Message ID | wpQl.1678887096623820376.VRAn@lists.openembedded.org |
---|---|
State | New |
Headers | show |
Series | connman: Backports for security fixes (2) #poky | expand |
Hello, On 15/03/2023 06:31:36-0700, VAUTRIN Emmanuel (Canal Plus Prestataire) wrote: > Fixes > CVE: CVE-2022-32293 > > Commit b33cf2d113d0 ("connman: Backports for security fixes") Your SoB is required here. > --- > .../connman/connman/CVE-2022-32293_p3.patch� �| 67 +++++++++++++++++++ > .../connman/connman_1.41.bb� � � � � � � � � �|� 1 + > 2 files changed, 68 insertions(+) > create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch > > diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch > new file mode 100644 > index 000000000000..0fefe3e45408 > --- /dev/null > +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch > @@ -0,0 +1,67 @@ > +From e6523511d736667e45877d588a64988e818a06fe Mon Sep 17 00:00:00 2001 > +From: Daniel Wagner <wagi@monom.org> > +Date: Wed, 7 Sep 2022 20:52:20 +0200 > +Subject: [PATCH] wispr: Fix context refcounting in > + wispr_portal_request_portal() > + > +The wispr_portal_request_portal() function is expected to read until > +there is no data. Hence, the wp_context refcount is supposed to be > +hold on while reading. > + > +Furthermore, we should not return early when we read the > +X-ConnMan-Status header. Instead we are supposed to go through the > +normal return path so that we cleanup any added routing entries. Thus, > +we also don't need to update the refcount in this code path as we > +handle it at the main return path. > + > +Fixes: 416bfaff9888 ("wispr: Update portal context references") > +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e6523511d736667e45877d588a64988e818a06fe] > +--- > + src/wispr.c | 10 +++++----- > + 1 file changed, 5 insertions(+), 5 deletions(-) > + > +diff --git a/src/wispr.c b/src/wispr.c > +index 9b27af5fff55..a7562e8462f3 100644 > +--- a/src/wispr.c > ++++ b/src/wispr.c > +@@ -537,7 +537,8 @@ static bool wispr_route_request(const char *address, int ai_family, > + static void wispr_portal_request_portal( > + struct connman_wispr_portal_context *wp_context) > + { > +- DBG(""); > ++ DBG("wp_context %p %s", wp_context, > ++ __connman_ipconfig_type2string(wp_context->type)); > + > + wispr_portal_context_ref(wp_context); > + wp_context->request_id = g_web_request_get(wp_context->web, > +@@ -753,7 +754,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) > + if (length > 0) { > + g_web_parser_feed_data(wp_context->wispr_parser, > + chunk, length); > +- wispr_portal_context_unref(wp_context); > ++ /* read more data */ > + return true; > + } > + > +@@ -783,8 +784,6 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) > + if (g_web_result_get_header(result, "X-ConnMan-Status", > + &str)) { > + portal_manage_status(result, wp_context); > +- wispr_portal_context_unref(wp_context); > +- return false; > + } else { > + wispr_portal_context_ref(wp_context); > + __connman_agent_request_browser(wp_context->service, > +@@ -996,7 +995,8 @@ int __connman_wispr_start(struct connman_service *service, > + struct connman_wispr_portal *wispr_portal = NULL; > + int index, err; > + > +- DBG("service %p", service); > ++ DBG("service %p %s", service, > ++ __connman_ipconfig_type2string(type)); > + > + if (!wispr_portal_hash) > + return -EINVAL; > +-- > +2.25.1 > + > diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb > index 79542b2175dc..73ba673fd0a4 100644 > --- a/meta/recipes-connectivity/connman/connman_1.41.bb > +++ b/meta/recipes-connectivity/connman/connman_1.41.bb > @@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ > file://no-version-scripts.patch \ > file://CVE-2022-32293_p1.patch \ > file://CVE-2022-32293_p2.patch \ > +� � � � � �file://CVE-2022-32293_p3.patch \ > file://CVE-2022-32292.patch \ > " > > -- > 2.25.1 > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#178547): https://lists.openembedded.org/g/openembedded-core/message/178547 > Mute This Topic: https://lists.openembedded.org/mt/97627289/3617179 > Mute #poky:https://lists.openembedded.org/g/openembedded-core/mutehashtag/poky > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Fixes
CVE: CVE-2022-32293
Commit b33cf2d113d0 ("connman: Backports for security fixes")
Signed-off-by: Emmanuel Vautrin <Emmanuel.VAUTRIN@cpexterne.org>
---
.../connman/connman/CVE-2022-32293_p3.patch | 67 +++++++++++++++++++
.../connman/connman_1.41.bb | 1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
new file mode 100644
index 000000000000..0fefe3e45408
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
@@ -0,0 +1,67 @@
+From e6523511d736667e45877d588a64988e818a06fe Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Wed, 7 Sep 2022 20:52:20 +0200
+Subject: [PATCH] wispr: Fix context refcounting in
+ wispr_portal_request_portal()
+
+The wispr_portal_request_portal() function is expected to read until
+there is no data. Hence, the wp_context refcount is supposed to be
+hold on while reading.
