From patchwork Thu May 15 16:35:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dario Binacchi X-Patchwork-Id: 4036 Return-Path: X-Original-To: linux-amarula@patchwork.amarulasolutions.com Delivered-To: linux-amarula@patchwork.amarulasolutions.com Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com [209.85.128.71]) by ganimede.amarulasolutions.com (Postfix) with ESMTPS id 4610E3F97E for ; Thu, 15 May 2025 18:36:45 +0200 (CEST) Received: by mail-wm1-f71.google.com with SMTP id 5b1f17b1804b1-43f251dc364sf7780085e9.2 for ; Thu, 15 May 2025 09:36:45 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1747327005; cv=pass; d=google.com; s=arc-20240605; b=MhX9LSnn9CrZOmux8rixSf1U5gxeUbsHbk5lg8l21xsx8H9MrRnIccze1/3TPYbsyN jU1UdRbzumJ037Bybib+tgLO/1p4198cRGNdEJIDrIrgCWxLZi5bwpyphRK1as7xDgZ2 kpi+Z+LCHxCfoCVVLRidEXKhhDCPHeyVXY4byKaR9qQRFmPLwtfG0Vs3vBa99qNxZE+T JYGIA50sd2FzNBbINa5aRKVBWp8fS/zOkhR5gmpWa1lB/QRDSKlNvLpjYMs2i8hkSday SRxeSzao3r6kj8dgNS6SnCgXjID/8EWsrpAddSBYY35y6YPtpSATC9w1AQ9HPk/p73G/ z13g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-archive:list-help:list-post:list-id :mailing-list:precedence:mime-version:message-id:date:subject:cc:to :from:dkim-signature; bh=5SPjyYGo4pGNAQw+VkUkTFDupr2CwfTvEWLny3Bnp6o=; fh=1XrcBbOXtoGTDpIv65TOaEHOFfjCxtYCsmQX0sohsMc=; b=Q04j4qYN7rQY2GSTSKobBjVhQZdLO6hUpOGiL80mk7dC+rDjNHEZcis/rV81UXZl3U nke1GN1vWVNj6c8wFFVqD9dt53hU/D9vGqMKy2FkTmYCdtCRNbxp2IUYNA+dvD8m7fo1 At2wCJ0QCsV/9q+C2O3gkYHAHjCBUQHHe41m4GblpkDW4ZnSYAkpRHnGyofFZNuljKrN ICbYzsSIKkU4BJivKyuDwi5CqKGfjaiWbvnR5NemwoZGfoaWpZ8OWGlEJlb8K9/n0o5E hNknLTY+A+JrYpNxgh6UXEcVsT6frJRoSxUGcbwI13Zng2evyQB7zub2pNFEdY2qPElH aSpg==; darn=patchwork.amarulasolutions.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@amarulasolutions.com header.s=google header.b=qVIMCTQa; spf=pass (google.com: domain of dario.binacchi@amarulasolutions.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=dario.binacchi@amarulasolutions.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=amarulasolutions.com; dara=pass header.i=@amarulasolutions.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amarulasolutions.com; s=google; t=1747327005; x=1747931805; darn=patchwork.amarulasolutions.com; h=list-unsubscribe:list-archive:list-help:list-post:list-id :mailing-list:precedence:x-original-authentication-results :x-original-sender:mime-version:message-id:date:subject:cc:to:from :from:to:cc:subject:date:message-id:reply-to; bh=5SPjyYGo4pGNAQw+VkUkTFDupr2CwfTvEWLny3Bnp6o=; b=OLna8H49kyZPkPRmii0c8HykkkaJKXK9nLo4aLa6nMJe9saNlXo2AYG6nBU31c+P2i 577By/RnQeztR7Jv729AZat3OAyrrbc11HYjcxRoeFlpYZAnp4t74+HAKDyv6yoIMwMC wAElFGr9IW4sWK8g9/rqgrLSmJGF1cOYE3G7o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747327005; x=1747931805; h=list-unsubscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:x-beenthere:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=5SPjyYGo4pGNAQw+VkUkTFDupr2CwfTvEWLny3Bnp6o=; b=iSRBcxO3ujci2FW/1fV3/39D+zYWs2fAia3YQiqm2YixyawxYjIpdSrsAQa38rbU3p