commit connman for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package connman for openSUSE:Factory checked in at 2022-08-01 21:33:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/connman (Old) and /work/SRC/openSUSE:Factory/.connman.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "connman" Mon Aug 1 21:33:25 2022 rev:14 rq:992045 version:1.41 Changes: -------- --- /work/SRC/openSUSE:Factory/connman/connman.changes 2022-07-14 16:35:01.656672125 +0200 +++ /work/SRC/openSUSE:Factory/.connman.new.1533/connman.changes 2022-08-01 21:34:44.378403655 +0200 @@ -1,0 +2,11 @@ +Mon Aug 1 13:48:53 UTC 2022 - Daniel Wagner <daniel.wagner@suse.com> + +- Add refcounting to wispr portal detection (bsc#1200190) + * add 0001-wispr-Rename-wispr_portal_list-to-wispr_portal_hash.patch + * add 0002-wispr-Ignore-NULL-proxy.patch + * add 0003-wispr-Add-reference-counter-to-portal-context.patch (CVE-2022-32293) + * add 0004-wispr-Update-portal-context-references.patch (CVE-2022-32293) +- Fix OOB write in received_data (bsc#1200189) + * add 0005-gweb-Fix-OOB-write-in-received_data.patch (CVE-2022-32292) + +------------------------------------------------------------------- New: ---- 0001-wispr-Rename-wispr_portal_list-to-wispr_portal_hash.patch 0002-wispr-Ignore-NULL-proxy.patch 0003-wispr-Add-reference-counter-to-portal-context.patch 0004-wispr-Update-portal-context-references.patch 0005-gweb-Fix-OOB-write-in-received_data.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ connman.spec ++++++ --- /var/tmp/diff_new_pack.FMt3UW/_old 2022-08-01 21:34:44.902405158 +0200 +++ /var/tmp/diff_new_pack.FMt3UW/_new 2022-08-01 21:34:44.906405170 +0200 
@@ -35,6 +35,11 @@ Source0: http://www.kernel.org/pub/linux/network/connman/connman-%{version}.tar.xz Source1: http://www.kernel.org/pub/linux/network/connman/connman-%{version}.tar.sign Source2: connman.keyring +Patch001: 0001-wispr-Rename-wispr_portal_list-to-wispr_portal_hash.patch +Patch002: 0002-wispr-Ignore-NULL-proxy.patch +Patch003: 0003-wispr-Add-reference-counter-to-portal-context.patch +Patch004: 0004-wispr-Update-portal-context-references.patch +Patch005: 0005-gweb-Fix-OOB-write-in-received_data.patch # PATCH-FIX-OPENSUSE -- Greate symlink to network.service # downstream patches Patch100: 0100-connman-1.35-service.patch ++++++ 0001-wispr-Rename-wispr_portal_list-to-wispr_portal_hash.patch ++++++ From d7022ad52d8bf84f437b0b2e021d7b06064b97dd Mon Sep 17 00:00:00 2001 From: Daniel Wagner <wagi@monom.org> Date: Mon, 4 Jul 2022 08:16:58 +0200 Subject: [PATCH 1/5] wispr: Rename wispr_portal_list to wispr_portal_hash This data structure is a hash table, so replace the '_list' with '_hash' to reduce the possibility for confusion. Signed-off-by: Daniel Wagner <wagi@monom.org> --- src/wispr.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) --- a/src/wispr.c +++ b/src/wispr.c @@ -91,7 +91,7 @@ struct connman_wispr_portal { static bool wispr_portal_web_result(GWebResult *result, gpointer user_data); -static GHashTable *wispr_portal_list = NULL; +static GHashTable *wispr_portal_hash = NULL; static char *online_check_ipv4_url = NULL; static char *online_check_ipv6_url = NULL; @@ -576,7 +576,7 @@ static void wispr_portal_browser_reply_c if (index < 0) return; - wispr_portal = g_hash_table_lookup(wispr_portal_list, + wispr_portal = g_hash_table_lookup(wispr_portal_hash, GINT_TO_POINTER(index)); if (!wispr_portal) return; 
@@ -950,21 +950,21 @@ int __connman_wispr_start(struct connman DBG("service %p", service); - if (!wispr_portal_list) + if (!wispr_portal_hash) return -EINVAL; index = __connman_service_get_index(service); if (index < 0) return -EINVAL; - wispr_portal = g_hash_table_lookup(wispr_portal_list, + wispr_portal = g_hash_table_lookup(wispr_portal_hash, GINT_TO_POINTER(index)); if (!wispr_portal) { wispr_portal = g_try_new0(struct connman_wispr_portal, 1); if (!wispr_portal) return -ENOMEM; - g_hash_table_replace(wispr_portal_list, + g_hash_table_replace(wispr_portal_hash, GINT_TO_POINTER(index), wispr_portal); } @@ -1002,27 +1002,27 @@ void __connman_wispr_stop(struct connman DBG("service %p", service); - if (!wispr_portal_list) + if (!wispr_portal_hash) return; index = __connman_service_get_index(service); if (index < 0) return; - wispr_portal = g_hash_table_lookup(wispr_portal_list, + wispr_portal = g_hash_table_lookup(wispr_portal_hash, GINT_TO_POINTER(index)); if (!wispr_portal) return; if (wispr_portal->ipv4_context) { if (service == wispr_portal->ipv4_context->service) - g_hash_table_remove(wispr_portal_list, + g_hash_table_remove(wispr_portal_hash, GINT_TO_POINTER(index)); } if (wispr_portal->ipv6_context) { if (service == wispr_portal->ipv6_context->service) - g_hash_table_remove(wispr_portal_list, + g_hash_table_remove(wispr_portal_hash, GINT_TO_POINTER(index)); } } @@ -1031,7 +1031,7 @@ int __connman_wispr_init(void) { DBG(""); - wispr_portal_list = g_hash_table_new_full(g_direct_hash, + wispr_portal_hash = g_hash_table_new_full(g_direct_hash, g_direct_equal, NULL, free_connman_wispr_portal); @@ -1050,6 +1050,6 @@ void __connman_wispr_cleanup(void) { DBG(""); - g_hash_table_destroy(wispr_portal_list); - wispr_portal_list = NULL; + g_hash_table_destroy(wispr_portal_hash); + wispr_portal_hash = NULL; } ++++++ 0002-wispr-Ignore-NULL-proxy.patch ++++++ From 6d551ebed1e97f54a92412bde0555a5ffe920577 Mon Sep 17 00:00:00 2001 
From: Daniel Wagner <wagi@monom.org> Date: Mon, 4 Jul 2022 10:18:50 +0200 Subject: [PATCH 2/5] wispr: Ignore NULL proxy connmand[16822]: Failed to find URL:http://ipv6.connman.net/online/status.html connmand[16822]: src/wispr.c:proxy_callback() proxy (null) (connmand:16449): GLib-CRITICAL **: 10:15:43.812: g_str_has_prefix: assertion 'str != NULL' failed --- src/wispr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/src/wispr.c +++ b/src/wispr.c @@ -809,7 +809,7 @@ static void proxy_callback(const char *p DBG("proxy %s", proxy); - if (!wp_context) + if (!wp_context || !proxy) return; wp_context->token = 0; ++++++ 0003-wispr-Add-reference-counter-to-portal-context.patch ++++++ From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001 From: Daniel Wagner <wagi@monom.org> Date: Tue, 5 Jul 2022 08:32:12 +0200 Subject: [PATCH 3/5] wispr: Add reference counter to portal context Track the connman_wispr_portal_context live time via a refcounter. This only adds the infrastructure to do proper reference counting. Fixes: CVE-2022-32293 --- src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 42 insertions(+), 10 deletions(-) --- a/src/wispr.c +++ b/src/wispr.c @@ -56,6 +56,7 @@ struct wispr_route { }; struct connman_wispr_portal_context { + int refcount; struct connman_service *service; enum connman_ipconfig_type type; struct connman_wispr_portal *wispr_portal; @@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NUL static char *online_check_ipv6_url = NULL; static bool enable_online_to_ready_transition = false; +#define wispr_portal_context_ref(wp_context) \ + wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) +#define wispr_portal_context_unref(wp_context) \ + wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) + static void connman_wispr_message_init(struct connman_wispr_message *msg) { DBG(""); 
@@ -162,9 +168,6 @@ static void free_connman_wispr_portal_co { DBG("context %p", wp_context); - if (!wp_context) - return; - if (wp_context->wispr_portal) { if (wp_context->wispr_portal->ipv4_context == wp_context) wp_context->wispr_portal->ipv4_context = NULL; @@ -201,9 +204,38 @@ static void free_connman_wispr_portal_co g_free(wp_context); } +static struct connman_wispr_portal_context * +wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, + const char *file, int line, const char *caller) +{ + DBG("%p ref %d by %s:%d:%s()", wp_context, + wp_context->refcount + 1, file, line, caller); + + __sync_fetch_and_add(&wp_context->refcount, 1); + + return wp_context; +} + +static void wispr_portal_context_unref_debug( + struct connman_wispr_portal_context *wp_context, + const char *file, int line, const char *caller) +{ + if (!wp_context) + return; + + DBG("%p ref %d by %s:%d:%s()", wp_context, + wp_context->refcount - 1, file, line, caller); + + if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) + return; + + free_connman_wispr_portal_context(wp_context); +} + static struct connman_wispr_portal_context *create_wispr_portal_context(void) { - return g_try_new0(struct connman_wispr_portal_context, 1); + return wispr_portal_context_ref( + g_new0(struct connman_wispr_portal_context, 1)); } static void free_connman_wispr_portal(gpointer data) @@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gp if (!wispr_portal) return; - free_connman_wispr_portal_context(wispr_portal->ipv4_context); - free_connman_wispr_portal_context(wispr_portal->ipv6_context); + wispr_portal_context_unref(wispr_portal->ipv4_context); + wispr_portal_context_unref(wispr_portal->ipv6_context); g_free(wispr_portal); } 
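Review bot: In the `-201,9 +204,38` hunk, `create_wispr_portal_context()` now allocates with `g_new0`, which aborts the process on allocation failure, where `g_try_new0` returned NULL and let the caller handle it; the `if (!wp_context)` check after the call in `__connman_wispr_start()` (context of a later hunk in this patch) is no longer reachable. `wispr_portal_context_ref_debug()` also dereferences its argument in the `DBG` call with no NULL check, unlike the unref helper. Keeping the recoverable path would take `if (!wp_context) return NULL;` at the top of the ref helper and `g_try_new0` in the constructor. Both helpers read `refcount` for the log line outside the atomic operation and both print the word `ref`, so a logged count can be stale and an unref is hard to tell from a ref when tracing a lifetime bug.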
@@ -452,7 +484,7 @@ static void portal_manage_status(GWebRes connman_info("Client-Timezone: %s", str); if (!enable_online_to_ready_transition) - free_connman_wispr_portal_context(wp_context); + wispr_portal_context_unref(wp_context); __connman_service_ipconfig_indicate_state(service, CONNMAN_SERVICE_STATE_ONLINE, type); @@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_l return; } - free_connman_wispr_portal_context(wp_context); + wispr_portal_context_unref(wp_context); return; } @@ -928,7 +960,7 @@ static int wispr_portal_detect(struct co if (wp_context->token == 0) { err = -EINVAL; - free_connman_wispr_portal_context(wp_context); + wispr_portal_context_unref(wp_context); } } else if (wp_context->timeout == 0) { wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); @@ -977,7 +1009,7 @@ int __connman_wispr_start(struct connman /* If there is already an existing context, we wipe it */ if (wp_context) - free_connman_wispr_portal_context(wp_context); + wispr_portal_context_unref(wp_context); wp_context = create_wispr_portal_context(); if (!wp_context) ++++++ 0004-wispr-Update-portal-context-references.patch ++++++ From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001 From: Daniel Wagner <wagi@monom.org> Date: Tue, 5 Jul 2022 09:11:09 +0200 Subject: [PATCH 4/5] wispr: Update portal context references Maintain proper portal context references to avoid UAF. Fixes: CVE-2022-32293 --- src/wispr.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) --- a/src/wispr.c +++ b/src/wispr.c @@ -105,8 +105,6 @@ static bool enable_online_to_ready_trans static void connman_wispr_message_init(struct connman_wispr_message *msg) { - DBG(""); - msg->has_error = false; msg->current_element = NULL; 
@@ -166,8 +164,6 @@ static void free_wispr_routes(struct con static void free_connman_wispr_portal_context( struct connman_wispr_portal_context *wp_context) { - DBG("context %p", wp_context); - if (wp_context->wispr_portal) { if (wp_context->wispr_portal->ipv4_context == wp_context) wp_context->wispr_portal->ipv4_context = NULL; @@ -483,9 +479,6 @@ static void portal_manage_status(GWebRes &str)) connman_info("Client-Timezone: %s", str); - if (!enable_online_to_ready_transition) - wispr_portal_context_unref(wp_context); - __connman_service_ipconfig_indicate_state(service, CONNMAN_SERVICE_STATE_ONLINE, type); @@ -546,14 +539,17 @@ static void wispr_portal_request_portal( { DBG(""); + wispr_portal_context_ref(wp_context); wp_context->request_id = g_web_request_get(wp_context->web, wp_context->status_url, wispr_portal_web_result, wispr_route_request, wp_context); - if (wp_context->request_id == 0) + if (wp_context->request_id == 0) { wispr_portal_error(wp_context); + wispr_portal_context_unref(wp_context); + } } static bool wispr_input(const guint8 **data, gsize *length, @@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_c return; if (!authentication_done) { - wispr_portal_error(wp_context); free_wispr_routes(wp_context); + wispr_portal_error(wp_context); + wispr_portal_context_unref(wp_context); return; } /* Restarting the test */ __connman_service_wispr_start(service, wp_context->type); + wispr_portal_context_unref(wp_context); } static void wispr_portal_request_wispr_login(struct connman_service *service, @@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebRes wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; + wispr_portal_context_ref(wp_context); if (__connman_agent_request_login_input(wp_context->service, wispr_portal_request_wispr_login, - wp_context) != -EINPROGRESS) + wp_context) != -EINPROGRESS) { wispr_portal_error(wp_context); - else + wispr_portal_context_unref(wp_context); + } else return true; break; 
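Review bot: The reference this patch takes before each `__connman_agent_request_browser()` call is dropped only on the two paths changed in the `-618,13 +614,15` hunk; the earlier `return;` statements in `wispr_portal_browser_reply_cb()` (the `index < 0` and `!wispr_portal` checks visible in patch 1/5, and the one shown as context at the top of this hunk) leave without an unref. The function starts outside the hunk, so it is not visible whether those exits are meant to keep the reference, but as written each appears to leak one count and keep the context allocated. The same pattern applies to `proxy_callback()`: the `if (!wp_context || !proxy) return;` guard from patch 2/5 skips the `wispr_portal_context_unref(wp_context);` that this patch adds at the end of that function. A single exit label that performs the unref, reached from every return once the context is known to be non-NULL, would keep the count balanced.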
@@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWeb if (length > 0) { g_web_parser_feed_data(wp_context->wispr_parser, chunk, length); + wispr_portal_context_unref(wp_context); return true; } @@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWeb switch (status) { case 000: + wispr_portal_context_ref(wp_context); __connman_agent_request_browser(wp_context->service, wispr_portal_browser_reply_cb, wp_context->status_url, wp_context); @@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWeb if (g_web_result_get_header(result, "X-ConnMan-Status", &str)) { portal_manage_status(result, wp_context); + wispr_portal_context_unref(wp_context); return false; - } else + } else { + wispr_portal_context_ref(wp_context); __connman_agent_request_browser(wp_context->service, wispr_portal_browser_reply_cb, wp_context->redirect_url, wp_context); + } break; case 300: @@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWeb !g_web_result_get_header(result, "Location", &redirect)) { + wispr_portal_context_ref(wp_context); __connman_agent_request_browser(wp_context->service, wispr_portal_browser_reply_cb, wp_context->status_url, wp_context); @@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWeb wp_context->redirect_url = g_strdup(redirect); + wispr_portal_context_ref(wp_context); wp_context->request_id = g_web_request_get(wp_context->web, redirect, wispr_portal_web_result, wispr_route_request, wp_context); @@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWeb break; case 505: + wispr_portal_context_ref(wp_context); __connman_agent_request_browser(wp_context->service, wispr_portal_browser_reply_cb, wp_context->status_url, wp_context); @@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWeb wp_context->request_id = 0; done: wp_context->wispr_msg.message_type = -1; + wispr_portal_context_unref(wp_context); return false; } 
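Review bot: In the `-753,6 +753,7` hunk, `wispr_portal_web_result()` drops a reference on every call with `length > 0` and then returns `true`, while the `done:` path drops another one when the request finishes. Only one reference is taken per `g_web_request_get()` (in `wispr_portal_request_portal()` and in the redirect case), so if gweb invokes the callback with body data before the final call (its caller is outside this diff), the count falls more often than it rose. The context could then be freed while the request is still active, which is the use-after-free this series is meant to close. I would hold the reference for the lifetime of the request: drop the unref from the `length > 0` branch and release only on paths that return `false`. A one-line comment at `done:` naming the reference released there would make the pairing checkable.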
@@ -866,6 +875,7 @@ static void proxy_callback(const char *p xml_wispr_parser_callback, wp_context); wispr_portal_request_portal(wp_context); + wispr_portal_context_unref(wp_context); } static gboolean no_proxy_callback(gpointer user_data) ++++++ 0005-gweb-Fix-OOB-write-in-received_data.patch ++++++ From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 From: Nathan Crandall <ncrandall@tesla.com> Date: Tue, 12 Jul 2022 08:56:34 +0200 Subject: [PATCH 5/5] gweb: Fix OOB write in received_data() There is a mismatch of handling binary vs. C-string data with memchr and strlen, resulting in pos, count, and bytes_read to become out of sync and result in a heap overflow. Instead, do not treat the buffer as an ASCII C-string. We calculate the count based on the return value of memchr, instead of strlen. Fixes: CVE-2022-32292 --- gweb/gweb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/gweb/gweb.c +++ b/gweb/gweb.c @@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel } *pos = '\0'; - count = strlen((char *) ptr); + count = pos - ptr; if (count > 0 && ptr[count - 1] == '\r') { ptr[--count] = '\0'; bytes_read--;
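Review bot: The replaced line in `received_data()` carries no comment, so nothing stops a later cleanup from reintroducing `strlen()` on this buffer. Suggest adding above the assignment: `/* Buffer is raw network data and may contain NUL bytes; take the line length from the memchr() result, never strlen(). */`. The declaration of `count` is outside the hunk; if it is an unsigned type, `pos - ptr` relies on `pos >= ptr`, which presumably holds because `pos` is found by searching forward from `ptr`, and that is worth stating in the same comment. The function body starts and ends outside the hunk.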