[dunfell,03/20] connman: fix CVE-2022-23098

Message ID af56acf66b4196c961a20ec59faa580cc3e3ee23.1645452535.git.steve@sakoman.com
State Accepted, archived
Commit af56acf66b4196c961a20ec59faa580cc3e3ee23
Series [dunfell,01/20] expat: fix CVE-2022-23990

Commit Message

Steve Sakoman Feb. 21, 2022, 2:14 p.m. UTC
An issue was discovered in the DNS proxy in Connman through 1.40.
The TCP server reply implementation has an infinite loop if no
data is received.

Backport patch from:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d8708b85c1e8fe25af7803e8a20cf20e7201d8a4

CVE: CVE-2022-23098

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../connman/connman/CVE-2022-23098.patch      | 50 +++++++++++++++++++
 .../connman/connman_1.37.bb                   |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch

Patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch
new file mode 100644
index 0000000000..a40c9f583f
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch
@@ -0,0 +1,50 @@ 
+From d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Tue, 25 Jan 2022 10:00:25 +0100
+Subject: dnsproxy: Avoid 100 % busy loop in TCP server case
+
+Once the TCP socket is connected and until the remote server is
+responding (if ever) ConnMan executes a 100 % CPU loop, since
+the connected socket will always be writable (G_IO_OUT).
+
+To fix this, modify the watch after the connection is established to
+remove the G_IO_OUT from the callback conditions.
+
+Fixes: CVE-2022-23098
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d8708b85c1e8fe25af7803e8a20cf20e7201d8a4
+
+CVE: CVE-2022-23098
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/dnsproxy.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index c027bcb9..1ccf36a9 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -2360,6 +2360,18 @@ hangup:
+ 			}
+ 		}
+ 
++		/*
++		 * Remove the G_IO_OUT flag from the watch, otherwise we end
++		 * up in a busy loop, because the socket is constantly writable.
++		 *
++		 * There seems to be no better way in g_io to do that than
++		 * re-adding the watch.
++		 */
++		g_source_remove(server->watch);
++		server->watch = g_io_add_watch(server->channel,
++			G_IO_IN | G_IO_HUP | G_IO_NVAL | G_IO_ERR,
++			tcp_server_event, server);
++
+ 		server->connected = true;
+ 		server_list = g_slist_append(server_list, server);
+ 
+-- 
+cgit 1.2.3-1.el7
+
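Review bot: the `Upstream-Status:` header in the new patch file puts the URL on a separate line; the OE-Core convention is a single line of the form `Upstream-Status: Backport [https://git.kernel.org/...]` so that the patch-review tooling can parse it, and the trailing `cgit 1.2.3-1.el7` line is cgit output rather than part of the upstream commit and can be dropped. The code change itself reads correctly: once the TCP connection is established the watch is re-added with only `G_IO_IN | G_IO_HUP | G_IO_NVAL | G_IO_ERR`, so the always-writable socket no longer wakes the main loop, and `g_source_remove(server->watch)` runs before the new id is stored in `server->watch`, so the field never refers to an already-removed source.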
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb
index e3ea3cd065..096981364f 100644
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -10,6 +10,7 @@  SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
             file://CVE-2021-26676-0001.patch \
             file://CVE-2021-26676-0002.patch \
             file://CVE-2022-23096-7.patch \
+            file://CVE-2022-23098.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
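Review bot: the new `file://CVE-2022-23098.patch` entry keeps the existing ordering of the CVE patches in `SRC_URI` and needs no other recipe change; since the patch carries a `CVE: CVE-2022-23098` tag in its header, cve-check will report the issue as patched for connman 1.37 without a separate `CVE_CHECK_WHITELIST` entry.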