RdmLQcNkFKOYeg32hq7BZuZgX/eWXHG8SZM8Pq/bl9l1fkhrUUZ7kRSzkZT5nnqgtt8U J6imrSxgM15nTk/Mv+C2BQ7J9rQd47t4Yvpf85BqCvndPwYGfEu+5VwZTkm/5sZBGIYY 6rKDsWsruMaQ14pscW7+JAtDyz1Te7lLZkxhuWmDDP79m+5l9ej9+r9DK5zO8qjOkfOU ayrcl+WcARu7XGDxv+AKszlX0QfAlKdbpdvGUliBgJOx6SSkXUqI1RTqq+cX0UvplsFF zW8g== X-Forwarded-Encrypted: i=2; AJvYcCVO2pszY9RDxaJpqb0vfkLgqUoWBQGsVkiuaBVXE6c07EadOFAuKBi13J3CebgEhjmt9/Mq/zBv7eF9E41R@patchwork.amarulasolutions.com X-Gm-Message-State: AOJu0YxfHFwC5+Nv91czx70bveePbNn8jJGh/fcwUgDQronRVwgJgGXF CVTHpw/N3tDEelNDSSS2I24iPHgTUb0D0MGMdVHMST2QPDnOj6zVlQMHXI4V3yyUw4w9bHUEfTY Ofw== X-Google-Smtp-Source: AGHT+IHN8guDobkSCGrKhOXriwBngHeard3JOVSkk3rmnEwOG8cuFr3HSHWYDfZx+feq9tyUrHZ3Kg== X-Received: by 2002:a05:600c:64ca:b0:43d:47b7:b32d with SMTP id 5b1f17b1804b1-442fd664a1emr2091805e9.25.1747327004616; Thu, 15 May 2025 09:36:44 -0700 (PDT) X-BeenThere: linux-amarula@amarulasolutions.com; h=AVT/gBHAcW6SHF8mAaqeXcxsviz4WOq76Pi+Yfwv1NYgomixjQ== Received: by 2002:a05:600c:350e:b0:43c:fccf:bf4c with SMTP id 5b1f17b1804b1-442f8774bb3ls5855075e9.2.-pod-prod-07-eu; Thu, 15 May 2025 09:36:42 -0700 (PDT) X-Received: by 2002:a05:600c:46c3:b0:43d:aed:f7d0 with SMTP id 5b1f17b1804b1-442fd671fe6mr1629555e9.28.1747327002273; Thu, 15 May 2025 09:36:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1747327002; cv=none; d=google.com; s=arc-20240605; b=K6dAruidNJcaENQdNjr5QG6K9De1na0XpYK90VkHt8Fag61TEzh+3QhJ8RWCbosFuF sDl3rH9E/ywAOzneneEBnwa/hvccKGbidIL8dd5R+vxxvXHQVbU5xQ4A9NJUOReVkujb KLpInj4j72a/3+m2AecbE4hUXVquZ39vOFxUnQAsaYNrETYI+KIa/BrDVtakkxDvUv1I uYBXWvd5lELopbpde4wynyxnaYwkFjYyHKOWEZ3tQZ7F8lzE7NuDCgaT2o5T1U8Y/HaE SURcO2Kfv0QrRmP1wS4+//RdJ2eyYGNqRgQjiKKP6Lmu0etcyFpwnSaLHXiXyj7zWpEd GQ3Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:dkim-signature; bh=R54rXjySdWHz/NYK5Aj2Rqe320oyZ3CoVxs0lCT5LCo=; fh=WmrJNaIHrGP10pjMSykFMaRG8yB05aer+1jA6msjLXU=; b=SztkErQIPiCGlBECk+xi3sAj/rjxUKtILn/MaM/V8TIBXFQamLqSBxFJLmX1dQQy3H yrVIWTc56Jj80ZTrM+/EjLMor130xV12MIKyRlm3Xxfrb1CtM8UQe+MVAnlm+NSABR76 i1EWDbF2Dug1qmn64fM/HvicPzKFFZQu+88MFSX6UY3Yz8SHHtZ6B3jDByUH4TOqEa4R RKuiWA1P2jMFbUhNi4cO08JsBw8mZC9NKAqBir0lhenUxwMZ4r+rjY/xn3YCXmLTIXpU Ak4mO+bLLCgQiRiHFft2AB2MQYwbe1ctb/sN7unh6LnUDzFpZq7BpjrNy5+7q1Ayu/ZX RShQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amarulasolutions.com header.s=google header.b=qVIMCTQa; spf=pass (google.com: domain of dario.binacchi@amarulasolutions.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=dario.binacchi@amarulasolutions.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=amarulasolutions.com; dara=pass header.i=@amarulasolutions.com Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41]) by mx.google.com with SMTPS id 5b1f17b1804b1-442fd5bf309sor621465e9.10.2025.05.15.09.36.42 for (Google Transport Security); Thu, 15 May 2025 09:36:42 -0700 (PDT) Received-SPF: pass (google.com: domain of dario.binacchi@amarulasolutions.