From patchwork Wed Mar 15 13:31:36 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: "VAUTRIN Emmanuel (Canal Plus Prestataire)"
 <Emmanuel.VAUTRIN@cpexterne.org>
X-Patchwork-Id: 20976
Return-Path: <Emmanuel.VAUTRIN@cpexterne.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9BFB8C6FD1D
	for <webhook@archiver.kernel.org>; Wed, 15 Mar 2023 13:31:40 +0000 (UTC)
Subject: [PATCH] connman: Backports for security fixes (2) #poky 
To: openembedded-core@lists.openembedded.org
From: "VAUTRIN Emmanuel (Canal Plus Prestataire)"
 <Emmanuel.VAUTRIN@cpexterne.org>
X-Originating-Location: =?unknown-8bit?b?UGFudGluLCDDjmxlLWRlLUZyYW5jZSwg?=
	=?unknown-8bit?b?RlIgKDE5NC40LjI0My4yMik=?=
X-Originating-Platform: Linux Chrome 111
User-Agent: GROUPS.IO Web Poster
MIME-Version: 1.0
Date: Wed, 15 Mar 2023 06:31:36 -0700
Message-ID: <wpQl.1678887096623820376.VRAn@lists.openembedded.org>
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Wed, 15 Mar 2023 13:31:40 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/178547

Fixes
CVE: CVE-2022-32293

Commit b33cf2d113d0 ("connman: Backports for security fixes")
Signed-off-by: Emmanuel Vautrin <Emmanuel.VAUTRIN@cpexterne.org>
---
.../connman/connman/CVE-2022-32293_p3.patch   | 67 +++++++++++++++++++
.../connman/connman_1.41.bb                   |  1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch

--
2.25.1

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
new file mode 100644
index 000000000000..0fefe3e45408
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p3.patch
@@ -0,0 +1,67 @@
+From e6523511d736667e45877d588a64988e818a06fe Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Wed, 7 Sep 2022 20:52:20 +0200
+Subject: [PATCH] wispr: Fix context refcounting in
+ wispr_portal_request_portal()
+
+The wispr_portal_request_portal() function is expected to read until
+there is no data. Hence, the wp_context refcount is supposed to be
+hold on while reading.
+
+Furthermore, we should not return early when we read the
+X-ConnMan-Status header. Instead we are supposed to go through the
+normal return path so that we cleanup any added routing entries. Thus,
+we also don't need to update the refcount in this code path as we
+handle it at the main return path.
+
+Fixes: 416bfaff9888 ("wispr: Update portal context references")
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e6523511d736667e45877d588a64988e818a06fe]
+---
+ src/wispr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/wispr.c b/src/wispr.c
+index 9b27af5fff55..a7562e8462f3 100644
+--- a/src/wispr.c
++++ b/src/wispr.c
+@@ -537,7 +537,8 @@ static bool wispr_route_request(const char *address, int ai_family,
+ static void wispr_portal_request_portal(
+ struct connman_wispr_portal_context *wp_context)
+ {
+- DBG("");
++ DBG("wp_context %p %s", wp_context,
++ __connman_ipconfig_type2string(wp_context->type));
+
+ wispr_portal_context_ref(wp_context);
+ wp_context->request_id = g_web_request_get(wp_context->web,
+@@ -753,7 +754,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (length > 0) {
+ g_web_parser_feed_data(wp_context->wispr_parser,
+ chunk, length);
+- wispr_portal_context_unref(wp_context);
++ /* read more data */
+ return true;
+ }
+
+@@ -783,8 +784,6 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (g_web_result_get_header(result, "X-ConnMan-Status",
+ &str)) {
+ portal_manage_status(result, wp_context);
+- wispr_portal_context_unref(wp_context);
+- return false;
+ } else {
+ wispr_portal_context_ref(wp_context);
+ __connman_agent_request_browser(wp_context->service,
+@@ -996,7 +995,8 @@ int __connman_wispr_start(struct connman_service *service,
+ struct connman_wispr_portal *wispr_portal = NULL;
+ int index, err;
+
+- DBG("service %p", service);
++ DBG("service %p %s", service,
++ __connman_ipconfig_type2string(type));
+
+ if (!wispr_portal_hash)
+ return -EINVAL;
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
index 79542b2175dc..73ba673fd0a4 100644
--- a/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://no-version-scripts.patch \
file://CVE-2022-32293_p1.patch \
file://CVE-2022-32293_p2.patch \
+           file://CVE-2022-32293_p3.patch \
file://CVE-2022-32292.patch \
"