ofono: fix CVE-2023-4233

A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the sms_decode_address_field() function during the SMS PDU decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. (From OE-Core rev: 996c03dfb5295ec38286dee37c70c700b88e0a1e) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2024-05-03 11:41:53 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-05-15 09:44:14 -0700
commit: 645aff93b3468dbe8907b1ebd0567c28c3ddff3c (patch)
tree: 908f20d0cc480c6f3962384fd8d5c918950933b9 /meta
parent: 88287ba5217fc564e7f61ecfd95d3c8056995c82 (diff)
download: poky-645aff93b3468dbe8907b1ebd0567c28c3ddff3c.tar.gz
2 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch
new file mode 100644
index 0000000000..d047a0d87a
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch
@@ -0,0 +1,32 @@
+From 1a5fbefa59465bec80425add562bdb1d36ec8e23 Mon Sep 17 00:00:00 2001
+From: Denis Grigorev <d.grigorev@omp.ru>
+Date: Fri, 29 Dec 2023 13:30:04 +0300
+Subject: [PATCH] smsutil: Validate the length of the address field
+This addresses CVE-2023-4233.
+CVE: CVE-2023-4233
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=1a5fbefa59465bec]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/smsutil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/smsutil.c b/src/smsutil.c
+index 5a12708..8dd2126 100644
+--- a/src/smsutil.c
+++ b/src/smsutil.c
+@@ -626,6 +626,9 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
+        if (!next_octet(pdu, len, offset, &addr_len))
+                return FALSE;
+       /* According to 23.040 9.1.2.5 Address-Length must not exceed 20 */
+        if (addr_len > 20)
+                return FALSE;
+        if (sc && addr_len == 0) {
+                out->address[0] = '\0';
+--
+2.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index 8aab312ff8..f4548b8a30 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -13,6 +13,7 @@ SRC_URI = "\
    file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
    file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
    file://CVE-2023-4234.patch \
+    file://CVE-2023-4233.patch \
 "
 SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
author	Archana Polampalli <archana.polampalli@windriver.com>	2024-05-03 11:41:53 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-05-15 09:44:14 -0700
commit	645aff93b3468dbe8907b1ebd0567c28c3ddff3c (patch)
tree	908f20d0cc480c6f3962384fd8d5c918950933b9 /meta
parent	88287ba5217fc564e7f61ecfd95d3c8056995c82 (diff)
download	poky-645aff93b3468dbe8907b1ebd0567c28c3ddff3c.tar.gz

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch new file mode 100644 index 0000000000..d047a0d87a --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch
@@ -0,0 +1,32 @@
		1	From 1a5fbefa59465bec80425add562bdb1d36ec8e23 Mon Sep 17 00:00:00 2001
		2	From: Denis Grigorev <d.grigorev@omp.ru>
		3	Date: Fri, 29 Dec 2023 13:30:04 +0300
		4	Subject: [PATCH] smsutil: Validate the length of the address field
		5
		6	This addresses CVE-2023-4233.
		7
		8	CVE: CVE-2023-4233
		9
		10	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=1a5fbefa59465bec]
		11
		12	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		13	---
		14	src/smsutil.c \| 3 +++
		15	1 file changed, 3 insertions(+)
		16
		17	diff --git a/src/smsutil.c b/src/smsutil.c
		18	index 5a12708..8dd2126 100644
		19	--- a/src/smsutil.c
		20	+++ b/src/smsutil.c
		21	@@ -626,6 +626,9 @@ gboolean sms_decode_address_field(const unsigned char *pdu, int len,
		22
		23	if (!next_octet(pdu, len, offset, &addr_len))
		24	return FALSE;
		25	+ /* According to 23.040 9.1.2.5 Address-Length must not exceed 20 */
		26	+ if (addr_len > 20)
		27	+ return FALSE;
		28
		29	if (sc && addr_len == 0) {
		30	out->address[0] = '\0';
		31	--
		32	2.40.0


diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 8aab312ff8..f4548b8a30 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -13,6 +13,7 @@ SRC_URI = "\
13	file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \	13	file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
14	file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \	14	file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
15	file://CVE-2023-4234.patch \	15	file://CVE-2023-4234.patch \
		16	file://CVE-2023-4233.patch \
16	"	17	"
17	SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"	18	SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
18		19