* [PATCH][dunfell 1/3] connman: fix CVE-2022-32292
@ 2022-09-13 3:47 chee.yang.lee
2022-09-13 3:47 ` [PATCH][dunfell 2/3] gnutls: fix CVE-2021-4209 chee.yang.lee
2022-09-13 3:47 ` [PATCH][dunfell 3/3] virglrenderer: fix CVE-2022-0135 chee.yang.lee
0 siblings, 2 replies; 3+ messages in thread
From: chee.yang.lee @ 2022-09-13 3:47 UTC (permalink / raw)
To: openembedded-core
From: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
.../connman/connman/CVE-2022-32292.patch | 37 +++++++++++++++++++
.../connman/connman_1.37.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
new file mode 100644
index 0000000000..74a739d6a2
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@
+From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
+From: Nathan Crandall <ncrandall@tesla.com>
+Date: Tue, 12 Jul 2022 08:56:34 +0200
+Subject: gweb: Fix OOB write in received_data()
+
+There is a mismatch of handling binary vs. C-string data with memchr
+and strlen, resulting in pos, count, and bytes_read to become out of
+sync and result in a heap overflow. Instead, do not treat the buffer
+as an ASCII C-string. We calculate the count based on the return value
+of memchr, instead of strlen.
+
+Fixes: CVE-2022-32292
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b
+CVE: CVE-2022-32292
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ gweb/gweb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gweb/gweb.c b/gweb/gweb.c
+index 12fcb1d8..13c6c5f2 100644
+--- a/gweb/gweb.c
++++ b/gweb/gweb.c
+@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
+ }
+
+ *pos = '\0';
+- count = strlen((char *) ptr);
++ count = pos - ptr;
+ if (count > 0 && ptr[count - 1] == '\r') {
+ ptr[--count] = '\0';
+ bytes_read--;
+--
+cgit
+
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb
index bdd1e590ec..4f22c7ad49 100644
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -12,6 +12,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://CVE-2021-33833.patch \
file://CVE-2022-23096-7.patch \
file://CVE-2022-23098.patch \
+ file://CVE-2022-32292.patch \
"
SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
--
2.36.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH][dunfell 2/3] gnutls: fix CVE-2021-4209
2022-09-13 3:47 [PATCH][dunfell 1/3] connman: fix CVE-2022-32292 chee.yang.lee
@ 2022-09-13 3:47 ` chee.yang.lee
2022-09-13 3:47 ` [PATCH][dunfell 3/3] virglrenderer: fix CVE-2022-0135 chee.yang.lee
1 sibling, 0 replies; 3+ messages in thread
From: chee.yang.lee @ 2022-09-13 3:47 UTC (permalink / raw)
To: openembedded-core
From: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
.../gnutls/gnutls/CVE-2021-4209.patch | 37 +++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch
new file mode 100644
index 0000000000..0bcb55e573
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch
@@ -0,0 +1,37 @@
+From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 22 Dec 2021 09:12:25 +0100
+Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length
+ input
+
+As Nettle's hash update functions internally call memcpy, providing
+zero-length input may cause undefined behavior.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568
+Upstream-Status: Backport
+CVE: CVE-2021-4209
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/nettle/mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c
+index f9d4d7a8df..35e070fab0 100644
+--- a/lib/nettle/mac.c
++++ b/lib/nettle/mac.c
+@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+- ctx.update(&ctx, text_size, text);
++ if (text_size > 0) {
++ ctx.update(&ctx, text_size, text);
++ }
+ ctx.digest(&ctx, ctx.length, digest);
+
+ return 0;
+--
+GitLab
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index e9af71c7bd..f1757871ce 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -26,6 +26,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2021-20231.patch \
file://CVE-2021-20232.patch \
file://CVE-2022-2509.patch \
+ file://CVE-2021-4209.patch \
"
SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
--
2.36.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH][dunfell 3/3] virglrenderer: fix CVE-2022-0135
