From patchwork Tue May 13 08:09:56 2025
X-Patchwork-Submitter: Dario Binacchi
X-Patchwork-Id: 4000
From: Dario Binacchi
To: buildroot@buildroot.org
Cc: Martin Bark, linux-amarula@amarulasolutions.com, Dario Binacchi
Subject: [PATCH 1/1] package/connman: fix CVE-2025-32366
Date: Tue, 13 May 2025 10:09:56 +0200
Message-ID: <20250513080956.1578804-1-dario.binacchi@amarulasolutions.com>

In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that
depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen) and
memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger than the
amount of remaining packet data in the current state of parsing. As a
result, values of stack memory locations may be sent over the network in
a response.

Fixes: https://www.cve.org/CVERecord?id=CVE-2025-32366
Signed-off-by: Dario Binacchi
---
 ...Address-CVE-2025-32366-vulnerability.patch | 41 +++++++++++++++++++
 package/connman/connman.mk                    |  3 ++
 2 files changed, 44 insertions(+)
 create mode 100644 package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch
diff --git a/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch b/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch new file mode 100644 index 000000000000..9651b2dfe473 --- /dev/null +++ b/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch @@ -0,0 +1,41 @@ +From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=EC=8B=A0=EC=9C=A4=EC=A0=9C=28=ED=95=99=EB=B6=80=EC=83=9D-?= + =?UTF-8?q?=EC=86=8C=ED=94=84=ED=8A=B8=EC=9B=A8=EC=96=B4=EC=A0=84=EA=B3=B5?= + =?UTF-8?q?=29?= +Date: Mon, 12 May 2025 10:48:18 +0200 +Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability + +In Connman parse_rr in dnsproxy.c has a memcpy length +that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen) +and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger +than the amount of remaining packet data in the current state of +parsing. As a result, values of stack memory locations may be sent +over the network in a response. + +This patch adds a check to ensure that (*end + *rdlen) does not exceed +the valid range. If the condition is violated, the function returns +-EINVAL. + +Signed-off-by: Dario Binacchi +Upstream: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4 +--- + src/dnsproxy.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index 7ee26d9ff886..1dd2f7f5d47e 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start, + if ((offset + *rdlen) > *response_size) + return -ENOBUFS; + ++ if ((*end + *rdlen) > max) ++ return -EINVAL; ++ + memcpy(response + offset, *end, *rdlen); + + *end += *rdlen; +-- +2.43.0 + diff --git a/package/connman/connman.mk b/package/connman/connman.mk index 5d515c296319..c9637eadf5aa 100644 --- a/package/connman/connman.mk 
+++ b/package/connman/connman.mk @@ -16,6 +16,9 @@ CONNMAN_CPE_ID_VENDOR = intel # 0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch CONNMAN_IGNORE_CVES += CVE-2025-32743 +# 0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch +CONNMAN_IGNORE_CVES += CVE-2025-32366 + CONNMAN_CONF_OPTS = --with-dbusconfdir=/etc ifeq ($(BR2_INIT_SYSTEMD),y)
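
Review bot: in the src/dnsproxy.c hunk of the embedded 0002 patch, the new bound is written as "if ((*end + *rdlen) > max)", which forms the pointer *end + *rdlen before testing it; in exactly the case the check is meant to catch, that pointer already lies beyond the packet buffer, and C leaves such pointer arithmetic undefined. Comparing lengths, for example "if (*rdlen > max - *end)", gives the same result without forming the out-of-range pointer, provided *end <= max holds at this point (the hunk does not show where that is established). Because this file is a backport of the commit named in its Upstream: trailer, any such change belongs upstream first and the Buildroot copy should stay identical to that commit.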
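
Review bot: in the package/connman/connman.mk hunk, "CONNMAN_IGNORE_CVES += CVE-2025-32366" is only correct while 0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch is applied, and the commit message describes the issue as present "through 1.44". The comment line naming the patch file ties the two together, as the existing 0001 entry does; the entry and the patch should be dropped in the same commit when the package is bumped to a release that contains the upstream fix, so that CVE reporting does not keep hiding the identifier on the strength of a patch that is no longer there.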
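
The class of bug described in the commit message, as an added example that is not part of the original mail and is not ConnMan's code: a self-contained C routine that copies one resource record only after checking RDLENGTH against the bytes actually left in the packet. The names copy_rr, rr_ok and rr_bad are hypothetical, and the sample records are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed RR fields after the owner name (RFC 1035, 4.1.3):
 * TYPE(2) CLASS(2) TTL(4) RDLENGTH(2), big-endian. */
#define RR_FIXED_LEN 10u

/* Hypothetical helper (not ConnMan's parse_rr): copy one RR's fixed fields
 * and RDATA into out[]. cur points just past the owner name, pkt_end one
 * past the last received byte. Returns bytes written or a negative errno. */
static int copy_rr(const uint8_t *cur, const uint8_t *pkt_end,
		   uint8_t *out, size_t out_size)
{
	size_t remaining, rdlen;

	if (cur > pkt_end)
		return -EINVAL;
	remaining = (size_t)(pkt_end - cur);
	if (remaining < RR_FIXED_LEN)	/* fixed fields must be in the packet */
		return -EINVAL;
	/* RDLENGTH comes from the network: read it, then bound it. */
	rdlen = ((size_t)cur[8] << 8) | cur[9];
	remaining -= RR_FIXED_LEN;

	/* Source bound as a length comparison: no out-of-range pointer formed. */
	if (rdlen > remaining)
		return -EINVAL;
	/* Destination bound. */
	if (RR_FIXED_LEN + rdlen > out_size)
		return -ENOBUFS;

	memcpy(out, cur, RR_FIXED_LEN + rdlen);
	return (int)(RR_FIXED_LEN + rdlen);
}

/* Constructed sample: A record, RDLENGTH = 4, RDATA 192.0.2.1. */
static const uint8_t rr_ok[] = { 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };
/* Constructed sample: same bytes, but RDLENGTH claims 0x0200. */
static const uint8_t rr_bad[] = { 0,1, 0,1, 0,0,0,60, 2,0, 192,0,2,1 };

int main(void)
{
	uint8_t out[64];
	printf("well-formed: %d\n", copy_rr(rr_ok, rr_ok + sizeof(rr_ok), out, sizeof(out)));
	printf("oversized RDLENGTH: %d\n", copy_rr(rr_bad, rr_bad + sizeof(rr_bad), out, sizeof(out)));
	return 0;
}
```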