ofono: Fix multiple CVEs

Backport fixes for: * CVE-2024-7539 - Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc * CVE-2024-7543 - Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7 * CVE-2024-7544 - Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a * CVE-2024-7545 - Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5 * CVE-2024-7546 - Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63 * CVE-2024-7547 - Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0 (From OE-Core rev: d244d4d48615a7b08f1ab0231f074caa31790247) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2025-01-16 13:31:35 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-01-24 07:59:38 -0800
commit: a65e0b9646335de25a906954dec9826c091d1fe2 (patch)
tree: ab409d04b32cbd6df4dd1e066b902cf67a042133 /meta/recipes-connectivity
parent: b84adcd9471bef77fc1c33564092e1f9fc4bf9c3 (diff)
download: poky-a65e0b9646335de25a906954dec9826c091d1fe2.tar.gz
7 files changed, 245 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
new file mode 100644
index 0000000000..7fcc620fd8
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
@@ -0,0 +1,88 @@
+From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001
+From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
+Date: Tue, 17 Dec 2024 11:31:29 +0200
+Subject: [PATCH] ussd: ensure ussd content fits in buffers
+Fixes: CVE-2024-7539
+CVE: CVE-2024-7539
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ drivers/atmodem/ussd.c      | 5 ++++-
+ drivers/huaweimodem/ussd.c  | 5 ++++-
+ drivers/speedupmodem/ussd.c | 5 ++++-
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c
+index aaf47b2..cee9bc5 100644
+--- a/drivers/atmodem/ussd.c
+++ b/drivers/atmodem/ussd.c
+@@ -107,7 +107,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+        const char *content;
+        int dcs;
+        enum sms_charset charset;
+-       unsigned char msg[160];
+       unsigned char msg[160] = {0};
+        const unsigned char *msg_ptr = NULL;
+        long msg_len;
+ 
+@@ -127,6 +127,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+        if (!g_at_result_iter_next_number(&iter, &dcs))
+                dcs = 0;
+ 
+       if (strlen(content) > sizeof(msg) * 2)
+               goto out;
+
+        if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
+                ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
+                status = 4; /* Not supported */
+diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c
+index ffb9b2a..cfdb4ee 100644
+--- a/drivers/huaweimodem/ussd.c
+++ b/drivers/huaweimodem/ussd.c
+@@ -52,7 +52,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+        int status;
+        int dcs = 0;
+        const char *content;
+-       unsigned char msg[160];
+       unsigned char msg[160] = {0};
+        const unsigned char *msg_ptr = NULL;
+        long msg_len;
+ 
+@@ -69,6 +69,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+ 
+        g_at_result_iter_next_number(&iter, &dcs);
+ 
+       if (strlen(content) > sizeof(msg) * 2)
+               goto out;
+
+        msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
+ 
+ out:
+diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c
+index 44da8ed..33441c6 100644
+--- a/drivers/speedupmodem/ussd.c
+++ b/drivers/speedupmodem/ussd.c
+@@ -51,7 +51,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+        int status;
+        int dcs = 0;
+        const char *content;
+-       unsigned char msg[160];
+       unsigned char msg[160] = {0};
+        const unsigned char *msg_ptr = NULL;
+        long msg_len;
+ 
+@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+ 
+        g_at_result_iter_next_number(&iter, &dcs);
+ 
+       if (strlen(content) > sizeof(msg) * 2)
+               goto out;
+
+        msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
+ 
+ out:
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch
new file mode 100644
index 0000000000..e48579e59a
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch
@@ -0,0 +1,30 @@
+From 90e60ada012de42964214d8155260f5749d0dcc7 Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:50 +0200
+Subject: [PATCH] stkutil: Fix CVE-2024-7543
+CVE: CVE-2024-7543
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/stkutil.c b/src/stkutil.c
+index 4f31af4..fdd11ad 100644
+--- a/src/stkutil.c
+++ b/src/stkutil.c
+@@ -1876,6 +1876,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter,
+ 
+        data = comprehension_tlv_iter_get_data(iter);
+        mr->len = len;
+
+       if (len > sizeof(mr->ref))
+               return false;
+
+        memcpy(mr->ref, data, len);
+ 
+        return true;
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch
new file mode 100644
index 0000000000..7984bc6487
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch
@@ -0,0 +1,30 @@
+From a240705a0d5d41eca6de4125ab2349ecde4c873a Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:49 +0200
+Subject: [PATCH] stkutil: Fix CVE-2024-7544
+CVE: CVE-2024-7544
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/stkutil.c b/src/stkutil.c
+index fdd11ad..475caaa 100644
+--- a/src/stkutil.c
+++ b/src/stkutil.c
+@@ -1898,6 +1898,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter,
+ 
+        data = comprehension_tlv_iter_get_data(iter);
+        mi->len = len;
+
+       if (len > sizeof(mi->id))
+               return false;
+
+        memcpy(mi->id, data, len);
+ 
+        return true;
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch
new file mode 100644
index 0000000000..a3bf13a81e
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch
@@ -0,0 +1,32 @@
+From 556e14548c38c2b96d85881542046ee7ed750bb5 Mon Sep 17 00:00:00 2001
+From: Sicelo A. Mhlongo <absicsz@gmail.com>
+Date: Wed, Dec 4 12:07:34 2024 +0200
+Subject: [PATCH] stkutil: ensure data fits in buffer
+Fixes CVE-2024-7545
+CVE: CVE-2024-7545
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/stkutil.c b/src/stkutil.c
+index 475caaa..e1fd75c 100644
+--- a/src/stkutil.c
+++ b/src/stkutil.c
+@@ -1938,6 +1938,10 @@ static bool parse_dataobj_mms_content_id(
+ 
+        data = comprehension_tlv_iter_get_data(iter);
+        mci->len = len;
+
+       if (len > sizeof(mci->id))
+               return false;
+
+        memcpy(mci->id, data, len);
+ 
+        return true;
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch
new file mode 100644
index 0000000000..808458be2f
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch
@@ -0,0 +1,30 @@
+From 79ea6677669e50b0bb9c231765adb4f81c375f63 Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:52 +0200
+Subject: [PATCH] Fix CVE-2024-7546
+CVE: CVE-2024-7546
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/stkutil.c b/src/stkutil.c
+index e1fd75c..88a715d 100644
+--- a/src/stkutil.c
+++ b/src/stkutil.c
+@@ -1783,6 +1783,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter,
+ 
+        fl->layout = data[0];
+        fl->len = len - 1;
+
+       if (fl->len > sizeof(fl->size))
+               return false;
+
+        memcpy(fl->size, data + 1, fl->len);
+ 
+        return true;
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch
new file mode 100644
index 0000000000..d4feee7f7f
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch
@@ -0,0 +1,29 @@
+From 305df050d02aea8532f7625d6642685aa530f9b0 Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:51 +0200
+Subject: [PATCH] Fix CVE-2024-7547
+CVE: CVE-2024-7547
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/smsutil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/smsutil.c b/src/smsutil.c
+index def47e8..f79f59d 100644
+--- a/src/smsutil.c
+++ b/src/smsutil.c
+@@ -1475,6 +1475,9 @@ static gboolean decode_command(const unsigned char *pdu, int len,
+        if ((len - offset) < out->command.cdl)
+                return FALSE;
+ 
+       if (out->command.cdl > sizeof(out->command.cd))
+               return FALSE;
+
+        memcpy(out->command.cd, pdu + offset, out->command.cdl);
+ 
+        return TRUE;
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/ofono/ofono_2.4.bb b/meta/recipes-connectivity/ofono/ofono_2.4.bb
index f8ade2b2f8..852c71948e 100644
--- a/meta/recipes-connectivity/ofono/ofono_2.4.bb
+++ b/meta/recipes-connectivity/ofono/ofono_2.4.bb
@@ -16,6 +16,12 @@ SRC_URI = "\
    file://CVE-2023-2794-0002.patch \
    file://CVE-2023-2794-0003.patch \
    file://CVE-2023-2794-0004.patch \
+    file://CVE-2024-7539.patch \
+    file://CVE-2024-7543.patch \
+    file://CVE-2024-7544.patch \
+    file://CVE-2024-7545.patch \
+    file://CVE-2024-7546.patch \
+    file://CVE-2024-7547.patch \
 "
 SRC_URI[sha256sum] = "93580adc1afd1890dc516efb069de0c5cdfef014415256ddfb28ab172df2d11d"
author	Hitendra Prajapati <hprajapati@mvista.com>	2025-01-16 13:31:35 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-01-24 07:59:38 -0800
commit	a65e0b9646335de25a906954dec9826c091d1fe2 (patch)
tree	ab409d04b32cbd6df4dd1e066b902cf67a042133 /meta/recipes-connectivity
parent	b84adcd9471bef77fc1c33564092e1f9fc4bf9c3 (diff)
download	poky-a65e0b9646335de25a906954dec9826c091d1fe2.tar.gz

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch new file mode 100644 index 0000000000..7fcc620fd8 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
@@ -0,0 +1,88 @@
		1	From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001
		2	From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
		3	Date: Tue, 17 Dec 2024 11:31:29 +0200
		4	Subject: [PATCH] ussd: ensure ussd content fits in buffers
		5
		6	Fixes: CVE-2024-7539
		7
		8	CVE: CVE-2024-7539
		9	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc]
		10	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		11	---
		12	drivers/atmodem/ussd.c \| 5 ++++-
		13	drivers/huaweimodem/ussd.c \| 5 ++++-
		14	drivers/speedupmodem/ussd.c \| 5 ++++-
		15	3 files changed, 12 insertions(+), 3 deletions(-)
		16
		17	diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c
		18	index aaf47b2..cee9bc5 100644
		19	--- a/drivers/atmodem/ussd.c
		20	+++ b/drivers/atmodem/ussd.c
		21	@@ -107,7 +107,7 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		22	const char *content;
		23	int dcs;
		24	enum sms_charset charset;
		25	- unsigned char msg[160];
		26	+ unsigned char msg[160] = {0};
		27	const unsigned char *msg_ptr = NULL;
		28	long msg_len;
		29
		30	@@ -127,6 +127,9 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		31	if (!g_at_result_iter_next_number(&iter, &dcs))
		32	dcs = 0;
		33
		34	+ if (strlen(content) > sizeof(msg) * 2)
		35	+ goto out;
		36	+
		37	if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
		38	ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
		39	status = 4; /* Not supported */
		40	diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c
		41	index ffb9b2a..cfdb4ee 100644
		42	--- a/drivers/huaweimodem/ussd.c
		43	+++ b/drivers/huaweimodem/ussd.c
		44	@@ -52,7 +52,7 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		45	int status;
		46	int dcs = 0;
		47	const char *content;
		48	- unsigned char msg[160];
		49	+ unsigned char msg[160] = {0};