+
+Furthermore, we should not return early when we read the
+X-ConnMan-Status header. Instead we are supposed to go through the
+normal return path so that we cleanup any added routing entries. Thus,
+we also don't need to update the refcount in this code path as we
+handle it at the main return path.
+
+Fixes: 416bfaff9888 ("wispr: Update portal context references")
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e6523511d736667e45877d588a64988e818a06fe]
+---
+ src/wispr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/wispr.c b/src/wispr.c
+index 9b27af5fff55..a7562e8462f3 100644
+--- a/src/wispr.c
++++ b/src/wispr.c
+@@ -537,7 +537,8 @@ static bool wispr_route_request(const char *address, int ai_family,
+ static void wispr_portal_request_portal(
+ struct connman_wispr_portal_context *wp_context)
+ {
+- DBG("");
++ DBG("wp_context %p %s", wp_context,
++ __connman_ipconfig_type2string(wp_context->type));
+
+ wispr_portal_context_ref(wp_context);
+ wp_context->request_id = g_web_request_get(wp_context->web,
+@@ -753,7 +754,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (length > 0) {
+ g_web_parser_feed_data(wp_context->wispr_parser,
+ chunk, length);
+- wispr_portal_context_unref(wp_context);
++ /* read more data */
+ return true;
+ }
+
+@@ -783,8 +784,6 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (g_web_result_get_header(result, "X-ConnMan-Status",
+ &str)) {
+ portal_manage_status(result, wp_context);
+- wispr_portal_context_unref(wp_context);
+- return false;
+ } else {
+ wispr_portal_context_ref(wp_context);
+ __connman_agent_request_browser(wp_context->service,
+@@ -996,7 +995,8 @@ int __connman_wispr_start(struct connman_service *service,
+ struct connman_wispr_portal *wispr_portal = NULL;
+ int index, err;
+
+- DBG("service %p", service);
++ DBG("service %p %s", service,
++ __connman_ipconfig_type2string(type));
+
+ if (!wispr_portal_hash)
+ return -EINVAL;
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
index 79542b2175dc..73ba673fd0a4 100644
--- a/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://no-version-scripts.patch \
file://CVE-2022-32293_p1.patch \
file://CVE-2022-32293_p2.patch \
+ file://CVE-2022-32293_p3.patch \
file://CVE-2022-32292.patch \
"
--
2.25.1
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch new file mode 100644 index 000000000000..0fefe3e45408 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch @@ -0,0 +1,67 @@ +From e6523511d736667e45877d588a64988e818a06fe Mon Sep 17 00:00:00 2001 +From: Daniel Wagner <wagi@monom.org> +Date: Wed, 7 Sep 2022 20:52:20 +0200 +Subject: [PATCH] wispr: Fix context refcounting in + wispr_portal_request_portal() + +The wispr_portal_request_portal() function is expected to read until +there is no data. Hence, the wp_context refcount is supposed to be +hold on while reading. + +Furthermore, we should not return early when we read the +X-ConnMan-Status header. Instead we are supposed to go through the +normal return path so that we cleanup any added routing entries. Thus, +we also don't need to update the refcount in this code path as we +handle it at the main return path. + +Fixes: 416bfaff9888 ("wispr: Update portal context references") +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e6523511d736667e45877d588a64988e818a06fe] +--- + src/wispr.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/wispr.c b/src/wispr.c +index 9b27af5fff55..a7562e8462f3 100644 +--- a/src/wispr.c ++++ b/src/wispr.c +@@ -537,7 +537,8 @@ static bool wispr_route_request(const char *address, int ai_family, + static void wispr_portal_request_portal( + struct connman_wispr_portal_context *wp_context) + { +- DBG(""); ++ DBG("wp_context %p %s", wp_context, ++ __connman_ipconfig_type2string(wp_context->type)); + + wispr_portal_context_ref(wp_context); + wp_context->request_id = g_web_request_get(wp_context->web, +@@ -753,7 +754,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + if (length > 0) { + g_web_parser_feed_data(wp_context->wispr_parser, + chunk, length); +- wispr_portal_context_unref(wp_context); ++ /* read more data */ + return true; + } + +@@ -783,8 +784,6 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + if (g_web_result_get_header(result, "X-ConnMan-Status", + &str)) { + portal_manage_status(result, wp_context); +- wispr_portal_context_unref(wp_context); +- return false; + } else { + wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, +@@ -996,7 +995,8 @@ int __connman_wispr_start(struct connman_service *service, + struct connman_wispr_portal *wispr_portal = NULL; + int index, err; + +- DBG("service %p", service); ++ DBG("service %p %s", service, ++ __connman_ipconfig_type2string(type)); + + if (!wispr_portal_hash) + return -EINVAL; +-- +2.25.1 + diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb index 79542b2175dc..73ba673fd0a4 100644 --- a/meta/recipes-connectivity/connman/connman_1.41.bb +++ b/meta/recipes-connectivity/connman/connman_1.41.bb @@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://no-version-scripts.patch \ file://CVE-2022-32293_p1.patch \ file://CVE-2022-32293_p2.patch \ + file://CVE-2022-32293_p3.patch \ file://CVE-2022-32292.patch \ "