summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity
diff options
context:
space:
mode:
authorYogita Urade <yogita.urade@windriver.com>2024-08-08 05:22:03 +0000
committerSteve Sakoman <steve@sakoman.com>2024-08-16 08:09:14 -0700
commit204b28c41977cac9d1b428b490aaf7441140e92a (patch)
treef1986b19143929463c3ef640e2376ea860a6fafc /meta/recipes-connectivity
parent6313a595f9b5e0764701db134e91e2f1d7b72fa5 (diff)
downloadpoky-204b28c41977cac9d1b428b490aaf7441140e92a.tar.gz
ofono: fix CVE-2023-2794
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver(). Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-2794 Upstream patches: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682 https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400 https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e2688880b065a39c9 (From OE-Core rev: 5114e9064dbabd5258f512cd97c79fc40f848b98) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r--meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0001.patch37
-rw-r--r--meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0002.patch32
-rw-r--r--meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0003.patch44
-rw-r--r--meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0004.patch127
-rw-r--r--meta/recipes-connectivity/ofono/ofono_1.34.bb4
5 files changed, 244 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0001.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0001.patch
new file mode 100644
index 0000000000..a44633edd9
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0001.patch
@@ -0,0 +1,37 @@
1From a90421d8e45d63b304dc010baba24633e7869682 Mon Sep 17 00:00:00 2001
2From: Denis Kenzior <denkenz@gmail.com>
3Date: Mon, 5 Aug 2024 19:50:04 +0800
4Subject: [PATCH] smsutil: ensure the address length in bytes <= 10
5
6If a specially formatted SMS is received, it is conceivable that the
7address length might overflow the structure it is being parsed into.
8Ensure that the length in bytes of the address never exceeds 10.
9
10CVE: CVE-2023-2794
11Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682]
12
13Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
14---
15 src/smsutil.c | 7 ++++++-
16 1 file changed, 6 insertions(+), 1 deletion(-)
17
18diff --git a/src/smsutil.c b/src/smsutil.c
19index 8dd2126..d8170d1 100644
20--- a/src/smsutil.c
21+++ b/src/smsutil.c
22@@ -643,7 +643,12 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
23 else
24 byte_len = (addr_len + 1) / 2;
25
26- if ((len - *offset) < byte_len)
27+ /*
28+ * 23.040:
29+ * The maximum length of the full address field
30+ * (AddressLength, TypeofAddress and AddressValue) is 12 octets.
31+ */
32+ if ((len - *offset) < byte_len || byte_len > 10)
33 return FALSE;
34
35 out->number_type = bit_field(addr_type, 4, 3);
36--
372.25.1
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0002.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0002.patch
new file mode 100644
index 0000000000..dfd6edeb7e
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0002.patch
@@ -0,0 +1,32 @@
1From 7f2adfa22fbae824f8e2c3ae86a3f51da31ee400 Mon Sep 17 00:00:00 2001
2From: Denis Kenzior <denkenz@gmail.com>
3Date: Mon, 5 Aug 2024 20:06:09 +0800
4Subject: [PATCH] smsutil: Check cbs_dcs_decode return value
5
6It is better to explicitly check the return value of cbs_dcs_decode
7instead of relying on udhi not being changed due to side-effects.
