diff options
| author | Yogita Urade <yogita.urade@windriver.com> | 2024-08-08 05:22:03 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-08-16 08:09:14 -0700 |
| commit | 204b28c41977cac9d1b428b490aaf7441140e92a (patch) | |
| tree | f1986b19143929463c3ef640e2376ea860a6fafc /meta/recipes-connectivity | |
| parent | 6313a595f9b5e0764701db134e91e2f1d7b72fa5 (diff) | |
| download | poky-204b28c41977cac9d1b428b490aaf7441140e92a.tar.gz | |
ofono: fix CVE-2023-2794
A flaw was found in ofono, an Open Source Telephony on Linux.
A stack overflow bug is triggered within the decode_deliver()
function during the SMS decoding. It is assumed that the attack
scenario is accessible from a compromised modem, a malicious
base station, or just SMS. There is a bound check for this
memcpy length in decode_submit(), but it was forgotten in
decode_deliver().
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-2794
Upstream patches:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e2688880b065a39c9
(From OE-Core rev: 5114e9064dbabd5258f512cd97c79fc40f848b98)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-connectivity')
5 files changed, 244 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0001.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0001.patch new file mode 100644 index 0000000000..a44633edd9 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0001.patch | |||
| @@ -0,0 +1,37 @@ | |||
| 1 | From a90421d8e45d63b304dc010baba24633e7869682 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Denis Kenzior <denkenz@gmail.com> | ||
| 3 | Date: Mon, 5 Aug 2024 19:50:04 +0800 | ||
| 4 | Subject: [PATCH] smsutil: ensure the address length in bytes <= 10 | ||
| 5 | |||
| 6 | If a specially formatted SMS is received, it is conceivable that the | ||
| 7 | address length might overflow the structure it is being parsed into. | ||
| 8 | Ensure that the length in bytes of the address never exceeds 10. | ||
| 9 | |||
| 10 | CVE: CVE-2023-2794 | ||
| 11 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682] | ||
| 12 | |||
| 13 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
| 14 | --- | ||
| 15 | src/smsutil.c | 7 ++++++- | ||
| 16 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
| 17 | |||
| 18 | diff --git a/src/smsutil.c b/src/smsutil.c | ||
| 19 | index 8dd2126..d8170d1 100644 | ||
| 20 | --- a/src/smsutil.c | ||
| 21 | +++ b/src/smsutil.c | ||
| 22 | @@ -643,7 +643,12 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len, | ||
| 23 | else | ||
| 24 | byte_len = (addr_len + 1) / 2; | ||
| 25 | |||
| 26 | - if ((len - *offset) < byte_len) | ||
| 27 | + /* | ||
| 28 | + * 23.040: | ||
| 29 | + * The maximum length of the full address field | ||
| 30 | + * (AddressLength, TypeofAddress and AddressValue) is 12 octets. | ||
| 31 | + */ | ||
| 32 | + if ((len - *offset) < byte_len || byte_len > 10) | ||
| 33 | return FALSE; | ||
| 34 | |||
| 35 | out->number_type = bit_field(addr_type, 4, 3); | ||
| 36 | -- | ||
| 37 | 2.25.1 | ||
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0002.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0002.patch new file mode 100644 index 0000000000..dfd6edeb7e --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0002.patch | |||
| @@ -0,0 +1,32 @@ | |||
| 1 | From 7f2adfa22fbae824f8e2c3ae86a3f51da31ee400 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Denis Kenzior <denkenz@gmail.com> | ||
| 3 | Date: Mon, 5 Aug 2024 20:06:09 +0800 | ||
