From patchwork Tue Sep 13 03:47:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 12613 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00B97C6FA86 for ; Tue, 13 Sep 2022 03:47:44 +0000 (UTC) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mx.groups.io with SMTP id smtpd.web10.782.1663040862082628879 for ; Mon, 12 Sep 2022 20:47:42 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=T7iVJ/DB; spf=pass (domain: intel.com, ip: 192.55.52.43, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1663040862; x=1694576862; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=MFqqUCfmj30KfwOqTB00pdLsi92HncVsIG6T/QvD0xo=; b=T7iVJ/DBlYbt4HalFuy+Yyw3T7BGeUhVb+iD+lVUOVn17ivz3MpzUda/ o5Z4ZARpSbt0WDkmWFRldO1IiXbUKpSSWq8g1AS031+7cyEOueM2gBxvb 4gJUe+zJu6zQEIudXpfZKz4ZupINufiNZ6kFrIPh105iW1A3TByV1HTM4 eOQvfysrUfUjsgAiP/fYxqkbrzDCnCsyUqikihP38BmZYP6+YsTVeFCqI mod2Y/V5s1E5H7vpCHP1Ag+gMJIPWd8R7tiWrVKyh2BHN8TFoTBpuNHtx MvsGvL5uIJtVPWWK+JWuEVu1onJLdbaBhPepwgRphMObCxemnEctci5mN g==; X-IronPort-AV: E=McAfee;i="6500,9779,10468"; a="384324359" X-IronPort-AV: E=Sophos;i="5.93,311,1654585200"; d="scan'208";a="384324359" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Sep 2022 20:47:41 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.93,311,1654585200"; d="scan'208";a="567425888" Received: from andromeda02.png.intel.com ([10.221.253.198]) by orsmga003.jf.intel.com with ESMTP; 12 Sep 2022 20:47:40 -0700 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [PATCH][dunfell 1/3] connman: fix CVE-2022-32292 Date: Tue, 13 Sep 2022 11:47:37 +0800 Message-Id: <20220913034739.45165-1-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.36.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 13 Sep 2022 03:47:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170557 From: Chee Yang Lee Signed-off-by: Chee Yang Lee --- .../connman/connman/CVE-2022-32292.patch | 37 +++++++++++++++++++ .../connman/connman_1.37.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch new file mode 100644 index 0000000000..74a739d6a2 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch @@ -0,0 +1,37 @@ +From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 +From: Nathan Crandall +Date: Tue, 12 Jul 2022 08:56:34 +0200 +Subject: gweb: Fix OOB write in received_data() + +There is a mismatch of handling binary vs. C-string data with memchr +and strlen, resulting in pos, count, and bytes_read to become out of +sync and result in a heap overflow. Instead, do not treat the buffer +as an ASCII C-string. We calculate the count based on the return value +of memchr, instead of strlen. + +Fixes: CVE-2022-32292 + +Upstream-Status: Backport +https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b +CVE: CVE-2022-32292 +Signed-off-by: Lee Chee Yang +--- + gweb/gweb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gweb/gweb.c b/gweb/gweb.c +index 12fcb1d8..13c6c5f2 100644 +--- a/gweb/gweb.c ++++ b/gweb/gweb.c +@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, + } + + *pos = '\0'; +- count = strlen((char *) ptr); ++ count = pos - ptr; + if (count > 0 && ptr[count - 1] == '\r') { + ptr[--count] = '\0'; + bytes_read--; +-- +cgit + diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index bdd1e590ec..4f22c7ad49 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb @@ -12,6 +12,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://CVE-2021-33833.patch \ file://CVE-2022-23096-7.patch \ file://CVE-2022-23098.patch \ + file://CVE-2022-32292.patch \ " SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" From patchwork Tue Sep 13 03:47:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 12612 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F320DC6FA82 for ; Tue, 13 Sep 2022 03:47:44 +0000 (UTC) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mx.groups.io with SMTP id smtpd.web10.782.1663040862082628879 for ; Mon, 12 Sep 2022 20:47:42 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=lJ8mFDRS; spf=pass (domain: intel.com, ip: 192.55.52.43, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1663040862; x=1694576862; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=GrhisqEdmPHX05/Gx1XVDPOsypDQmP9xyJoul5Eka7I=; b=lJ8mFDRSZmvzvTMRb1pyHQZtl+1AQUbCbbcdW9OzHVrL0UhLpqXGUD9Q