8
9CVE: CVE-2023-2794
10Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400]
11
12Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
13---
14 src/smsutil.c | 3 ++-
15 1 file changed, 2 insertions(+), 1 deletion(-)
16
17diff --git a/src/smsutil.c b/src/smsutil.c
18index d8170d1..7746a71 100644
19--- a/src/smsutil.c
20+++ b/src/smsutil.c
21@@ -1765,7 +1765,8 @@ gboolean sms_udh_iter_init_from_cbs(const struct cbs *cbs,
22 const guint8 *hdr;
23 guint8 max_ud_len;
24
25- cbs_dcs_decode(cbs->dcs, &udhi, NULL, NULL, NULL, NULL, NULL);
26+ if (!cbs_dcs_decode(cbs->dcs, &udhi, NULL, NULL, NULL, NULL, NULL))
27+ return FALSE;
28
29 if (!udhi)
30 return FALSE;
31--
322.25.1
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0003.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0003.patch
new file mode 100644
index 0000000000..82b36a0193
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0003.patch
@@ -0,0 +1,44 @@
1From 07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e Mon Sep 17 00:00:00 2001
2From: Denis Kenzior <denkenz@gmail.com>
3Date: Mon, 5 Aug 2024 20:23:38 +0800
4Subject: [PATCH] simutil: Make sure set_length on the parent succeeds
5
6CVE: CVE-2023-2794
7Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e]
8
9Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
10---
11 src/simutil.c | 11 ++++++-----
12 1 file changed, 6 insertions(+), 5 deletions(-)
13
14diff --git a/src/simutil.c b/src/simutil.c
15index 59d8d5d..0e131e8 100644
16--- a/src/simutil.c
17+++ b/src/simutil.c
18@@ -588,8 +588,9 @@ gboolean ber_tlv_builder_set_length(struct ber_tlv_builder *builder,
19 if (new_pos > builder->max)
20 return FALSE;
21
22- if (builder->parent)
23- ber_tlv_builder_set_length(builder->parent, new_pos);
24+ if (builder->parent &&
25+ !ber_tlv_builder_set_length(builder->parent, new_pos))
26+ return FALSE;
27
28 builder->len = new_len;
29
30@@ -730,9 +731,9 @@ gboolean comprehension_tlv_builder_set_length(
31 if (builder->pos + new_ctlv_len > builder->max)
32 return FALSE;
33
34- if (builder->parent)
35- ber_tlv_builder_set_length(builder->parent,
36- builder->pos + new_ctlv_len);
37+ if (builder->parent && !ber_tlv_builder_set_length(builder->parent,
38+ builder->pos + new_ctlv_len))
39+ return FALSE;
40
41 len = MIN(builder->len, new_len);
42 if (len > 0 && new_len_size != len_size)
43--
442.25.1
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0004.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0004.patch
new file mode 100644
index 0000000000..3111b3007d
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0004.patch
@@ -0,0 +1,127 @@
1From 8fa1fdfcb54e1edb588c6a5e2688880b065a39c9 Mon Sep 17 00:00:00 2001
2From: Denis Kenzior <denkenz@gmail.com>
3Date: Mon, 5 Aug 2024 20:38:20 +0800
4Subject: [PATCH] smsutil: Use a safer strlcpy
5
6sms_address_from_string is meant as private API, to be used with string
7form addresses that have already been sanitized. However, to be safe,
8use a safe version of strcpy to avoid overflowing the buffer in case the
9input was not sanitized properly. While here, add a '__' prefix to the
10function name to help make it clearer that this API is private and
11should be used with more care.
12
13CVE: CVE-2023-2794
14Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e2688880b065a39c9]
15
16Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
17---
18 src/smsutil.c | 14 +++++++-------
19 src/smsutil.h | 2 +-
20 unit/test-sms.c | 6 +++---
21 3 files changed, 11 insertions(+), 11 deletions(-)
22
23diff --git a/src/smsutil.c b/src/smsutil.c
24index 7746a71..e073a06 100644
25--- a/src/smsutil.c
26+++ b/src/smsutil.c
27@@ -1887,15 +1887,15 @@ time_t sms_scts_to_time(const struct sms_scts *scts, struct tm *remote)
28 return ret;
29 }
30
31-void sms_address_from_string(struct sms_address *addr, const char *str)
32+void __sms_address_from_string(struct sms_address *addr, const char *str)
33 {
34 addr->numbering_plan = SMS_NUMBERING_PLAN_ISDN;
35 if (str[0] == '+') {
36 addr->number_type = SMS_NUMBER_TYPE_INTERNATIONAL;
37- strcpy(addr->address, str + 1);
38+ l_strlcpy(addr->address, str + 1, sizeof(addr->address));
39 } else {