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41; X-Gm-Gg: ASbGncvnw4pxohyxq9yBmGg1NsvIsz69LO7NqGGk9FBzYJd0ni3SW4r+bqz5HyUrdNo Kqxcn9A07NCGF7yzgF5sPaWdfRaW6Hpcvw/M4ru/iW86VuAR7myrAXOdO3RuFnPwpsjtg6tXgfy WHFo+CGxqj+WjTcqIRqBRbqq/0EmoD849ulA/YqHyY6FEDUVGYuBunneI4CErnEyU2HbJGIWSQd KpsSyRtIAGJgCZycyuFKLDS+wi8Jn8ql1+uA5klkeVYYgxb2MMtt46AvxIS0989mBIOLny+hfID 0EdPlKUedUycNkx2jbYkhT+fBui5MHgggBo1QH4cLAH09a7FbGVcRJQkodWjiP9dLgjGN2fV5yP r0DztrgHwO+nDWeZsfcOixW1ZAv4g69kXPL2ISd22NlAtKpHQpONTkQ== X-Received: by 2002:a05:600c:34cf:b0:43d:1b95:6d0e with SMTP id 5b1f17b1804b1-442fd664aa5mr1972865e9.23.1747327001769; Thu, 15 May 2025 09:36:41 -0700 (PDT) Received: from dario-ThinkPad-T14s-Gen-2i.client.m3-hotspots.de ([46.189.28.50]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-442fd4fdc73sm2631335e9.2.2025.05.15.09.36.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 15 May 2025 09:36:41 -0700 (PDT) From: Dario Binacchi To: openembedded-core@lists.openembedded.org Cc: linux-amarula@amarulasolutions.com, Dario Binacchi Subject: [meta-oe][PATCH 1/1] connman: patch CVE-2025-32366 and CVE-2025-32743 Date: Thu, 15 May 2025 18:35:28 +0200 Message-ID: <20250515163528.931598-1-dario.binacchi@amarulasolutions.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-Original-Sender: dario.binacchi@amarulasolutions.com X-Original-Authentication-Results: mx.google.com; dkim=pass header.i=@amarulasolutions.com header.s=google header.b=qVIMCTQa; spf=pass (google.com: domain of dario.binacchi@amarulasolutions.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=dario.binacchi@amarulasolutions.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=amarulasolutions.com; dara=pass header.i=@amarulasolutions.com Content-Type: text/plain; charset="UTF-8" Precedence: list Mailing-list: list linux-amarula@amarulasolutions.com; contact linux-amarula+owners@amarulasolutions.com List-ID: X-Spam-Checked-In-Group: linux-amarula@amarulasolutions.com X-Google-Group-Id: 476853432473 List-Post: , List-Help: , List-Archive: List-Unsubscribe: , Cherry-pick patch mentioning these CVEs. Signed-off-by: Dario Binacchi --- .../connman/connman/CVE-2025-32366.patch | 42 +++++++++++++++++ .../connman/connman/CVE-2025-32743.patch | 47 +++++++++++++++++++ .../connman/connman_1.44.bb | 2 + 3 files changed, 91 insertions(+) create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch new file mode 100644 index 000000000000..f7cda6c07c53 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch @@ -0,0 +1,42 @@ +From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=EC=8B=A0=EC=9C=A4=EC=A0=9C=28=ED=95=99=EB=B6=80=EC=83=9D-?= + =?UTF-8?q?=EC=86=8C=ED=94=84=ED=8A=B8=EC=9B=A8=EC=96=B4=EC=A0=84=EA=B3=B5?= + =?UTF-8?q?=29?