Re: [OE-core] [dunfell][PATCH] connman: fix CVE-2021-26675, CVE-2021-26676

2021-03-23 Thread Randy MacLeod

On 2021-03-23 7:37 p.m., Randy MacLeod wrote:

From: Catalin Enache 

A stack-based buffer overflow in dnsproxy in ConnMan before 1.39
could be used by network-adjacent attackers to execute code.

gdhcp in ConnMan before 1.39 could be used by network-adjacent
attackers to leak sensitive stack information, allowing further
exploitation of bugs in gdhcp.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26675
https://nvd.nist.gov/vuln/detail/CVE-2021-26676

Upstream patches:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1

Signed-off-by: Catalin Enache 
Signed-off-by: Randy MacLeod 


BUILDALL-QEMU LOG FOR connman
START TIME: 2021-03-23_11:13:40
HOSTNAME: ala-lpggp3
HOST OS: Ubuntu 18.04.3 LTS
HOST KERNEL: 5.4.0-67-generic
===
BUILD RESULTS:
[glibc]
PASS: qemuarmv5
PASS: qemumips
PASS: qemux86-64
PASS: qemuarm64
PASS: qemumips64
PASS: qemuarm
PASS: qemuppc
PASS: qemuriscv64
PASS: qemux86
[musl]
PASS: qemuarmv5
PASS: qemumips
PASS: qemux86-64
PASS: qemuarm64
PASS: qemumips64
PASS: qemuarm
PASS: qemuppc
PASS: qemuriscv64
PASS: qemux86
===
PASSED: 18
FAILED: 0


I didn't do any run-time testing but I suspect that Catalin did.
Catalin?

--
# Randy MacLeod
# Wind River Linux




[OE-core] [dunfell][PATCH] connman: fix CVE-2021-26675, CVE-2021-26676

2021-03-23 Thread Randy MacLeod
From: Catalin Enache 

A stack-based buffer overflow in dnsproxy in ConnMan before 1.39
could be used by network-adjacent attackers to execute code.

gdhcp in ConnMan before 1.39 could be used by network-adjacent
attackers to leak sensitive stack information, allowing further
exploitation of bugs in gdhcp.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26675
https://nvd.nist.gov/vuln/detail/CVE-2021-26676

Upstream patches:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1

Signed-off-by: Catalin Enache 
Signed-off-by: Randy MacLeod 
---
 .../connman/connman/CVE-2021-26675.patch  |  62 +
 .../connman/connman/CVE-2021-26676-0001.patch | 231 ++
 .../connman/connman/CVE-2021-26676-0002.patch |  33 +++
 .../connman/connman_1.37.bb   |   3 +
 4 files changed, 329 insertions(+)
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch 
b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
new file mode 100644
index 00..2648a832ca
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
@@ -0,0 +1,62 @@
+From e4079a20f617a4b076af503f6e4e8b0304c9f2cb Mon Sep 17 00:00:00 2001
+From: Colin Wee 
+Date: Thu, 28 Jan 2021 19:41:53 +0100
+Subject: [PATCH] dnsproxy: Add length checks to prevent buffer overflow
+
+Fixes: CVE-2021-26675
+
+Upstream-Status: Backport
+CVE: CVE-2021-26675
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
+
+Signed-off-by: Catalin Enache 
+---
+ src/dnsproxy.c | 14 +++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index a7bf87a1..4f5c897f 100644
+--- a/src/dnsproxy.c
 b/src/dnsproxy.c
+@@ -1767,6 +1767,7 @@ static char *uncompress(int16_t field_count, char 
*start, char *end,
+   char **uncompressed_ptr)
+ {
+   char *uptr = *uncompressed_ptr; /* position in result buffer */
++  char * const uncomp_end = uncompressed + uncomp_len - 1;
+
+   debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
+
+@@ -1787,12 +1788,15 @@ static char *uncompress(int16_t field_count, char 
*start, char *end,
+* tmp buffer.
+*/
+
+-  ulen = strlen(name);
+-  strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+-
+   debug("pos %d ulen %d left %d name %s", pos, ulen,
+   (int)(uncomp_len - (uptr - uncompressed)), uptr);
+
++  ulen = strlen(name);
++  if ((uptr + ulen + 1) > uncomp_end) {
++  goto out;
++  }
++  strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
++
+   uptr += ulen;
+   *uptr++ = '\0';
+
+@@ -1802,6 +1806,10 @@ static char *uncompress(int16_t field_count, char 
*start, char *end,
+* We copy also the fixed portion of the result (type, class,
+* ttl, address length and the address)
+*/
++  if ((uptr + NS_RRFIXEDSZ) > uncomp_end) {
++  debug("uncompressed data too large for buffer");
++  goto out;
++  }
+   memcpy(uptr, ptr, NS_RRFIXEDSZ);
+
+   dns_type = uptr[0] << 8 | uptr[1];
+--
+2.17.1
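Review bot: in the second hunk of the backported src/dnsproxy.c change, `debug("pos %d ulen %d left %d name %s", pos, ulen, ...)` now runs before the relocated `ulen = strlen(name);`, so the log line reports a stale `ulen` rather than the length of the name about to be copied; moving the debug() call below the new assignment (or logging `strlen(name)` directly) would restore a meaningful trace. Two smaller points on the new checks: both `(uptr + ulen + 1) > uncomp_end` and `(uptr + NS_RRFIXEDSZ) > uncomp_end` form a pointer that may lie past the end of the buffer before comparing it, whereas comparing the remaining space as an integer, e.g. `if (ulen + 1 > (size_t)(uncomp_end - uptr))`, avoids that and mirrors the `uncomp_len - (uptr - uncompressed)` expression already used for strncpy; and the name-length check bails out with a silent `goto out` while the NS_RRFIXEDSZ check logs "uncompressed data too large for buffer", so a matching debug() on the first path would make truncated responses diagnosable. Since the file is a verbatim backport (Upstream-Status: Backport, upstream id e4079a20f617a4b076af503f6e4e8b0304c9f2cb), these belong in an upstream follow-up rather than a local modification of the .patch.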
diff --git 
a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch 
b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch
new file mode 100644
index 00..4104e4bfc6
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch
@@ -0,0 +1,231 @@
+From 58d397ba74873384aee449690a9070bacd5676fa Mon Sep 17 00:00:00 2001
+From: Colin Wee 
+Date: Thu, 28 Jan 2021 19:39:14 +0100
+Subject: [PATCH] gdhcp: Avoid reading invalid data in dhcp_get_option
+
+Upstream-Status: Backport
+CVE: CVE-2021-26676
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa
+
+Signed-off-by: Catalin Enache 
+---
+ gdhcp/client.c | 20 +++-
+ gdhcp/common.c | 24 +++-
+ gdhcp/common.h |  2 +-
+ gdhcp/server.c | 12 +++-
+ 4 files changed, 38 insertions(+), 20 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 09dfe5ec..6a5613e7 100644
+--- a/gdhcp/client.c