JMV3zPv20dC7WRa7ohplSe4ahyTYyYyPQPe5YPQUbyyK/RkDVzbZLAS93 nwFXU9wpwwO0A+Axm1Cfn5LmaXeSDgT4kP36tbofSRxMAoo35cfXMb+S2 PvMnununhg4MAiq0Y6pbRFpZvkvgQVZSw4rxRjpGzE+B1RLtXSHFqcB6c RjdcNsStJRXtauxumhJ/IxLQDD1l5zh78gEWKfUeiHSg/LocTeskkdKkC Al9ZYZRQXRa64B34dnTYEM652ynCzTCETlLuXsQ61LhpzosAZOc19lIzo Q==; X-IronPort-AV: E=McAfee;i="6500,9779,10468"; a="384324360" X-IronPort-AV: E=Sophos;i="5.93,311,1654585200"; d="scan'208";a="384324360" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Sep 2022 20:47:42 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.93,311,1654585200"; d="scan'208";a="567425892" Received: from andromeda02.png.intel.com ([10.221.253.198]) by orsmga003.jf.intel.com with ESMTP; 12 Sep 2022 20:47:41 -0700 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [PATCH][dunfell 2/3] gnutls: fix CVE-2021-4209 Date: Tue, 13 Sep 2022 11:47:38 +0800 Message-Id: <20220913034739.45165-2-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220913034739.45165-1-chee.yang.lee@intel.com> References: <20220913034739.45165-1-chee.yang.lee@intel.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 13 Sep 2022 03:47:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170558 From: Chee Yang Lee Signed-off-by: Chee Yang Lee --- .../gnutls/gnutls/CVE-2021-4209.patch | 37 +++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch new file mode 100644 index 0000000000..0bcb55e573 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch @@ -0,0 +1,37 @@ +From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 22 Dec 2021 09:12:25 +0100 +Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length + input + +As Nettle's hash update functions internally call memcpy, providing +zero-length input may cause undefined behavior. + +Signed-off-by: Daiki Ueno + +https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568 +Upstream-Status: Backport +CVE: CVE-2021-4209 +Signed-off-by: Chee Yang Lee +--- + lib/nettle/mac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c +index f9d4d7a8df..35e070fab0 100644 +--- a/lib/nettle/mac.c ++++ b/lib/nettle/mac.c +@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo, + if (ret < 0) + return gnutls_assert_val(ret); + +- ctx.update(&ctx, text_size, text); ++ if (text_size > 0) { ++ ctx.update(&ctx, text_size, text); ++ } + ctx.digest(&ctx, ctx.length, digest); + + return 0; +-- +GitLab + diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb index e9af71c7bd..f1757871ce 100644 --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb @@ -26,6 +26,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2021-20231.patch \ file://CVE-2021-20232.patch \ file://CVE-2022-2509.patch \ + file://CVE-2021-4209.patch \ " SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63" From patchwork Tue Sep 13 03:47:39 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 12611 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00FBAC54EE9 for ; Tue, 13 Sep 2022 03:47:44 +0000 (UTC) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mx.groups.io with SMTP id smtpd.web10.782.1663040862082628879 for ; Mon, 12 Sep 2022 20:47:43 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=CqfmeLIt; spf=pass (domain: intel.com, ip: 192.55.52.43, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1663040863; x=1694576863; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=GBzOISTvshLwkXOTVyxgJo3JDX5mh1mX2GsddwGRX0g=; b=CqfmeLItlj9JGr7Ma/GO+gK5/HbPsu4QFiNOHjJ2qW4QsrGB7pwKu0b2 NEuBfkCV3mWL8+gn9UEXFrdXtS0R92jGu28wRKKiiKFadlLowFs4bHN3V jtAP0VFRRKCzmPM2LWjB494hTN9NLCUjHgSWp6JYWT8GyrBQ8GWlPclHp sXC1nLvu0VF8InFMTd4wzYTvG40z4FKEAyqcVsD3O94qIXPyK7hrrN+tj rIYwXeTrQizvQ0/BIOqexjOOmFIuUH4iLt6qSCKbmdLoUcPvr7GADbflm 98ZiAW01w8WMrDIqWiNI25YnxOYhPwDy8LM/QnZhUYmbs7RHxuY/vIsx2 Q==; X-IronPort-AV: E=McAfee;i="6500,9779,10468"; a="384324366" X-IronPort-AV: E=Sophos;i="5.93,311,1654585200"; d="scan'208";a="384324366" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Sep 2022 20:47:43 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.93,311,1654585200"; d="scan'208";a="567425900" Received: from andromeda02.png.intel.com ([10.221.253.198]) by orsmga003.jf.intel.com with ESMTP; 12 Sep 2022 20:47:42 -0700 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [PATCH][dunfell 3/3] virglrenderer: fix CVE-2022-0135 Date: Tue, 13 Sep 2022 11:47:39 +0800 Message-Id: <20220913034739.45165-3-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220913034739.45165-1-chee.yang.lee@intel.com> References: <20220913034739.45165-1-chee.yang.lee@intel.