		50	const unsigned char *msg_ptr = NULL;
		51	long msg_len;
		52
		53	@@ -69,6 +69,9 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		54
		55	g_at_result_iter_next_number(&iter, &dcs);
		56
		57	+ if (strlen(content) > sizeof(msg) * 2)
		58	+ goto out;
		59	+
		60	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
		61
		62	out:
		63	diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c
		64	index 44da8ed..33441c6 100644
		65	--- a/drivers/speedupmodem/ussd.c
		66	+++ b/drivers/speedupmodem/ussd.c
		67	@@ -51,7 +51,7 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		68	int status;
		69	int dcs = 0;
		70	const char *content;
		71	- unsigned char msg[160];
		72	+ unsigned char msg[160] = {0};
		73	const unsigned char *msg_ptr = NULL;
		74	long msg_len;
		75
		76	@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult result, struct ofono_ussd ussd)
		77
		78	g_at_result_iter_next_number(&iter, &dcs);
		79
		80	+ if (strlen(content) > sizeof(msg) * 2)
		81	+ goto out;
		82	+
		83	msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
		84
		85	out:
		86	--
		87	2.25.1
		88


diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch new file mode 100644 index 0000000000..e48579e59a --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch
@@ -0,0 +1,30 @@
		1	From 90e60ada012de42964214d8155260f5749d0dcc7 Mon Sep 17 00:00:00 2001
		2	From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
		3	Date: Tue, 3 Dec 2024 21:43:50 +0200
		4	Subject: [PATCH] stkutil: Fix CVE-2024-7543
		5
		6	CVE: CVE-2024-7543
		7	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7]
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	src/stkutil.c \| 4 ++++
		11	1 file changed, 4 insertions(+)
		12
		13	diff --git a/src/stkutil.c b/src/stkutil.c
		14	index 4f31af4..fdd11ad 100644
		15	--- a/src/stkutil.c
		16	+++ b/src/stkutil.c
		17	@@ -1876,6 +1876,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter,
		18
		19	data = comprehension_tlv_iter_get_data(iter);
		20	mr->len = len;
		21	+
		22	+ if (len > sizeof(mr->ref))
		23	+ return false;
		24	+
		25	memcpy(mr->ref, data, len);
		26
		27	return true;
		28	--
		29	2.25.1
		30


diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch new file mode 100644 index 0000000000..7984bc6487 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch
@@ -0,0 +1,30 @@
		1	From a240705a0d5d41eca6de4125ab2349ecde4c873a Mon Sep 17 00:00:00 2001
		2	From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
		3	Date: Tue, 3 Dec 2024 21:43:49 +0200
		4	Subject: [PATCH] stkutil: Fix CVE-2024-7544
		5
		6	CVE: CVE-2024-7544
		7	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a]
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	src/stkutil.c \| 4 ++++
		11	1 file changed, 4 insertions(+)
		12
		13	diff --git a/src/stkutil.c b/src/stkutil.c
		14	index fdd11ad..475caaa 100644
		15	--- a/src/stkutil.c
		16	+++ b/src/stkutil.c
		17	@@ -1898,6 +1898,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter,
		18
		19	data = comprehension_tlv_iter_get_data(iter);
		20	mi->len = len;
		21	+
		22	+ if (len > sizeof(mi->id))
		23	+ return false;
		24	+
		25	memcpy(mi->id, data, len);
		26
		27	return true;
		28	--
		29	2.25.1
		30


diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch new file mode 100644 index 0000000000..a3bf13a81e --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch
@@ -0,0 +1,32 @@
		1	From 556e14548c38c2b96d85881542046ee7ed750bb5 Mon Sep 17 00:00:00 2001
		2	From: Sicelo A. Mhlongo <absicsz@gmail.com>
		3	Date: Wed, Dec 4 12:07:34 2024 +0200
		4	Subject: [PATCH] stkutil: ensure data fits in buffer
		5
		6	Fixes CVE-2024-7545
		7
		8	CVE: CVE-2024-7545