| 4 | Subject: [PATCH] smsutil: Check cbs_dcs_decode return value | ||
| 5 | |||
| 6 | It is better to explicitly check the return value of cbs_dcs_decode | ||
| 7 | instead of relying on udhi not being changed due to side-effects. | ||
| 8 | |||
| 9 | CVE: CVE-2023-2794 | ||
| 10 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400] | ||
| 11 | |||
| 12 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
| 13 | --- | ||
| 14 | src/smsutil.c | 3 ++- | ||
| 15 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
| 16 | |||
| 17 | diff --git a/src/smsutil.c b/src/smsutil.c | ||
| 18 | index d8170d1..7746a71 100644 | ||
| 19 | --- a/src/smsutil.c | ||
| 20 | +++ b/src/smsutil.c | ||
| 21 | @@ -1765,7 +1765,8 @@ gboolean sms_udh_iter_init_from_cbs(const struct cbs *cbs, | ||
| 22 | const guint8 *hdr; | ||
| 23 | guint8 max_ud_len; | ||
| 24 | |||
| 25 | - cbs_dcs_decode(cbs->dcs, &udhi, NULL, NULL, NULL, NULL, NULL); | ||
| 26 | + if (!cbs_dcs_decode(cbs->dcs, &udhi, NULL, NULL, NULL, NULL, NULL)) | ||
| 27 | + return FALSE; | ||
| 28 | |||
| 29 | if (!udhi) | ||
| 30 | return FALSE; | ||
| 31 | -- | ||
| 32 | 2.25.1 | ||
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0003.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0003.patch new file mode 100644 index 0000000000..82b36a0193 --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0003.patch | |||
| @@ -0,0 +1,44 @@ | |||
| 1 | From 07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Denis Kenzior <denkenz@gmail.com> | ||
| 3 | Date: Mon, 5 Aug 2024 20:23:38 +0800 | ||
| 4 | Subject: [PATCH] simutil: Make sure set_length on the parent succeeds | ||
| 5 | |||
| 6 | CVE: CVE-2023-2794 | ||
| 7 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e] | ||
| 8 | |||
| 9 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
| 10 | --- | ||
| 11 | src/simutil.c | 11 ++++++----- | ||
| 12 | 1 file changed, 6 insertions(+), 5 deletions(-) | ||
| 13 | |||
| 14 | diff --git a/src/simutil.c b/src/simutil.c | ||
| 15 | index 59d8d5d..0e131e8 100644 | ||
| 16 | --- a/src/simutil.c | ||
| 17 | +++ b/src/simutil.c | ||
| 18 | @@ -588,8 +588,9 @@ gboolean ber_tlv_builder_set_length(struct ber_tlv_builder *builder, | ||
| 19 | if (new_pos > builder->max) | ||
| 20 | return FALSE; | ||
| 21 | |||
| 22 | - if (builder->parent) | ||
| 23 | - ber_tlv_builder_set_length(builder->parent, new_pos); | ||
| 24 | + if (builder->parent && | ||
| 25 | + !ber_tlv_builder_set_length(builder->parent, new_pos)) | ||
| 26 | + return FALSE; | ||
| 27 | |||
| 28 | builder->len = new_len; | ||
| 29 | |||
| 30 | @@ -730,9 +731,9 @@ gboolean comprehension_tlv_builder_set_length( | ||
| 31 | if (builder->pos + new_ctlv_len > builder->max) | ||
| 32 | return FALSE; | ||
| 33 | |||
| 34 | - if (builder->parent) | ||
| 35 | - ber_tlv_builder_set_length(builder->parent, | ||
| 36 | - builder->pos + new_ctlv_len); | ||
| 37 | + if (builder->parent && !ber_tlv_builder_set_length(builder->parent, | ||
| 38 | + builder->pos + new_ctlv_len)) | ||
| 39 | + return FALSE; | ||
| 40 | |||
| 41 | len = MIN(builder->len, new_len); | ||
| 42 | if (len > 0 && new_len_size != len_size) | ||
| 43 | -- | ||
| 44 | 2.25.1 | ||
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0004.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0004.patch new file mode 100644 index 0000000000..3111b3007d --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0004.patch | |||
| @@ -0,0 +1,127 @@ | |||