2022-09-13 3:47 [PATCH][dunfell 1/3] connman: fix CVE-2022-32292 chee.yang.lee
2022-09-13 3:47 ` [PATCH][dunfell 2/3] gnutls: fix CVE-2021-4209 chee.yang.lee
@ 2022-09-13 3:47 ` chee.yang.lee
1 sibling, 0 replies; 3+ messages in thread
From: chee.yang.lee @ 2022-09-13 3:47 UTC (permalink / raw)
To: openembedded-core
From: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
.../virglrenderer/CVE-2022-0135.patch | 100 ++++++++++++++++++
.../virglrenderer/virglrenderer_0.8.2.bb | 1 +
2 files changed, 101 insertions(+)
create mode 100644 meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
new file mode 100644
index 0000000000..4a277bd4d0
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
@@ -0,0 +1,100 @@
+From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 10:17:26 +0100
+Subject: [PATCH] vrend: Add test to resource OOB write and fix it
+
+v2: Also check that no depth != 1 has been send when none is due
+
+Closes: #250
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+
+https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
+Upstream-Status: Backport
+CVE: CVE-2022-0135
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c | 3 +++
+ tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 28f669727..357b81b20 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+ info->box->height) * elsize;
+ if (res->target == GL_TEXTURE_3D ||
+ res->target == GL_TEXTURE_2D_ARRAY ||
++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+ send_size *= info->box->depth;
++ else if (need_temp && info->box->depth != 1)
++ return EINVAL;
+
+ if (need_temp) {
+ data = malloc(send_size);
+diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
+index 59d6fb671..2de9a9a3f 100644
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() {
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+
++/* Test adapted from yaojun8558363@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++ struct virgl_renderer_resource_create_args resource;
++ resource.handle = 0x4c474572;
++ resource.target = PIPE_TEXTURE_2D_ARRAY;
++ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++ resource.nr_samples = 2;
++ resource.last_level = 0;
++ resource.array_size = 3;
++ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++ resource.depth = 1;
++ resource.width = 8;
++ resource.height = 4;
++ resource.flags = 0;
++
++ virgl_renderer_resource_create(&resource, NULL, 0);
++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++ uint32_t size = 0x400;
++ uint32_t cmd[size];
++ int i = 0;
++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++ cmd[i++] = resource.handle;
++ cmd[i++] = 0; // level
++ cmd[i++] = 0; // usage
++ cmd[i++] = 0; // stride
++ cmd[i++] = 0; // layer_stride
++ cmd[i++] = 0; // x
++ cmd[i++] = 0; // y
++ cmd[i++] = 0; // z
++ cmd[i++] = 8; // w
++ cmd[i++] = 4; // h
++ cmd[i++] = 3; // d
++ memset(&cmd[i], 0, size - i);
++
++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+ int main()
+ {
+ initialize_environment();
+@@ -979,6 +1021,7 @@ int main()
+ test_cs_nullpointer_deference();
+ test_vrend_set_signle_abo_heap_overflow();
+
++ test_vrend_3d_resource_overflow();
+
+ virgl_renderer_context_destroy(ctx_id);
+ virgl_renderer_cleanup(&cookie);
+--
+GitLab
+
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
index 31c45ef89c..8185d6f7e8 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
@@ -13,6 +13,7 @@ SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985"
SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \
file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
file://0001-meson.build-use-python3-directly-for-python.patch \
+ file://CVE-2022-0135.patch \
"
S = "${WORKDIR}/git"
--
2.36.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-09-13 3:47 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-09-13 3:47 [PATCH][dunfell 1/3] connman: fix CVE-2022-32292 chee.yang.lee
2022-09-13 3:47 ` [PATCH][dunfell 2/3] gnutls: fix CVE-2021-4209 chee.yang.lee
2022-09-13 3:47 ` [PATCH][dunfell 3/3] virglrenderer: fix CVE-2022-0135 chee.yang.lee
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox