From: Archana Polampalli <archana.polampa...@windriver.com> A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_submit_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_submit_report().
Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> --- .../ofono/ofono/CVE-2023-4234.patch | 39 +++++++++++++++++++ meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch new file mode 100644 index 0000000000..9d7b56c1ae --- /dev/null +++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch @@ -0,0 +1,39 @@ +From 8d74bc66146ea78620d140640a0a57af86fc8936 Mon Sep 17 00:00:00 2001 +From: Denis Grigorev <d.grigo...@omp.ru> +Date: Thu, 21 Dec 2023 17:16:38 +0300 +Subject: [PATCH] smsutil: Check that submit report fits in memory + +This addresses CVE-2023-4234. + +CVE: CVE-2023-4234. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8d74bc66146ea786] + +Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> +--- + src/smsutil.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/smsutil.c b/src/smsutil.c +index 8e57a06..5a12708 100644 +--- a/src/smsutil.c ++++ b/src/smsutil.c +@@ -938,10 +938,16 @@ static gboolean decode_submit_report(const unsigned char *pdu, int len, + return FALSE; + + if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) { ++ if (expected > (int) sizeof(out->submit_err_report.ud)) ++ return FALSE; ++ + out->submit_err_report.udl = udl; + memcpy(out->submit_err_report.ud, + pdu + offset, expected); + } else { ++ if (expected > (int) sizeof(out->submit_ack_report.ud)) ++ return FALSE; ++ + out->submit_ack_report.udl = udl; + memcpy(out->submit_ack_report.ud, + pdu + offset, expected); +-- +2.40.0 diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb index 23631747a7..8aab312ff8 100644 --- a/meta/recipes-connectivity/ofono/ofono_1.34.bb +++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb @@ -12,6 +12,7 @@ SRC_URI = "\ file://ofono \ file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \ file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \ + file://CVE-2023-4234.patch \ " SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7" -- 2.40.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#198977): https://lists.openembedded.org/g/openembedded-core/message/198977 Mute This Topic: https://lists.openembedded.org/mt/105886011/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-