| 1 | From 8fa1fdfcb54e1edb588c6a5e2688880b065a39c9 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Denis Kenzior <denkenz@gmail.com> | ||
| 3 | Date: Mon, 5 Aug 2024 20:38:20 +0800 | ||
| 4 | Subject: [PATCH] smsutil: Use a safer strlcpy | ||
| 5 | |||
| 6 | sms_address_from_string is meant as private API, to be used with string | ||
| 7 | form addresses that have already been sanitized. However, to be safe, | ||
| 8 | use a safe version of strcpy to avoid overflowing the buffer in case the | ||
| 9 | input was not sanitized properly. While here, add a '__' prefix to the | ||
| 10 | function name to help make it clearer that this API is private and | ||
| 11 | should be used with more care. | ||
| 12 | |||
| 13 | CVE: CVE-2023-2794 | ||
| 14 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e2688880b065a39c9] | ||
| 15 | |||
| 16 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
| 17 | --- | ||
| 18 | src/smsutil.c | 14 +++++++------- | ||
| 19 | src/smsutil.h | 2 +- | ||
| 20 | unit/test-sms.c | 6 +++--- | ||
| 21 | 3 files changed, 11 insertions(+), 11 deletions(-) | ||
| 22 | |||
| 23 | diff --git a/src/smsutil.c b/src/smsutil.c | ||
| 24 | index 7746a71..e073a06 100644 | ||
| 25 | --- a/src/smsutil.c | ||
| 26 | +++ b/src/smsutil.c | ||
| 27 | @@ -1887,15 +1887,15 @@ time_t sms_scts_to_time(const struct sms_scts *scts, struct tm *remote) | ||
| 28 | return ret; | ||
| 29 | } | ||
| 30 | |||
| 31 | -void sms_address_from_string(struct sms_address *addr, const char *str) | ||
| 32 | +void __sms_address_from_string(struct sms_address *addr, const char *str) | ||
| 33 | { | ||
| 34 | addr->numbering_plan = SMS_NUMBERING_PLAN_ISDN; | ||
| 35 | if (str[0] == '+') { | ||
| 36 | addr->number_type = SMS_NUMBER_TYPE_INTERNATIONAL; | ||
| 37 | - strcpy(addr->address, str + 1); | ||
| 38 | + l_strlcpy(addr->address, str + 1, sizeof(addr->address)); | ||
| 39 | } else { | ||
| 40 | addr->number_type = SMS_NUMBER_TYPE_UNKNOWN; | ||
| 41 | - strcpy(addr->address, str); | ||
| 42 | + l_strlcpy(addr->address, str, sizeof(addr->address)); | ||
| 43 | } | ||
| 44 | } | ||
| 45 | |||
| 46 | @@ -3087,7 +3087,7 @@ gboolean status_report_assembly_report(struct status_report_assembly *assembly, | ||
| 47 | } | ||
| 48 | } | ||
| 49 | |||
| 50 | - sms_address_from_string(&addr, straddr); | ||
| 51 | + __sms_address_from_string(&addr, straddr); | ||
| 52 | |||
| 53 | if (pending == TRUE && node->deliverable == TRUE) { | ||
| 54 | /* | ||
| 55 | @@ -3180,7 +3180,7 @@ void status_report_assembly_expire(struct status_report_assembly *assembly, | ||
| 56 | while (g_hash_table_iter_next(&iter_addr, (gpointer) &straddr, | ||
| 57 | (gpointer) &id_table)) { | ||
| 58 | |||
| 59 | - sms_address_from_string(&addr, straddr); | ||
| 60 | + __sms_address_from_string(&addr, straddr); | ||
| 61 | g_hash_table_iter_init(&iter_node, id_table); | ||
| 62 | |||
| 63 | /* Go through different messages. */ | ||
| 64 | @@ -3474,7 +3474,7 @@ GSList *sms_datagram_prepare(const char *to, | ||
| 65 | template.submit.vp.relative = 0xA7; /* 24 Hours */ | ||
| 66 | template.submit.dcs = 0x04; /* Class Unspecified, 8 Bit */ | ||
| 67 | template.submit.udhi = TRUE; | ||
| 68 | - sms_address_from_string(&template.submit.daddr, to); | ||
| 69 | + __sms_address_from_string(&template.submit.daddr, to); | ||
| 70 | |||
| 71 | offset = 1; | ||
| 72 | |||
| 73 | @@ -3601,7 +3601,7 @@ GSList *sms_text_prepare_with_alphabet(const char *to, const char *utf8, | ||
| 74 | template.submit.srr = use_delivery_reports; | ||
