
connman: Backports for security fixes (2) #poky

Message ID wpQl.1678887096623820376.VRAn@lists.openembedded.org
State New

Commit Message

VAUTRIN Emmanuel (Canal Plus Prestataire) March 15, 2023, 1:31 p.m. UTC
Fixes
CVE: CVE-2022-32293

Commit b33cf2d113d0 ("connman: Backports for security fixes")
---
.../connman/connman/CVE-2022-32293_p3.patch   | 67 +++++++++++++++++++
.../connman/connman_1.41.bb                   |  1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch

--
2.25.1

Comments

Alexandre Belloni March 15, 2023, 2:19 p.m. UTC | #1
Hello,

On 15/03/2023 06:31:36-0700, VAUTRIN Emmanuel (Canal Plus Prestataire) wrote:
> Fixes
> CVE: CVE-2022-32293
> 
> Commit b33cf2d113d0 ("connman: Backports for security fixes")

Your SoB is required here.


> ---
> .../connman/connman/CVE-2022-32293_p3.patch   | 67 +++++++++++++++++++
> .../connman/connman_1.41.bb                   |  1 +
> 2 files changed, 68 insertions(+)
> create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
> 
> diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
> new file mode 100644
> index 000000000000..0fefe3e45408
> --- /dev/null
> +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
> @@ -0,0 +1,67 @@
> +From e6523511d736667e45877d588a64988e818a06fe Mon Sep 17 00:00:00 2001
> +From: Daniel Wagner <wagi@monom.org>
> +Date: Wed, 7 Sep 2022 20:52:20 +0200
> +Subject: [PATCH] wispr: Fix context refcounting in
> + wispr_portal_request_portal()
> +
> +The wispr_portal_request_portal() function is expected to read until
> +there is no data. Hence, the wp_context refcount is supposed to be
> +hold on while reading.
> +
> +Furthermore, we should not return early when we read the
> +X-ConnMan-Status header. Instead we are supposed to go through the
> +normal return path so that we cleanup any added routing entries. Thus,
> +we also don't need to update the refcount in this code path as we
> +handle it at the main return path.
> +
> +Fixes: 416bfaff9888 ("wispr: Update portal context references")
> +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e6523511d736667e45877d588a64988e818a06fe]
> +---
> + src/wispr.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/wispr.c b/src/wispr.c
> +index 9b27af5fff55..a7562e8462f3 100644
> +--- a/src/wispr.c
> ++++ b/src/wispr.c
> +@@ -537,7 +537,8 @@ static bool wispr_route_request(const char *address, int ai_family,
> + static void wispr_portal_request_portal(
> + struct connman_wispr_portal_context *wp_context)
> + {
> +- DBG("");
> ++ DBG("wp_context %p %s", wp_context,
> ++ __connman_ipconfig_type2string(wp_context->type));
> +
> + wispr_portal_context_ref(wp_context);
> + wp_context->request_id = g_web_request_get(wp_context->web,
> +@@ -753,7 +754,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
> + if (length > 0) {
> + g_web_parser_feed_data(wp_context->wispr_parser,
> + chunk, length);
> +- wispr_portal_context_unref(wp_context);
> ++ /* read more data */
> + return true;
> + }
> +
> +@@ -783,8 +784,6 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
> + if (g_web_result_get_header(result, "X-ConnMan-Status",
> + &str)) {
> + portal_manage_status(result, wp_context);
> +- wispr_portal_context_unref(wp_context);
> +- return false;
> + } else {
> + wispr_portal_context_ref(wp_context);
> + __connman_agent_request_browser(wp_context->service,
> +@@ -996,7 +995,8 @@ int __connman_wispr_start(struct connman_service *service,
> + struct connman_wispr_portal *wispr_portal = NULL;
> + int index, err;
> +
> +- DBG("service %p", service);
> ++ DBG("service %p %s", service,
> ++ __connman_ipconfig_type2string(type));
> +
> + if (!wispr_portal_hash)
> + return -EINVAL;
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
> index 79542b2175dc..73ba673fd0a4 100644
> --- a/meta/recipes-connectivity/connman/connman_1.41.bb
> +++ b/meta/recipes-connectivity/connman/connman_1.41.bb
> @@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
> file://no-version-scripts.patch \
> file://CVE-2022-32293_p1.patch \
> file://CVE-2022-32293_p2.patch \
> +� � � � � �file://CVE-2022-32293_p3.patch \
> file://CVE-2022-32292.patch \
> "
> 
> --
> 2.25.1

> 
>
VAUTRIN Emmanuel (Canal Plus Prestataire) March 15, 2023, 2:30 p.m. UTC | #2
Fixes
CVE: CVE-2022-32293

Commit b33cf2d113d0 ("connman: Backports for security fixes")
Signed-off-by: Emmanuel Vautrin <Emmanuel.VAUTRIN@cpexterne.org>
---
.../connman/connman/CVE-2022-32293_p3.patch   | 67 +++++++++++++++++++
.../connman/connman_1.41.bb                   |  1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
new file mode 100644
index 000000000000..0fefe3e45408
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
@@ -0,0 +1,67 @@
+From e6523511d736667e45877d588a64988e818a06fe Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Wed, 7 Sep 2022 20:52:20 +0200
+Subject: [PATCH] wispr: Fix context refcounting in
+ wispr_portal_request_portal()
+
+The wispr_portal_request_portal() function is expected to read until
+there is no data. Hence, the wp_context refcount is supposed to be
+hold on while reading.
+
+Furthermore, we should not return early when we read the
+X-ConnMan-Status header. Instead we are supposed to go through the
+normal return path so that we cleanup any added routing entries. Thus,
+we also don't need to update the refcount in this code path as we
+handle it at the main return path.
+
+Fixes: 416bfaff9888 ("wispr: Update portal context references")
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e6523511d736667e45877d588a64988e818a06fe]
+---
+ src/wispr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/wispr.c b/src/wispr.c
+index 9b27af5fff55..a7562e8462f3 100644
+--- a/src/wispr.c
++++ b/src/wispr.c
+@@ -537,7 +537,8 @@ static bool wispr_route_request(const char *address, int ai_family,
+ static void wispr_portal_request_portal(
+ struct connman_wispr_portal_context *wp_context)
+ {
+- DBG("");
++ DBG("wp_context %p %s", wp_context,
++ __connman_ipconfig_type2string(wp_context->type));
+
+ wispr_portal_context_ref(wp_context);
+ wp_context->request_id = g_web_request_get(wp_context->web,
+@@ -753,7 +754,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (length > 0) {
+ g_web_parser_feed_data(wp_context->wispr_parser,
+ chunk, length);
+- wispr_portal_context_unref(wp_context);
++ /* read more data */
+ return true;
+ }
+
+@@ -783,8 +784,6 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (g_web_result_get_header(result, "X-ConnMan-Status",
+ &str)) {
+ portal_manage_status(result, wp_context);
+- wispr_portal_context_unref(wp_context);
+- return false;
+ } else {
+ wispr_portal_context_ref(wp_context);
+ __connman_agent_request_browser(wp_context->service,
+@@ -996,7 +995,8 @@ int __connman_wispr_start(struct connman_service *service,
+ struct connman_wispr_portal *wispr_portal = NULL;
+ int index, err;
+
+- DBG("service %p", service);
++ DBG("service %p %s", service,
++ __connman_ipconfig_type2string(type));
+
+ if (!wispr_portal_hash)
+ return -EINVAL;
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
index 79542b2175dc..73ba673fd0a4 100644
--- a/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://no-version-scripts.patch \
file://CVE-2022-32293_p1.patch \
file://CVE-2022-32293_p2.patch \
+           file://CVE-2022-32293_p3.patch \
file://CVE-2022-32292.patch \
"

--
2.25.1

Patch

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
new file mode 100644
index 000000000000..0fefe3e45408
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
@@ -0,0 +1,67 @@ 
+From e6523511d736667e45877d588a64988e818a06fe Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Wed, 7 Sep 2022 20:52:20 +0200
+Subject: [PATCH] wispr: Fix context refcounting in
+ wispr_portal_request_portal()
+
+The wispr_portal_request_portal() function is expected to read until
+there is no data. Hence, the wp_context refcount is supposed to be
+hold on while reading.
+
+Furthermore, we should not return early when we read the
+X-ConnMan-Status header. Instead we are supposed to go through the
+normal return path so that we cleanup any added routing entries. Thus,
+we also don't need to update the refcount in this code path as we
+handle it at the main return path.
+
+Fixes: 416bfaff9888 ("wispr: Update portal context references")
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e6523511d736667e45877d588a64988e818a06fe]
+---
+ src/wispr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/wispr.c b/src/wispr.c
+index 9b27af5fff55..a7562e8462f3 100644
+--- a/src/wispr.c
++++ b/src/wispr.c
+@@ -537,7 +537,8 @@ static bool wispr_route_request(const char *address, int ai_family,
+ static void wispr_portal_request_portal(
+ struct connman_wispr_portal_context *wp_context)
+ {
+- DBG("");
++ DBG("wp_context %p %s", wp_context,
++ __connman_ipconfig_type2string(wp_context->type));
+
+ wispr_portal_context_ref(wp_context);
+ wp_context->request_id = g_web_request_get(wp_context->web,
+@@ -753,7 +754,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (length > 0) {
+ g_web_parser_feed_data(wp_context->wispr_parser,
+ chunk, length);
+- wispr_portal_context_unref(wp_context);
++ /* read more data */
+ return true;
+ }
+
+@@ -783,8 +784,6 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (g_web_result_get_header(result, "X-ConnMan-Status",
+ &str)) {
+ portal_manage_status(result, wp_context);
+- wispr_portal_context_unref(wp_context);
+- return false;
+ } else {
+ wispr_portal_context_ref(wp_context);
+ __connman_agent_request_browser(wp_context->service,
+@@ -996,7 +995,8 @@ int __connman_wispr_start(struct connman_service *service,
+ struct connman_wispr_portal *wispr_portal = NULL;
+ int index, err;
+
+- DBG("service %p", service);
++ DBG("service %p %s", service,
++ __connman_ipconfig_type2string(type));
+
+ if (!wispr_portal_hash)
+ return -EINVAL;
+--
+2.25.1
+
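Review bot: In the third wispr.c hunk (`@@ -783,8 +784,6 @@`) the `X-ConnMan-Status` branch loses its `wispr_portal_context_unref()` and `return false` with nothing in the code saying why, so the branch now reads as if it leaks the reference taken in wispr_portal_request_portal(). A one-line comment after `portal_manage_status(result, wp_context);` would record the intent given in the commit message, e.g. `/* no early return: the common exit path drops the request reference and cleans up routes */`. Since the common exit path presumably still touches `wp_context` after portal_manage_status() returns, it is worth confirming against the 1.41 tree with p1 and p2 applied that portal_manage_status() cannot release the last reference; its body and the tail of wispr_portal_web_result() are outside these hunks. The `/* read more data */` comment in the `@@ -753,7 +754,7 @@` hunk could likewise state that the reference is deliberately held until the final callback.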
diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
index 79542b2175dc..73ba673fd0a4 100644
--- a/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -7,6 +7,7 @@  SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://no-version-scripts.patch \
file://CVE-2022-32293_p1.patch \
file://CVE-2022-32293_p2.patch \
+           file://CVE-2022-32293_p3.patch \
file://CVE-2022-32292.patch \
"