= +Date: Mon, 12 May 2025 10:48:18 +0200 +Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability + +In Connman parse_rr in dnsproxy.c has a memcpy length +that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen) +and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger +than the amount of remaining packet data in the current state of +parsing. As a result, values of stack memory locations may be sent +over the network in a response. + +This patch adds a check to ensure that (*end + *rdlen) does not exceed +the valid range. If the condition is violated, the function returns +-EINVAL. + +CVE: CVE-2025-32366 +Signed-off-by: Dario Binacchi +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4] +--- + src/dnsproxy.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index 7ee26d9ff886..1dd2f7f5d47e 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start, + if ((offset + *rdlen) > *response_size) + return -ENOBUFS; + ++ if ((*end + *rdlen) > max) ++ return -EINVAL; ++ + memcpy(response + offset, *end, *rdlen); + + *end += *rdlen; +-- +2.43.0 + diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch new file mode 100644 index 000000000000..87ad240e4273 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch @@ -0,0 +1,47 @@ +From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001 +From: Praveen Kumar +Date: Thu, 24 Apr 2025 11:39:29 +0000 +Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash + +In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c +can be NULL or an empty string when the TC (Truncated) bit is set in +a DNS response. This allows attackers to cause a denial of service +(application crash) or possibly execute arbitrary code, because those +lookup values lead to incorrect length calculations and incorrect +memcpy operations. + +This patch includes a check to make sure loookup value is valid before +using it. This helps avoid unexpected value when the input is empty or +incorrect. + +Fixes: CVE-2025-32743 + +CVE: CVE-2025-32743 +Signed-off-by: Dario Binacchi +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f] +--- + src/dnsproxy.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index f28a5d7551a4..7ee26d9ff886 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req, + gpointer request, gpointer name) + { + int sk = -1; ++ int err; + const char *lookup = (const char *)name; +- int err = ns_try_resolv_from_cache(req, request, lookup); ++ ++ if (!lookup || strlen(lookup) == 0) ++ return -EINVAL; ++ ++ err = ns_try_resolv_from_cache(req, request, lookup); + + if (err > 0) + /* cache hit */ +-- +2.43.0 + diff --git a/meta/recipes-connectivity/connman/connman_1.44.bb b/meta/recipes-connectivity/connman/connman_1.44.bb index 00e69182d789..cdb1065628b8 100644 --- a/meta/recipes-connectivity/connman/connman_1.44.bb +++ b/meta/recipes-connectivity/connman/connman_1.44.bb @@ -21,6 +21,8 @@ DEPENDS = "dbus glib-2.0" SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://connman \ file://0002-resolve-musl-does-not-implement-res_ninit.patch \ + file://CVE-2025-32366.patch \ + file://CVE-2025-32743.patch \ " SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"