40 addr->number_type = SMS_NUMBER_TYPE_UNKNOWN;
41- strcpy(addr->address, str);
42+ l_strlcpy(addr->address, str, sizeof(addr->address));
43 }
44 }
45
46@@ -3087,7 +3087,7 @@ gboolean status_report_assembly_report(struct status_report_assembly *assembly,
47 }
48 }
49
50- sms_address_from_string(&addr, straddr);
51+ __sms_address_from_string(&addr, straddr);
52
53 if (pending == TRUE && node->deliverable == TRUE) {
54 /*
55@@ -3180,7 +3180,7 @@ void status_report_assembly_expire(struct status_report_assembly *assembly,
56 while (g_hash_table_iter_next(&iter_addr, (gpointer) &straddr,
57 (gpointer) &id_table)) {
58
59- sms_address_from_string(&addr, straddr);
60+ __sms_address_from_string(&addr, straddr);
61 g_hash_table_iter_init(&iter_node, id_table);
62
63 /* Go through different messages. */
64@@ -3474,7 +3474,7 @@ GSList *sms_datagram_prepare(const char *to,
65 template.submit.vp.relative = 0xA7; /* 24 Hours */
66 template.submit.dcs = 0x04; /* Class Unspecified, 8 Bit */
67 template.submit.udhi = TRUE;
68- sms_address_from_string(&template.submit.daddr, to);
69+ __sms_address_from_string(&template.submit.daddr, to);
70
71 offset = 1;
72
73@@ -3601,7 +3601,7 @@ GSList *sms_text_prepare_with_alphabet(const char *to, const char *utf8,
74 template.submit.srr = use_delivery_reports;
75 template.submit.mr = 0;
76 template.submit.vp.relative = 0xA7; /* 24 Hours */
77- sms_address_from_string(&template.submit.daddr, to);
78+ __sms_address_from_string(&template.submit.daddr, to);
79
80 /* There are two enums for the same thing */
81 dialect = (enum gsm_dialect)alphabet;
82diff --git a/src/smsutil.h b/src/smsutil.h
83index 01487de..bc21504 100644
84--- a/src/smsutil.h
85+++ b/src/smsutil.h
86@@ -487,7 +487,7 @@ int sms_udl_in_bytes(guint8 ud_len, guint8 dcs);
87 time_t sms_scts_to_time(const struct sms_scts *scts, struct tm *remote);
88
89 const char *sms_address_to_string(const struct sms_address *addr);
90-void sms_address_from_string(struct sms_address *addr, const char *str);
91+void __sms_address_from_string(struct sms_address *addr, const char *str);
92
93 const guint8 *sms_extract_common(const struct sms *sms, gboolean *out_udhi,
94 guint8 *out_dcs, guint8 *out_udl,
95diff --git a/unit/test-sms.c b/unit/test-sms.c
96index 3bc099b..88293d5 100644
97--- a/unit/test-sms.c
98+++ b/unit/test-sms.c
99@@ -1603,7 +1603,7 @@ static void test_sr_assembly(void)
100 sr3.status_report.mr);
101 }
102
103- sms_address_from_string(&addr, "+4915259911630");
104+ __sms_address_from_string(&addr, "+4915259911630");
105
106 sra = status_report_assembly_new(NULL);
107
108@@ -1626,7 +1626,7 @@ static void test_sr_assembly(void)
109 * Send sms-message in the national address-format,
110 * but receive in the international address-format.
111 */
112- sms_address_from_string(&addr, "9911630");
113+ __sms_address_from_string(&addr, "9911630");
114 status_report_assembly_add_fragment(sra, sha1, &addr, 4, time(NULL), 2);
115 status_report_assembly_add_fragment(sra, sha1, &addr, 5, time(NULL), 2);
116
117@@ -1641,7 +1641,7 @@ static void test_sr_assembly(void)
118 * Send sms-message in the international address-format,
119 * but receive in the national address-format.
120 */
121- sms_address_from_string(&addr, "+358123456789");
122+ __sms_address_from_string(&addr, "+358123456789");
123 status_report_assembly_add_fragment(sra, sha1, &addr, 6, time(NULL), 1);
124
125 g_assert(status_report_assembly_report(sra, &sr3, id, &delivered));
126--
1272.25.1
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index f4548b8a30..3ffb713472 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -14,6 +14,10 @@ SRC_URI = "\
14 file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \ 14 file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
15 file://CVE-2023-4234.patch \ 15 file://CVE-2023-4234.patch \
16 file://CVE-2023-4233.patch \ 16 file://CVE-2023-4233.patch \
17 file://CVE-2023-2794-0001.patch \
18 file://CVE-2023-2794-0002.patch \
19 file://CVE-2023-2794-0003.patch \
20 file://CVE-2023-2794-0004.patch \
17" 21"
18SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" 22SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
19 23