[dunfell,1/3] connman: fix CVE-2022-32292

Message ID	20220913034739.45165-1-chee.yang.lee@intel.com
State	Accepted, archived
Commit	380b6fb2583f875aad0cb28c91b1531e63eb2eeb
Headers	show Return-Path: <chee.yang.lee@intel.com> ip: 192.55.52.43, mailfrom: chee.yang.lee@intel.com) From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [PATCH][dunfell 1/3] connman: fix CVE-2022-32292 Date: Tue, 13 Sep 2022 11:47:37 +0800 Message-Id: <20220913034739.45165-1-chee.yang.lee@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,1/3] connman: fix CVE-2022-32292 \| expand [dunfell,1/3] connman: fix CVE-2022-32292 [dunfell,2/3] gnutls: fix CVE-2021-4209 [dunfell,3/3] virglrenderer: fix CVE-2022-0135

Message ID

20220913034739.45165-1-chee.yang.lee@intel.com

State

Accepted, archived

Commit

380b6fb2583f875aad0cb28c91b1531e63eb2eeb

Headers

From: chee.yang.lee@intel.com
To: openembedded-core@lists.openembedded.org
Subject: [PATCH][dunfell 1/3] connman: fix CVE-2022-32292
Date: Tue, 13 Sep 2022 11:47:37 +0800
Message-Id: <20220913034739.45165-1-chee.yang.lee@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,1/3] connman: fix CVE-2022-32292 | expand

Commit Message

Lee, Chee Yang Sept. 13, 2022, 3:47 a.m. UTC

From: Chee Yang Lee <chee.yang.lee@intel.com>

Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
 .../connman/connman/CVE-2022-32292.patch      | 37 +++++++++++++++++++
 .../connman/connman_1.37.bb                   |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
new file mode 100644
index 0000000000..74a739d6a2
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@ 
+From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
+From: Nathan Crandall <ncrandall@tesla.com>
+Date: Tue, 12 Jul 2022 08:56:34 +0200
+Subject: gweb: Fix OOB write in received_data()
+
+There is a mismatch of handling binary vs. C-string data with memchr
+and strlen, resulting in pos, count, and bytes_read to become out of
+sync and result in a heap overflow.  Instead, do not treat the buffer
+as an ASCII C-string. We calculate the count based on the return value
+of memchr, instead of strlen.
+
+Fixes: CVE-2022-32292
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b
+CVE: CVE-2022-32292
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ gweb/gweb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gweb/gweb.c b/gweb/gweb.c
+index 12fcb1d8..13c6c5f2 100644
+--- a/gweb/gweb.c
++++ b/gweb/gweb.c
+@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
+ 		}
+ 
+ 		*pos = '\0';
+-		count = strlen((char *) ptr);
++		count = pos - ptr;
+ 		if (count > 0 && ptr[count - 1] == '\r') {
+ 			ptr[--count] = '\0';
+ 			bytes_read--;
+-- 
+cgit 
+
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb
index bdd1e590ec..4f22c7ad49 100644
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -12,6 +12,7 @@  SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
             file://CVE-2021-33833.patch \
             file://CVE-2022-23096-7.patch \
             file://CVE-2022-23098.patch \
+            file://CVE-2022-32292.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"

[dunfell,1/3] connman: fix CVE-2022-32292

Commit Message

Patch