		9	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5]
		10	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		11	---
		12	src/stkutil.c \| 4 ++++
		13	1 file changed, 4 insertions(+)
		14
		15	diff --git a/src/stkutil.c b/src/stkutil.c
		16	index 475caaa..e1fd75c 100644
		17	--- a/src/stkutil.c
		18	+++ b/src/stkutil.c
		19	@@ -1938,6 +1938,10 @@ static bool parse_dataobj_mms_content_id(
		20
		21	data = comprehension_tlv_iter_get_data(iter);
		22	mci->len = len;
		23	+
		24	+ if (len > sizeof(mci->id))
		25	+ return false;
		26	+
		27	memcpy(mci->id, data, len);
		28
		29	return true;
		30	--
		31	2.25.1
		32


diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch new file mode 100644 index 0000000000..808458be2f --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch
@@ -0,0 +1,30 @@
		1	From 79ea6677669e50b0bb9c231765adb4f81c375f63 Mon Sep 17 00:00:00 2001
		2	From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
		3	Date: Tue, 3 Dec 2024 21:43:52 +0200
		4	Subject: [PATCH] Fix CVE-2024-7546
		5
		6	CVE: CVE-2024-7546
		7	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63]
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	src/stkutil.c \| 4 ++++
		11	1 file changed, 4 insertions(+)
		12
		13	diff --git a/src/stkutil.c b/src/stkutil.c
		14	index e1fd75c..88a715d 100644
		15	--- a/src/stkutil.c
		16	+++ b/src/stkutil.c
		17	@@ -1783,6 +1783,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter,
		18
		19	fl->layout = data[0];
		20	fl->len = len - 1;
		21	+
		22	+ if (fl->len > sizeof(fl->size))
		23	+ return false;
		24	+
		25	memcpy(fl->size, data + 1, fl->len);
		26
		27	return true;
		28	--
		29	2.25.1
		30


diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch new file mode 100644 index 0000000000..d4feee7f7f --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch
@@ -0,0 +1,29 @@
		1	From 305df050d02aea8532f7625d6642685aa530f9b0 Mon Sep 17 00:00:00 2001
		2	From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
		3	Date: Tue, 3 Dec 2024 21:43:51 +0200
		4	Subject: [PATCH] Fix CVE-2024-7547
		5
		6	CVE: CVE-2024-7547
		7	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0]
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	src/smsutil.c \| 3 +++
		11	1 file changed, 3 insertions(+)
		12
		13	diff --git a/src/smsutil.c b/src/smsutil.c
		14	index def47e8..f79f59d 100644
		15	--- a/src/smsutil.c
		16	+++ b/src/smsutil.c
		17	@@ -1475,6 +1475,9 @@ static gboolean decode_command(const unsigned char *pdu, int len,
		18	if ((len - offset) < out->command.cdl)
		19	return FALSE;
		20
		21	+ if (out->command.cdl > sizeof(out->command.cd))
		22	+ return FALSE;
		23	+
		24	memcpy(out->command.cd, pdu + offset, out->command.cdl);
		25
		26	return TRUE;
		27	--
		28	2.25.1
		29


diff --git a/meta/recipes-connectivity/ofono/ofono_2.4.bb b/meta/recipes-connectivity/ofono/ofono_2.4.bb index f8ade2b2f8..852c71948e 100644 --- a/meta/recipes-connectivity/ofono/ofono_2.4.bb +++ b/meta/recipes-connectivity/ofono/ofono_2.4.bb
@@ -16,6 +16,12 @@ SRC_URI = "\
16	file://CVE-2023-2794-0002.patch \	16	file://CVE-2023-2794-0002.patch \
17	file://CVE-2023-2794-0003.patch \	17	file://CVE-2023-2794-0003.patch \
18	file://CVE-2023-2794-0004.patch \	18	file://CVE-2023-2794-0004.patch \
		19	file://CVE-2024-7539.patch \
		20	file://CVE-2024-7543.patch \
		21	file://CVE-2024-7544.patch \
		22	file://CVE-2024-7545.patch \
		23	file://CVE-2024-7546.patch \
		24	file://CVE-2024-7547.patch \
19	"	25	"
20	SRC_URI[sha256sum] = "93580adc1afd1890dc516efb069de0c5cdfef014415256ddfb28ab172df2d11d"	26	SRC_URI[sha256sum] = "93580adc1afd1890dc516efb069de0c5cdfef014415256ddfb28ab172df2d11d"
21		27