summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorArchana Polampalli <archana.polampalli@windriver.com>2024-05-03 11:41:52 +0000
committerSteve Sakoman <steve@sakoman.com>2024-05-15 09:44:14 -0700
commit88287ba5217fc564e7f61ecfd95d3c8056995c82 (patch)
tree7cac42ce3c2d32fd5d5e4f64f5b201b2c3911678 /meta
parent2b21c6009aa6b955e1a0e7312c3c0ad66557681b (diff)
downloadpoky-88287ba5217fc564e7f61ecfd95d3c8056995c82.tar.gz
ofono: fix CVE-2023-4234
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_submit_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_submit_report(). (From OE-Core rev: 51cf006ac7b5b97e65864fb1cb6f5b47192c4ebf) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch39
-rw-r--r--meta/recipes-connectivity/ofono/ofono_1.34.bb1
2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch
new file mode 100644
index 0000000000..9d7b56c1ae
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch
@@ -0,0 +1,39 @@
1From 8d74bc66146ea78620d140640a0a57af86fc8936 Mon Sep 17 00:00:00 2001
2From: Denis Grigorev <d.grigorev@omp.ru>
3Date: Thu, 21 Dec 2023 17:16:38 +0300
4Subject: [PATCH] smsutil: Check that submit report fits in memory
5
6This addresses CVE-2023-4234.
7
8CVE: CVE-2023-4234.
9
10Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8d74bc66146ea786]
11
12Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
13---
14 src/smsutil.c | 6 ++++++
15 1 file changed, 6 insertions(+)
16
17diff --git a/src/smsutil.c b/src/smsutil.c
18index 8e57a06..5a12708 100644
19--- a/src/smsutil.c
20+++ b/src/smsutil.c
21@@ -938,10 +938,16 @@ static gboolean decode_submit_report(const unsigned char *pdu, int len,
22 return FALSE;
23
24 if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) {
25+ if (expected > (int) sizeof(out->submit_err_report.ud))
26+ return FALSE;
27+
28 out->submit_err_report.udl = udl;
29 memcpy(out->submit_err_report.ud,
30 pdu + offset, expected);
31 } else {
32+ if (expected > (int) sizeof(out->submit_ack_report.ud))
33+ return FALSE;
34+
35 out->submit_ack_report.udl = udl;
36 memcpy(out->submit_ack_report.ud,
37 pdu + offset, expected);
38--
392.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index 23631747a7..8aab312ff8 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -12,6 +12,7 @@ SRC_URI = "\
12 file://ofono \ 12 file://ofono \
13 file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \ 13 file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
14 file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \ 14 file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
15 file://CVE-2023-4234.patch \
15" 16"
16SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" 17SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
17 18