9	CVE: CVE-2022-32293
		10	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c]
		11	Signed-off-by: Khem Raj <raj.khem@gmail.com>
		12	---
		13	src/wispr.c \| 34 ++++++++++++++++++++++------------
		14	1 file changed, 22 insertions(+), 12 deletions(-)
		15
		16	diff --git a/src/wispr.c b/src/wispr.c
		17	index bde7e63b..84bed33f 100644
		18	--- a/src/wispr.c
		19	+++ b/src/wispr.c
		20	@@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false;
		21
		22	static void connman_wispr_message_init(struct connman_wispr_message *msg)
		23	{
		24	- DBG("");
		25	-
		26	msg->has_error = false;
		27	msg->current_element = NULL;
		28
		29	@@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context)
		30	static void free_connman_wispr_portal_context(
		31	struct connman_wispr_portal_context *wp_context)
		32	{
		33	- DBG("context %p", wp_context);
		34	-
		35	if (wp_context->wispr_portal) {
		36	if (wp_context->wispr_portal->ipv4_context == wp_context)
		37	wp_context->wispr_portal->ipv4_context = NULL;
		38	@@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result,
		39	&str))
		40	connman_info("Client-Timezone: %s", str);
		41
		42	- if (!enable_online_to_ready_transition)
		43	- wispr_portal_context_unref(wp_context);
		44	-
		45	__connman_service_ipconfig_indicate_state(service,
		46	CONNMAN_SERVICE_STATE_ONLINE, type);
		47
		48	@@ -546,14 +539,17 @@ static void wispr_portal_request_portal(
		49	{
		50	DBG("");
		51
		52	+ wispr_portal_context_ref(wp_context);
		53	wp_context->request_id = g_web_request_get(wp_context->web,
		54	wp_context->status_url,
		55	wispr_portal_web_result,
		56	wispr_route_request,
		57	wp_context);
		58
		59	- if (wp_context->request_id == 0)
		60	+ if (wp_context->request_id == 0) {
		61	wispr_portal_error(wp_context);
		62	+ wispr_portal_context_unref(wp_context);
		63	+ }
		64	}
		65
		66	static bool wispr_input(const guint8 *data, gsize length,
		67	@@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
		68	return;
		69
		70	if (!authentication_done) {
		71	- wispr_portal_error(wp_context);
		72	free_wispr_routes(wp_context);
		73	+ wispr_portal_error(wp_context);
		74	+ wispr_portal_context_unref(wp_context);
		75	return;
		76	}
		77
		78	/* Restarting the test */
		79	__connman_service_wispr_start(service, wp_context->type);
		80	+ wispr_portal_context_unref(wp_context);
		81	}
		82
		83	static void wispr_portal_request_wispr_login(struct connman_service *service,
		84	@@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result,
		85
		86	wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN;
		87
		88	+ wispr_portal_context_ref(wp_context);
		89	if (__connman_agent_request_login_input(wp_context->service,
		90	wispr_portal_request_wispr_login,
		91	- wp_context) != -EINPROGRESS)
		92	+ wp_context) != -EINPROGRESS) {
		93	wispr_portal_error(wp_context);
		94	- else
		95	+ wispr_portal_context_unref(wp_context);
		96	+ } else
		97	return true;
		98
		99	break;
		100	@@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
		101	if (length > 0) {
		102	g_web_parser_feed_data(wp_context->wispr_parser,
		103	chunk, length);
		104	+ wispr_portal_context_unref(wp_context);
		105	return true;
		106	}
		107
		108	@@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
		109
		110	switch (status) {
		111	case 000:
		112	+ wispr_portal_context_ref(wp_context);
		113	__connman_agent_request_browser(wp_context->service,
		114	wispr_portal_browser_reply_cb,
		115	wp_context->status_url, wp_context);
		116	@@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
		117	if (g_web_result_get_header(result, "X-ConnMan-Status",
		118	&str)) {
		119	portal_manage_status(result, wp_context);
		120	+ wispr_portal_context_unref(wp_context);
		121	return false;
		122	- } else
		123	+ } else {
		124	+ wispr_portal_context_ref(wp_context);
		125	__connman_agent_request_browser(wp_context->service,
		126	wispr_portal_browser_reply_cb,
		127	wp_context->redirect_url, wp_context);
		128	+ }
		129
		130	break;
		131	case 300:
		132	@@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
		133	!g_web_result_get_header(result, "Location",
		134	&redirect)) {
		135
		136	+ wispr_portal_context_ref(wp_context);
		137	__connman_agent_request_browser(wp_context->service,
		138	wispr_portal_browser_reply_cb,
		139	wp_context->status_url, wp_context);
		140	@@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
		141
		142	wp_context->redirect_url = g_strdup(redirect);
		143
		144	+ wispr_portal_context_ref(wp_context);
		145	wp_context->request_id = g_web_request_get(wp_context->web,
		146	redirect, wispr_portal_web_result,
		147	wispr_route_request, wp_context);
		148	@@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
		149
		150	break;
		151	case 505:
		152	+ wispr_portal_context_ref(wp_context);
		153	__connman_agent_request_browser(wp_context->service,
		154	wispr_portal_browser_reply_cb,
		155	wp_context->status_url, wp_context);
		156	@@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
		157	wp_context->request_id = 0;
		158	done:
		159	wp_context->wispr_msg.message_type = -1;
		160	+ wispr_portal_context_unref(wp_context);
		161	return false;
		162	}
		163
		164	@@ -890,6 +899,7 @@ static void proxy_callback(const char proxy, void user_data)
		165	xml_wispr_parser_callback, wp_context);
		166
		167	wispr_portal_request_portal(wp_context);
		168	+ wispr_portal_context_unref(wp_context);
		169	}
		170
		171	static gboolean no_proxy_callback(gpointer user_data)
		172	--
		173	cgit
		174


diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb index 736b78eaeb..79542b2175 100644 --- a/meta/recipes-connectivity/connman/connman_1.41.bb +++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -5,6 +5,9 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
5	file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \	5	file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \
6	file://connman \	6	file://connman \
7	file://no-version-scripts.patch \	7	file://no-version-scripts.patch \
		8	file://CVE-2022-32293_p1.patch \
		9	file://CVE-2022-32293_p2.patch \
		10	file://CVE-2022-32292.patch \
8	"	11	"
9		12
10	SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"	13	SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"