| 75 | template.submit.mr = 0; | ||
| 76 | template.submit.vp.relative = 0xA7; /* 24 Hours */ | ||
| 77 | - sms_address_from_string(&template.submit.daddr, to); | ||
| 78 | + __sms_address_from_string(&template.submit.daddr, to); | ||
| 79 | |||
| 80 | /* There are two enums for the same thing */ | ||
| 81 | dialect = (enum gsm_dialect)alphabet; | ||
| 82 | diff --git a/src/smsutil.h b/src/smsutil.h | ||
| 83 | index 01487de..bc21504 100644 | ||
| 84 | --- a/src/smsutil.h | ||
| 85 | +++ b/src/smsutil.h | ||
| 86 | @@ -487,7 +487,7 @@ int sms_udl_in_bytes(guint8 ud_len, guint8 dcs); | ||
| 87 | time_t sms_scts_to_time(const struct sms_scts *scts, struct tm *remote); | ||
| 88 | |||
| 89 | const char *sms_address_to_string(const struct sms_address *addr); | ||
| 90 | -void sms_address_from_string(struct sms_address *addr, const char *str); | ||
| 91 | +void __sms_address_from_string(struct sms_address *addr, const char *str); | ||
| 92 | |||
| 93 | const guint8 *sms_extract_common(const struct sms *sms, gboolean *out_udhi, | ||
| 94 | guint8 *out_dcs, guint8 *out_udl, | ||
| 95 | diff --git a/unit/test-sms.c b/unit/test-sms.c | ||
| 96 | index 3bc099b..88293d5 100644 | ||
| 97 | --- a/unit/test-sms.c | ||
| 98 | +++ b/unit/test-sms.c | ||
| 99 | @@ -1603,7 +1603,7 @@ static void test_sr_assembly(void) | ||
| 100 | sr3.status_report.mr); | ||
| 101 | } | ||
| 102 | |||
| 103 | - sms_address_from_string(&addr, "+4915259911630"); | ||
| 104 | + __sms_address_from_string(&addr, "+4915259911630"); | ||
| 105 | |||
| 106 | sra = status_report_assembly_new(NULL); | ||
| 107 | |||
| 108 | @@ -1626,7 +1626,7 @@ static void test_sr_assembly(void) | ||
| 109 | * Send sms-message in the national address-format, | ||
| 110 | * but receive in the international address-format. | ||
| 111 | */ | ||
| 112 | - sms_address_from_string(&addr, "9911630"); | ||
| 113 | + __sms_address_from_string(&addr, "9911630"); | ||
| 114 | status_report_assembly_add_fragment(sra, sha1, &addr, 4, time(NULL), 2); | ||
| 115 | status_report_assembly_add_fragment(sra, sha1, &addr, 5, time(NULL), 2); | ||
| 116 | |||
| 117 | @@ -1641,7 +1641,7 @@ static void test_sr_assembly(void) | ||
| 118 | * Send sms-message in the international address-format, | ||
| 119 | * but receive in the national address-format. | ||
| 120 | */ | ||
| 121 | - sms_address_from_string(&addr, "+358123456789"); | ||
| 122 | + __sms_address_from_string(&addr, "+358123456789"); | ||
| 123 | status_report_assembly_add_fragment(sra, sha1, &addr, 6, time(NULL), 1); | ||
| 124 | |||
| 125 | g_assert(status_report_assembly_report(sra, &sr3, id, &delivered)); | ||
| 126 | -- | ||
| 127 | 2.25.1 | ||
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index f4548b8a30..3ffb713472 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb | |||
| @@ -14,6 +14,10 @@ SRC_URI = "\ | |||
| 14 | file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \ | 14 | file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \ |
| 15 | file://CVE-2023-4234.patch \ | 15 | file://CVE-2023-4234.patch \ |
| 16 | file://CVE-2023-4233.patch \ | 16 | file://CVE-2023-4233.patch \ |
| 17 | file://CVE-2023-2794-0001.patch \ | ||
| 18 | file://CVE-2023-2794-0002.patch \ | ||
| 19 | file://CVE-2023-2794-0003.patch \ | ||
| 20 | file://CVE-2023-2794-0004.patch \ | ||
| 17 | " | 21 | " |
| 18 | SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" | 22 | SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" |
| 19 | 23 | ||