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 13 Sep 2022 03:47:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170559 From: Chee Yang Lee Signed-off-by: Chee Yang Lee --- .../virglrenderer/CVE-2022-0135.patch | 100 ++++++++++++++++++ .../virglrenderer/virglrenderer_0.8.2.bb | 1 + 2 files changed, 101 insertions(+) create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch new file mode 100644 index 0000000000..4a277bd4d0 --- /dev/null +++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch @@ -0,0 +1,100 @@ +From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001 +From: Gert Wollny +Date: Tue, 30 Nov 2021 10:17:26 +0100 +Subject: [PATCH] vrend: Add test to resource OOB write and fix it + +v2: Also check that no depth != 1 has been send when none is due + +Closes: #250 +Signed-off-by: Gert Wollny +Reviewed-by: Chia-I Wu + +https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec +Upstream-Status: Backport +CVE: CVE-2022-0135 +Signed-off-by: Chee Yang Lee +--- + src/vrend_renderer.c | 3 +++ + tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c +index 28f669727..357b81b20 100644 +--- a/src/vrend_renderer.c ++++ b/src/vrend_renderer.c +@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx, + info->box->height) * elsize; + if (res->target == GL_TEXTURE_3D || + res->target == GL_TEXTURE_2D_ARRAY || ++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY || + res->target == GL_TEXTURE_CUBE_MAP_ARRAY) + send_size *= info->box->depth; ++ else if (need_temp && info->box->depth != 1) ++ return EINVAL; + + if (need_temp) { + data = malloc(send_size); +diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c +index 59d6fb671..2de9a9a3f 100644 +--- a/tests/test_fuzzer_formats.c ++++ b/tests/test_fuzzer_formats.c +@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() { + virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde); + } + ++/* Test adapted from yaojun8558363@gmail.com: ++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250 ++*/ ++static void test_vrend_3d_resource_overflow() { ++ ++ struct virgl_renderer_resource_create_args resource; ++ resource.handle = 0x4c474572; ++ resource.target = PIPE_TEXTURE_2D_ARRAY; ++ resource.format = VIRGL_FORMAT_Z24X8_UNORM; ++ resource.nr_samples = 2; ++ resource.last_level = 0; ++ resource.array_size = 3; ++ resource.bind = VIRGL_BIND_SAMPLER_VIEW; ++ resource.depth = 1; ++ resource.width = 8; ++ resource.height = 4; ++ resource.flags = 0; ++ ++ virgl_renderer_resource_create(&resource, NULL, 0); ++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle); ++ ++ uint32_t size = 0x400; ++ uint32_t cmd[size]; ++ int i = 0; ++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE; ++ cmd[i++] = resource.handle; ++ cmd[i++] = 0; // level ++ cmd[i++] = 0; // usage ++ cmd[i++] = 0; // stride ++ cmd[i++] = 0; // layer_stride ++ cmd[i++] = 0; // x ++ cmd[i++] = 0; // y ++ cmd[i++] = 0; // z ++ cmd[i++] = 8; // w ++ cmd[i++] = 4; // h ++ cmd[i++] = 3; // d ++ memset(&cmd[i], 0, size - i); ++ ++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size); ++} ++ ++ + int main() + { + initialize_environment(); +@@ -979,6 +1021,7 @@ int main() + test_cs_nullpointer_deference(); + test_vrend_set_signle_abo_heap_overflow(); + ++ test_vrend_3d_resource_overflow(); + + virgl_renderer_context_destroy(ctx_id); + virgl_renderer_cleanup(&cookie); +-- +GitLab + diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb index 31c45ef89c..8185d6f7e8 100644 --- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb +++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb @@ -13,6 +13,7 @@ SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985" SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \ file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \ file://0001-meson.build-use-python3-directly-for-python.patch \ + file://CVE-2022-0135.patch \ " S = "${WORKDIR}/git"